
chore: add SBOM generation and vulnerability audit to release pipeline#219

Merged
pkosiec merged 2 commits into main from pkosiec/unblock-releases on Mar 30, 2026

Conversation

@pkosiec (Member) commented Mar 30, 2026

Summary

  • Add @cyclonedx/cdxgen as devDependency for CycloneDX SBOM generation per released package
  • Add pnpm audit --audit-level=high as before:init release-it hook — blocks release on high/critical vulnerabilities
  • Generate per-package CycloneDX SBOM in before:release hook — included in published npm tarball
  • Applied to both appkit/appkit-ui (.release-it.json) and lakebase (packages/lakebase/.release-it.json) release configs

Notes

  • TODO: Once pnpm 11 stable is released with native pnpm sbom command, replace @cyclonedx/cdxgen with pnpm sbom and remove the devDependency

Test plan

  • Run pnpm cdxgen -t js --no-recurse --required-only -o /tmp/test.json packages/appkit locally to verify SBOM generation
  • Run pnpm audit --audit-level=high locally to verify audit works - it doesn't because of the proxy 501 error but it should work fine on CI (pnpm audit  WARN  post https://npm-proxy.dev.databricks.com/-/npm/v1/security/audits error (501). Will retry in 10 seconds. 2 retries left.)

This pull request was AI-assisted by Isaac.

- Add @cyclonedx/cdxgen as devDependency for CycloneDX SBOM generation
- Add `pnpm audit --audit-level=high` as before:init hook (blocks release on high/critical vulns)
- Generate per-package CycloneDX SBOM in before:release hook (included in npm tarball)
- Applied to both appkit/appkit-ui and lakebase release configs

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>
@pkosiec pkosiec force-pushed the pkosiec/unblock-releases branch from eee5167 to 0939278 on March 30, 2026 08:39
- Include sbom.cdx.json in published npm packages via files allowlist
- Extract cdxgen into named release:sbom scripts for readability
- Use pnpm exec cdxgen for explicit dependency resolution
- Scan tmp/ (publish artifact) instead of source dirs for accurate SBOMs
- Scope pnpm audit to production deps only (--prod)

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>
@pkosiec pkosiec force-pushed the pkosiec/unblock-releases branch from 17cc5a1 to d596d7e on March 30, 2026 08:54
@pkosiec pkosiec marked this pull request as ready for review March 30, 2026 09:09
@pkosiec pkosiec merged commit 38f6474 into main Mar 30, 2026
8 checks passed
@pkosiec pkosiec deleted the pkosiec/unblock-releases branch March 30, 2026 09:34
thekauer added a commit to neondatabase/neon-js that referenced this pull request Mar 31, 2026
- Add npm audit --audit-level=high --production before version bumping
  (blocks release on high/critical CVEs, no continue-on-error)
- Reorder SBOM generation before packing so sbom.cdx.json is included
  in each published npm tarball via the files array in package.json
- Add sbom.cdx.json to .gitignore (generated artifact, not source)
- All GitHub Actions in release.yml were already pinned by commit SHA

Inspired by databricks/appkit#219.

Co-authored-by: Isaac
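The release gate that both the PR summary above (pnpm audit before init, per-package CycloneDX SBOM shipped through the package.json files allowlist) and the neon-js commit above (npm audit before the version bump, SBOM generated before packing) describe, as an added example that is not code from databricks/appkit or neondatabase/neon-js. It goes one step beyond the page by also checking that the generated SBOM lists every production dependency of the packed package, which the release hooks on the page do not verify. Assumptions: the audit report is the npm-style JSON with metadata.vulnerabilities counts keyed by severity (what `pnpm audit --json` and `npm audit --json` emit), the SBOM is CycloneDX JSON with a top-level components array, and the sample documents and function names (auditVerdict, missingFromSbom, sbomIsPublished, releaseGate) are constructed for this example.

```javascript
// Added example, not code from databricks/appkit or neondatabase/neon-js.
// Assumptions: audit JSON carries metadata.vulnerabilities counts keyed by
// severity (npm/pnpm audit --json shape); the SBOM is CycloneDX JSON with a
// top-level `components` array. Sample documents below are constructed.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Does the audit report block the release at the given --audit-level?
// A missing report (registry or proxy error, such as the 501 retries noted in
// the PR's test plan) fails closed: "could not check" never passes the gate.
function auditVerdict(report, auditLevel = 'high') {
  const minIdx = SEVERITY_ORDER.indexOf(auditLevel);
  if (minIdx < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts) return { blocked: true, reason: 'audit report unavailable (fail closed)' };
  const hits = SEVERITY_ORDER.slice(minIdx).filter((s) => (counts[s] || 0) > 0);
  if (hits.length === 0) return { blocked: false, reason: `no findings at or above ${auditLevel}` };
  const total = hits.reduce((n, s) => n + counts[s], 0);
  return { blocked: true, reason: `${total} finding(s) of severity ${hits.join(', ')}` };
}

// Production dependency names the CycloneDX SBOM does not list.
// cdxgen --required-only omits devDependencies, so only `dependencies` counts.
function missingFromSbom(sbom, pkgJson) {
  const listed = new Set((sbom.components || []).map((c) => c.name));
  return Object.keys(pkgJson.dependencies || {}).filter((name) => !listed.has(name));
}

// Will the SBOM file make it into the published tarball? With a `files`
// allowlist only listed entries ship; without one, everything not ignored does.
function sbomIsPublished(pkgJson, sbomFile = 'sbom.cdx.json') {
  if (!Array.isArray(pkgJson.files)) return true;
  return pkgJson.files.includes(sbomFile);
}

// Run every check; an empty array means the release may proceed.
function releaseGate({ auditReport, sbom, pkgJson, auditLevel = 'high' }) {
  const problems = [];
  const verdict = auditVerdict(auditReport, auditLevel);
  if (verdict.blocked) problems.push(`audit: ${verdict.reason}`);
  if (!sbomIsPublished(pkgJson)) problems.push('sbom.cdx.json is not in the package.json files allowlist');
  const missing = missingFromSbom(sbom, pkgJson);
  if (missing.length) problems.push(`sbom: missing production dependencies ${missing.join(', ')}`);
  return problems;
}

// Constructed sample inputs (not real advisories, not a real appkit manifest).
const SAMPLE_AUDIT = {
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 1, critical: 0 } },
};
const SAMPLE_PKG = {
  name: '@example/pkg',
  version: '1.0.0',
  dependencies: { zod: '^3.0.0', yargs: '^17.0.0' },
  files: ['dist', 'sbom.cdx.json'],
};
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [{ type: 'library', name: 'zod', version: '3.23.8', purl: 'pkg:npm/zod@3.23.8' }],
};

const demoProblems = releaseGate({ auditReport: SAMPLE_AUDIT, sbom: SAMPLE_SBOM, pkgJson: SAMPLE_PKG });
console.log(demoProblems.length ? `BLOCKED:\n  ${demoProblems.join('\n  ')}` : 'release gate passed');
```

Wired into a before:release hook, the script would read the output of `pnpm audit --prod --json` and the generated sbom.cdx.json from the publish directory instead of the inline samples; the fail-closed branch is the one a registry proxy error would land in, so an unreachable audit endpoint stops the release rather than silently skipping the check.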