chore: [SEC-7263] Add dependency-scan GitHub Actions workflow #226
Merged
Conversation
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding <[email protected]>
🤖 Devin AI Engineer: I'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
…ain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Fix YAML formatting issues to resolve Build Yarn Turborepo CI failure. Apply consistent indentation and spacing per repository standards. Co-Authored-By: Patrick Kaeding <[email protected]>
Address formatting check failure in Build Yarn Turborepo workflow. Run prettier --write to fix code style issues for SEC-7263. Co-Authored-By: Patrick Kaeding <[email protected]>
The evaluate-policy job needs actions/checkout@v4 to properly download SBOM artifacts from the generate-nodejs-sbom job. This resolves the '0 artifact(s)' error in the policy evaluation step. Co-Authored-By: Patrick Kaeding <[email protected]>
- Add NODE_OPTIONS with 6GB memory limit to prevent cdxgen timeout - Add 10-minute timeout to generate-sbom step - Verified locally that cdxgen creates 3.7MB SBOM with 4458 components Co-Authored-By: Patrick Kaeding <[email protected]>
Target only sdk/ directory with recurse=false to avoid scanning 9,287 package.json files in rrweb submodule that cause cdxgen to timeout. Co-Authored-By: Patrick Kaeding <[email protected]>
…cy analysis - Remove rrweb submodule exclusion to generate full SBOM as requested - Upgrade to ubuntu-latest-8-cores runner for better performance - Increase memory allocation to 8192MB for large monorepo processing - Extend timeout to 20 minutes for comprehensive SBOM generation - Fix formatting issues with yarn format:all Co-Authored-By: Patrick Kaeding <[email protected]>
Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332. Co-Authored-By: Patrick Kaeding <[email protected]>
Vadman97
approved these changes
Sep 26, 2025
pkaeding
commented
Oct 7, 2025
Co-Authored-By: Patrick Kaeding <[email protected]>
…ion memory issue - Update to use launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@main - Specify ubuntu-latest-8-cores runner to handle large repository size - Resolves evaluate-policy job failure due to missing SBOM artifacts - Addresses SEC-7263 dependency scan standardization Co-Authored-By: Patrick Kaeding <[email protected]>
…ain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
fixed lint
Summary
Add dependency-scan GitHub Actions workflow to generate Node.js Software Bill of Materials (SBOM) for SEC-7263 security initiative.
This workflow:
- launchdarkly/gh-actions (appropriate for public repositories)
How did you test this change?
This change adds a new GitHub Actions workflow that will be tested when the PR is created. The workflow follows the established pattern from other LaunchDarkly repositories, using launchdarkly/gh-actions for public repositories.
Key items for reviewer to verify:
Are there any deployment considerations?
No deployment considerations - this only adds CI workflow for security scanning. The workflow will begin running automatically on future PRs and main branch pushes.
Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding
Note
Adds a GitHub Actions workflow to generate a Node.js SBOM and evaluate it against policy on PRs and main pushes.
- /.github/workflows/dependency-scan.yml
- launchdarkly/gh-actions
- bom.nodejs.json
- pull_request and pushes to main; runs on ubuntu-latest with read-only contents permissions.
Written by Cursor Bugbot for commit 2d538fa.
Related Jira issue: SEC-7263: Investigate impact of compromised NPM packages: debug and chalk
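As an added illustration of the policy-evaluation step this workflow runs over the generated SBOM (example code written here, not launchdarkly/gh-actions' own policy logic), the check below loads a CycloneDX document such as bom.nodejs.json and flags components whose name and version match a blocklist of compromised npm releases, failing closed when the artifact is empty or not CycloneDX (the situation behind the "0 artifact(s)" error in the commit history). The blocklist versions, the sample SBOM and the function names are constructed placeholders, not the real affected releases of debug or chalk.

```python
import json

# Constructed blocklist: package name -> versions treated as compromised.
# Placeholder versions, not the real affected releases of debug/chalk.
BLOCKLIST = {
    "debug": {"0.0.0-compromised-example"},
    "chalk": {"0.0.0-compromised-example"},
}

# Constructed minimal CycloneDX document standing in for bom.nodejs.json.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "chalk", "version": "0.0.0-compromised-example",
         "purl": "pkg:npm/chalk@0.0.0-compromised-example"},
        {"type": "library", "name": "debug", "version": "4.0.0-clean-example",
         "purl": "pkg:npm/debug@4.0.0-clean-example"},
        {"type": "library", "group": "@types", "name": "node", "version": "20.0.0"},
    ],
})


def component_name(comp: dict) -> str:
    """Scoped npm packages arrive as group='@scope', name='pkg'; rejoin them."""
    group = comp.get("group")
    return f"{group}/{comp['name']}" if group else comp["name"]


def check_sbom(sbom_json: str, blocklist=BLOCKLIST) -> tuple[str, list[str]]:
    """Evaluate one SBOM artifact against the blocklist.

    Returns ("invalid", []) when the artifact is not parseable, is not a
    CycloneDX document, or lists no components (an empty or missing scan),
    so the job fails closed; otherwise ("fail", violations) or ("pass", []).
    """
    try:
        doc = json.loads(sbom_json)
    except json.JSONDecodeError:
        return ("invalid", [])
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("components"):
        return ("invalid", [])
    violations = []
    for comp in doc["components"]:
        name = component_name(comp)
        if comp.get("version") in blocklist.get(name, ()):
            violations.append(comp.get("purl") or f"{name}@{comp['version']}")
    return ("fail", violations) if violations else ("pass", [])
```

In a CI step the verdict maps directly to the exit status: anything other than "pass" should fail the evaluate-policy job rather than let an empty artifact count as clean.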