
Exporting a software bill of materials for your repository

You can export a software bill of materials or SBOM for your repository from the dependency graph. SBOMs allow transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risks.

Who can use this feature?

Anyone on GitHub

About the dependency graph and SBOM exports

The dependency graph is a summary of the manifest and lock files stored in a repository, plus any dependencies submitted to the repository using the dependency submission API. For each repository, it shows dependencies, that is, the ecosystems and packages it depends on.

For each dependency, you can see the version, the manifest file that includes it, and whether it has a known vulnerability. For package ecosystems that support transitive dependencies, the dependency relationship status is shown. You can click the icon and select "Show paths" to see the transitive paths that introduce the dependency.

You can also use the search bar to search for a specific dependency. Dependencies are automatically sorted, with vulnerable packages at the top.

GitHub does not retrieve license information for dependencies, and does not calculate information about dependents, the repositories and packages that depend on a repository.

You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard SPDX format:

  • Via the GitHub UI
  • Using the REST API

An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as versions and package identifiers). SBOMs help reduce supply chain risks by:

  • Providing transparency about the dependencies used by your repository
  • Allowing vulnerabilities to be identified across codebases
  • Providing insight into license compliance, security, or quality issues that may exist in your codebase
  • Enabling you to better comply with various data protection standards

If your company provides software to the US federal government per Executive Order 14028, you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.

Note

Dependents are not included in SBOMs.

Exporting a software bill of materials for your repository from the UI

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click the Insights tab.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab labeled with a graph icon and "Insights" is outlined in orange.

  3. In the left sidebar, click Dependency graph.

  4. On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.

Exporting a software bill of materials for your repository using the REST API

If you want to use the REST API to export an SBOM for your repository, see REST API endpoints for software bill of materials (SBOM).
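As an added example (not GitHub's own code), the script below downloads the SBOM through the REST API endpoint GET /repos/{owner}/{repo}/dependency-graph/sbom and then walks the SPDX document to list each package with its version and purl, flagging packages the SBOM could not pin to a version, which is the first check you want before matching an export against advisories. The fetch helper, the response wrapper key and the sample document are assumptions made for this example; the sample is constructed, not real data.

```python
import json
import urllib.request

SBOM_ENDPOINT = "https://api.github.com/repos/{owner}/{repo}/dependency-graph/sbom"


def fetch_sbom(owner, repo, token):
    """Download the repository's SPDX SBOM via the REST API (token must be able to read the repo)."""
    req = urllib.request.Request(
        SBOM_ENDPOINT.format(owner=owner, repo=repo),
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": "2022-11-28"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def spdx_document(response):
    """The API wraps the SPDX document under an "sbom" key; a raw SPDX JSON file has no wrapper."""
    return response.get("sbom", response)


def list_packages(response):
    """(name, version, purl) for each SPDX package, skipping the root package describing the repo itself."""
    doc = spdx_document(response)
    root_ids = set(doc.get("documentDescribes", []))
    rows = []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in root_ids:
            continue
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        rows.append((pkg["name"], pkg.get("versionInfo"), purl))
    return rows


def unpinned(response):
    """Names of packages with no usable version: these cannot be matched reliably against advisories."""
    return [name for name, ver, _ in list_packages(response) if ver in (None, "", "NOASSERTION")]


# Constructed sample in the shape of the endpoint's JSON response (not real data).
SAMPLE = {"sbom": {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.example/demo-repo",
    "documentDescribes": ["SPDXRef-Package-root"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-root", "name": "com.github.example/demo-repo", "versionInfo": "main"},
        {"SPDXID": "SPDXRef-npm-lodash", "name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-pip-requests", "name": "requests", "versionInfo": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests"}]}]}}

if __name__ == "__main__":
    for row in list_packages(SAMPLE):
        print(row)
    print("unpinned:", unpinned(SAMPLE))
```

To run it against a real repository, replace SAMPLE with fetch_sbom(owner, repo, token); the same functions apply to an SBOM file downloaded from the UI.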

Generating a software bill of materials from GitHub Actions

The following actions generate an SBOM for your repository and attach it as a workflow artifact, which you can download and use in other applications. For more information about downloading workflow artifacts, see Downloading workflow artifacts.

  • SPDX Dependency Submission Action: Uses Microsoft's SBOM Tool to create SPDX 2.2 compatible SBOMs with the supported ecosystems
  • Anchore SBOM Action: Uses Syft to create SPDX 2.2 compatible SBOMs with the supported ecosystems
  • SBOM Dependency Submission Action: Uploads a CycloneDX SBOM to the dependency submission API