
Exporting a software bill of materials for your repository

You can export a software bill of materials (SBOM) for a repository from its dependency graph. SBOMs provide transparency about open source usage and help reduce supply chain risk by revealing supply chain vulnerabilities.

Who can use this feature?

All users on GitHub

About the dependency graph and SBOM exports

The dependency graph is a summary of the manifest and lock files stored in a repository, plus any dependencies submitted for the repository using the dependency submission API. For each repository, it shows the dependencies, that is, the ecosystems and packages the repository depends on.

For each dependency, you can see the version, the manifest file which included it, and whether it has known vulnerabilities. For package ecosystems supporting transitive dependencies, the relationship status will be displayed and you can click "", then "Show paths", to see the transitive path which brought in the dependency.

You can also search for a specific dependency using the search bar. Dependencies are sorted automatically with vulnerable packages at the top.

GitHub does not retrieve license information for dependencies, and does not calculate information about dependents (the repositories and packages that depend on a repository).

You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard SPDX format:

  • Via the GitHub UI
  • Using the REST API

An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as versions and package identifiers). SBOMs help reduce supply chain risks by:

  • Providing transparency about the dependencies used by your repository
  • Allowing vulnerabilities to be identified across your codebase
  • Providing insights into the license compliance, security, or quality issues that may exist in your codebase
  • Enabling you to better comply with various data protection standards

If your company provides software to the US federal government per Executive Order 14028, you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.

Note

Dependents are not included in SBOMs.

Exporting a software bill of materials for your repository from the UI

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled with a graph icon and "Insights," is outlined in orange.

  3. In the left sidebar, click Dependency graph.

  4. On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.

Exporting a software bill of materials for your repository using the REST API

If you want to use the REST API to export an SBOM for your repository, see REST API endpoints for software bill of materials (SBOM).
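The SBOM the REST API returns is an SPDX 2.x document in JSON, so the useful work after the export is parsing it: listing the packages, their versions and package URLs (purls), and walking the DEPENDS_ON relationships to recover the same transitive paths the UI shows under "Show paths". The following script is an added example and is not GitHub's own code. It assumes the endpoint GET /repos/{owner}/{repo}/dependency-graph/sbom wraps the SPDX document under a top-level "sbom" key (the fetch helper is never called offline), and the SAMPLE_EXPORT document, including its SPDXID values and package names, is constructed for illustration rather than taken from a real repository.

```python
"""Summarize a GitHub SBOM export (SPDX 2.x JSON).

Added example, not GitHub's code. Assumptions: the REST endpoint returns
{"sbom": <SPDX document>}; SAMPLE_EXPORT below is constructed sample data.
"""
import json
import urllib.request
from collections import Counter, defaultdict
from typing import Optional

API_ROOT = "https://api.github.com"  # assumed base URL for the REST API

# Constructed sample: one root package, three direct npm/pip dependencies,
# and one transitive dependency (requests -> urllib3). Not real output.
SAMPLE_EXPORT = json.dumps({"sbom": {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/demo-repo",
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "com.github.example/demo-repo", "versionInfo": "main"},
        {"SPDXID": "SPDXRef-npm-left-pad", "name": "npm:left-pad", "versionInfo": "1.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
        {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"SPDXID": "SPDXRef-pip-urllib3", "name": "pip:urllib3", "versionInfo": "2.1.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.1.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-root", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-npm-left-pad", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-npm-lodash", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-pip-requests", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-pip-requests", "relatedSpdxElement": "SPDXRef-pip-urllib3", "relationshipType": "DEPENDS_ON"},
    ],
}})


def fetch_sbom(owner: str, repo: str, token: str) -> str:
    """GET the SBOM export for a repository. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"{API_ROOT}/repos/{owner}/{repo}/dependency-graph/sbom",
        headers={"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def load_sbom(text: str) -> dict:
    """Unwrap the "sbom" envelope and reject documents that are not SPDX 2.x."""
    doc = json.loads(text)["sbom"]
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
        raise ValueError(f"unexpected SPDX version: {doc.get('spdxVersion')!r}")
    return doc


def purl_of(pkg: dict) -> Optional[str]:
    """Return the package URL from externalRefs, or None (e.g. for the root package)."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def root_package_id(doc: dict) -> str:
    """The package the document DESCRIBES is the repository itself."""
    for rel in doc["relationships"]:
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == "SPDXRef-DOCUMENT":
            return rel["relatedSpdxElement"]
    raise ValueError("no DESCRIBES relationship from SPDXRef-DOCUMENT")


def depends_on_graph(doc: dict) -> dict:
    """Adjacency list built from DEPENDS_ON relationships (SPDXID -> [SPDXID])."""
    graph = defaultdict(list)
    for rel in doc["relationships"]:
        if rel["relationshipType"] == "DEPENDS_ON":
            graph[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
    return graph


def direct_dependencies(doc: dict) -> set:
    """Names of packages the root package depends on directly."""
    pkgs = {p["SPDXID"]: p for p in doc["packages"]}
    return {pkgs[i]["name"] for i in depends_on_graph(doc)[root_package_id(doc)]}


def dependency_paths(doc: dict, target_name: str) -> list:
    """All root-to-target paths through DEPENDS_ON edges (the UI's "Show paths")."""
    pkgs = {p["SPDXID"]: p for p in doc["packages"]}
    graph = depends_on_graph(doc)
    paths = []

    def walk(node_id, path_ids):
        path_ids = path_ids + [node_id]
        if pkgs[node_id]["name"] == target_name:
            paths.append([pkgs[i]["name"] for i in path_ids])
            return
        for child in graph.get(node_id, []):
            if child not in path_ids:  # guard against cyclic DEPENDS_ON edges
                walk(child, path_ids)

    walk(root_package_id(doc), [])
    return paths


def ecosystem_counts(doc: dict) -> dict:
    """Count packages per purl type (npm, pypi, ...)."""
    counts = Counter()
    for pkg in doc["packages"]:
        purl = purl_of(pkg)
        if purl:
            counts[purl.split(":", 1)[1].split("/", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_EXPORT)  # swap in fetch_sbom(owner, repo, token) for a live repo
    print("direct:", sorted(direct_dependencies(sbom)))
    print("ecosystems:", ecosystem_counts(sbom))
    print("paths to pip:urllib3:", dependency_paths(sbom, "pip:urllib3"))
```

Because the export carries no license data and no dependents (see the note above), the script reports only what the document contains: versions, purls, ecosystems and relationship paths. Feeding the purls to a vulnerability database is the natural next step, and the path output tells you which direct dependency to update when a transitive package is flagged.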

Generating a software bill of materials from GitHub Actions

The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see Downloading workflow artifacts.

Action: Details

  • SPDX Dependency Submission Action: Uses Microsoft's SBOM Tool to create SPDX 2.2 compatible SBOMs with the supported ecosystems
  • Anchore SBOM Action: Uses Syft to create SPDX 2.2 compatible SBOMs with the supported ecosystems
  • SBOM Dependency Submission Action: Uploads a CycloneDX SBOM to the dependency submission API