feat: initial commit of SBOM dashboard

Author: edwardlonsdale

.env.example

@@ -0,0 +1,21 @@
+NODE_ENV=development
+PORT=3000
+
+DATABASE_HOST=localhost
+DATABASE_PORT=5432
+DATABASE_USER=sbom
+DATABASE_PASSWORD=sbom
+DATABASE_NAME=sbom_service
+
+S3_BUCKET_NAME=vodg-sbom-local
+S3_REGION=eu-west-2
+S3_ENDPOINT=http://localhost:4566
+
+OSV_API_URL=https://api.osv.dev
+
+OIDC_ISSUER_URL=http://localhost:8090/default
+OIDC_CLIENT_ID=sbom-service
+OIDC_CLIENT_SECRET=sbom-secret
+OIDC_REDIRECT_URI=http://localhost:3000/auth/callback
+
+SESSION_SECRET=local-dev-session-secret-minimum-32-characters-long

.github/workflows/ci.yml

@@ -0,0 +1,126 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run lint
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run test
+
+  build:
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        if: github.event_name == 'push'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          push: ${{ github.event_name == 'push' }}
+          provenance: ${{ github.event_name == 'push' }}
+          sbom: ${{ github.event_name == 'push' }}
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ github.sha }}
+            ghcr.io/${{ github.repository }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  check:
+    if: always()
+    needs: [gitleaks, zizmor, commitlint, lint, test, build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify all jobs passed
+        run: |
+          results=( \
+            "${{ needs.gitleaks.result }}" \
+            "${{ needs.zizmor.result }}" \
+            "${{ needs.commitlint.result }}" \
+            "${{ needs.lint.result }}" \
+            "${{ needs.test.result }}" \
+            "${{ needs.build.result }}" \
+          )
+          for r in "${results[@]}"; do
+            if [[ "$r" != "success" && "$r" != "skipped" ]]; then
+              echo "Job failed or was cancelled: $r"
+              exit 1
+            fi
+          done
+          echo "All jobs passed"

.gitignore

@@ -0,0 +1,8 @@
+node_modules/
+dist/
+.env
+.env.local
+*.log
+playwright-report/
+test-results/
+.DS_Store

.gitleaks.toml

@@ -0,0 +1,3 @@
+[allowlist]
+  description = "Known safe patterns"
+  paths = ["docker-compose.yml", ".env.example"]

.husky/pre-commit

@@ -0,0 +1,3 @@
+npx lint-staged
+gitleaks git --pre-commit --staged --verbose
+zizmor .github/

.npmrc

@@ -0,0 +1,2 @@
+ignore-scripts=true
+save-exact=true

.nvmrc

@@ -0,0 +1 @@
+20

CLAUDE.md

@@ -0,0 +1,74 @@
+# SBOM Service
+
+## Overview
+
+TypeScript/Node.js service that ingests SBOMs (CycloneDX + SPDX), scans for vulnerabilities via a local OSV.dev mirror, tracks dependency freshness and release cadence, and serves a GOV.UK-styled dashboard. Part of the View of Digital Government (VODG) project.
+
+## Architecture
+
+- Express server + pg-boss worker (single process)
+- Ingest: `POST /api/modules/sbom/services/:service_id` (X-API-Key auth, SHA-256 hashed)
+- Normalisation: parses CycloneDX/SPDX, extracts components into PostgreSQL
+- Scanner: queries local OSV mirror for vulnerability matches
+- OSV Sync: downloads ecosystem ZIPs from GCS every 6h
+- Freshness: evaluates dependency age against endoflife.date, npm registry, and Maven Central. Watchlist-driven (`src/freshness/watchlist.yaml`). Daily sync at 3 AM via pg-boss cron. States: green/amber/red based on majors behind + EOL status.
+- Cadence: monitors SBOM submission frequency
+- Dashboard: GOV.UK Frontend v6, Nunjucks templates, OIDC SSO auth
+
+## Running locally
+
+```bash
+docker compose up postgres localstack oidc-mock -d
+AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test aws --endpoint-url=http://localhost:4566 s3 mb s3://vodg-sbom-local --region eu-west-2
+cp .env.example .env
+pnpm install
+pnpm run db:migrate
+pnpm dev:watch
+```
+
+## Package manager
+
+pnpm (v10.33.0). Node 20+ required (see `.nvmrc`).
+
+## Key files
+
+- `src/main.ts` — entrypoint (Express + pg-boss)
+- `src/config.ts` — environment configuration loader
+- `src/ingest/router.ts` — SBOM ingest endpoint
+- `src/normalise/` — CycloneDX + SPDX parsers
+- `src/scanner/` — vulnerability matching against local OSV mirror
+- `src/sync/` — OSV.dev data sync (downloads ecosystem ZIPs from GCS)
+- `src/freshness/` — dependency freshness analysis
+- `src/cadence/` — release cadence tracking
+- `src/server/routes/` — Express routes (admin, dashboard, services)
+- `src/db/migrations/` — PostgreSQL schema migrations
+
+## Scripts
+
+| Script | Description |
+|--------|-------------|
+| `pnpm run build` | Compile TypeScript to /dist |
+| `pnpm run dev` | Start development server |
+| `pnpm run dev:watch` | Start with file watching |
+| `pnpm run lint` | ESLint + Prettier |
+| `pnpm run test` | Jest unit tests |
+| `pnpm run test:e2e` | Playwright E2E tests |
+| `pnpm run db:migrate` | Run database migrations |
+| `pnpm run generate-key` | Generate API key for a service |
+
+## Docker
+
+Multi-stage Dockerfile: build stage (pnpm install + tsc), release stage (prod deps only). Base: `node:20-slim`.
+
+## TypeScript conventions
+
+- `strict: true` — no implicit any
+- ESM-style imports compiled to CommonJS
+- Collocated tests (`*.test.ts` alongside source)
+- Jest with `ts-jest` and `--experimental-vm-modules`
+
+## OSV Sync
+
+Ecosystems: npm, PyPI, Go, Maven, NuGet, crates.io, Packagist
+Schedule: every 6 hours (pg-boss cron)
+Data source: `https://osv-vulnerabilities.storage.googleapis.com/{ecosystem}/all.zip` (public, no auth)

Dockerfile

@@ -0,0 +1,30 @@
+FROM node:20-slim AS build
+
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+
+WORKDIR /app
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN pnpm install --frozen-lockfile
+
+COPY tsconfig.json ./
+COPY src/ src/
+RUN pnpm build
+
+FROM node:20-slim AS release
+
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+
+WORKDIR /app
+COPY package.json pnpm-lock.yaml .npmrc ./
+RUN pnpm install --frozen-lockfile --prod
+
+COPY --from=build /app/dist dist/
+COPY src/db/migrations/ dist/db/migrations/
+COPY src/server/views/ dist/server/views/
+COPY src/freshness/watchlist.yaml dist/freshness/watchlist.yaml
+COPY --from=build /app/node_modules/govuk-frontend/dist/ public/govuk-frontend/
+
+USER node
+EXPOSE 3000
+
+CMD ["node", "dist/main.js"]

LICENSE

@@ -0,0 +1,17 @@
+Open Government Licence v3.0
+
+Copyright (c) Crown Copyright
+
+You may use and re-use the information featured in this repository (not including
+logos) free of charge in any format or medium, under the terms of the Open
+Government Licence v3.0.
+
+To view this licence, visit:
+https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
+
+Or write to:
+Information Policy Team
+The National Archives
+Kew, London TW9 4DU
+
+Or email: psi@nationalarchives.gov.uk