You can export the current state of the dependency graph for your repository as a software bill of materials (SBOM) using the industry-standard SPDX format.
SBOMs include an inventory of a project's dependencies and associated information such as versions, package identifiers, licenses, transitive paths, and copyright information. SBOMs do not include dependents (other projects that rely on your project).
Exporting a software bill of materials for your repository from the UI
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Insights.
- In the left sidebar, click Dependency graph.
- On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.
Exporting a software bill of materials for your repository using the REST API
If you want to use the REST API to export an SBOM for your repository, see REST API endpoints for software bill of materials (SBOM).
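The following is an added example, not code from GitHub's documentation, showing what a practitioner typically does with the exported SBOM: fetch it from the REST API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/sbom`, which wraps the SPDX document in a top-level `sbom` key) and then walk the inventory described above: versions, package URLs (purl identifiers), licenses, and transitive paths reconstructed from `DEPENDS_ON` relationships. Network access is only used when the script is run directly with `GITHUB_TOKEN`, `OWNER` and `REPO` set; otherwise it runs over a constructed sample SBOM embedded below. The package names, versions and SPDX IDs in that sample are made up for illustration.

```python
"""Fetch a repository's SPDX SBOM from the GitHub REST API and summarise it.

Added example: the helper names and the SAMPLE_SBOM below are assumptions,
not part of the GitHub documentation or API.
"""
import json
import os
import urllib.request

API_VERSION = "2022-11-28"  # GitHub REST API version header value


def sbom_request(owner, repo, token=None, api_base="https://api.github.com"):
    """Build (but do not send) the request for the SBOM export endpoint."""
    url = f"{api_base}/repos/{owner}/{repo}/dependency-graph/sbom"
    headers = {
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": API_VERSION,
    }
    if token:  # a token is needed for private repositories
        headers["Authorization"] = f"Bearer {token}"
    return urllib.request.Request(url, headers=headers)


def fetch_sbom(owner, repo, token=None):
    """Send the request and return the SPDX document (the 'sbom' object)."""
    with urllib.request.urlopen(sbom_request(owner, repo, token)) as resp:
        return json.load(resp)["sbom"]


def summarize(sbom):
    """Map each package SPDXID to its name, version, purl, license and direct deps."""
    packages = {}
    for pkg in sbom.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        packages[pkg["SPDXID"]] = {
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "purl": purl,
            # SPDX uses the literal string NOASSERTION when no license is known
            "license": pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION",
            "depends_on": [],
        }
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON" and rel["spdxElementId"] in packages:
            packages[rel["spdxElementId"]]["depends_on"].append(rel["relatedSpdxElement"])
    return packages


def root_package(sbom):
    """Return the SPDXID of the package the document DESCRIBES (the repository itself)."""
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == "SPDXRef-DOCUMENT":
            return rel["relatedSpdxElement"]
    return None


def dependency_paths(packages, root):
    """Enumerate transitive paths root -> ... -> leaf, guarding against cycles."""
    paths = []

    def walk(node, path):
        deps = packages.get(node, {}).get("depends_on", [])
        if not deps:
            paths.append(path)
            return
        for dep in deps:
            if dep in path:  # cycle: record the path and stop descending
                paths.append(path + [dep])
            else:
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def packages_with_license(packages, license_id):
    """Names of packages whose license matches, e.g. 'NOASSERTION' to find gaps."""
    return sorted(p["name"] for p in packages.values() if p["license"] == license_id)


# Constructed sample in the shape of the endpoint's "sbom" object (not real API output).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example-org/example-repo",
    "packages": [
        {"SPDXID": "SPDXRef-repo", "name": "com.github.example-org/example-repo",
         "versionInfo": "main", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-npm-web", "name": "npm:example-web", "versionInfo": "4.2.1",
         "licenseConcluded": "MIT", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl", "referenceLocator": "pkg:npm/example-web@4.2.1"}]},
        {"SPDXID": "SPDXRef-npm-parse", "name": "npm:example-parse", "versionInfo": "6.0.3",
         "licenseConcluded": "BSD-3-Clause", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl", "referenceLocator": "pkg:npm/example-parse@6.0.3"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-repo"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-npm-web"},
        {"spdxElementId": "SPDXRef-npm-web", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-npm-parse"},
    ],
}

if __name__ == "__main__":
    owner, repo = os.environ.get("OWNER"), os.environ.get("REPO")
    sbom = fetch_sbom(owner, repo, os.environ.get("GITHUB_TOKEN")) if owner and repo else SAMPLE_SBOM
    pkgs = summarize(sbom)
    for path in dependency_paths(pkgs, root_package(sbom)):
        print(" -> ".join(pkgs[p]["name"] for p in path))
    print("no license asserted:", packages_with_license(pkgs, "NOASSERTION"))
```

The transitive paths come only from the `DEPENDS_ON` relationships the export contains, so the walk shows what the dependency graph recorded, not what is installed on a given machine; packages reported as `NOASSERTION` are the ones to follow up on when the SBOM is used for license or provenance review.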
Generating a software bill of materials from GitHub Actions
The following actions generate an SBOM for your repository and attach it as a workflow artifact that you can download and use in other applications. For more information about downloading workflow artifacts, see Downloading workflow artifacts.
| Action | Details |
|---|---|
| SPDX Dependency Submission Action | Uses Microsoft's SBOM Tool to create SPDX 2.2 compatible SBOMs with the supported ecosystems |
| Anchore SBOM Action | Uses Syft to create SPDX 2.2 compatible SBOMs with the supported ecosystems |
| SBOM Dependency Submission Action | Uploads a CycloneDX SBOM to the dependency submission API |