Understanding your software supply chain
About supply chain security
GitHub helps you secure your supply chain, from understanding the dependencies in your environment, to knowing about vulnerabilities in those dependencies, and patching them.
About the dependency graph
You can use the dependency graph to identify all your project's dependencies. The dependency graph supports a range of popular package ecosystems.
Dependency graph supported package ecosystems
Dependency graph supports a variety of ecosystems.
Configuring the dependency graph
You can allow users to identify their projects' dependencies by enabling the dependency graph.
Configuring automatic dependency submission for your repository
You can use automatic dependency submission to submit transitive dependency data in your repository. This enables you to analyze these transitive dependencies using the dependency graph.
Exporting a software bill of materials for your repository
You can export a software bill of materials or SBOM for your repository from the dependency graph. SBOMs allow transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risks.
Using the dependency submission API
You can use the dependency submission API to submit dependencies for projects, such as the dependencies resolved when a project is built or compiled.
About dependency review
Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.
Configuring the dependency review action
You can use the dependency review action to catch vulnerabilities before they are added to your project.
Customizing your dependency review action configuration
Learn how to add a basic customization to your dependency review action configuration.
Enforcing dependency review across an organization
Dependency review lets you catch insecure dependencies before you introduce them to your environment. You can enforce the use of the dependency review action across your organization.
Exploring the dependencies of a repository
You can use the dependency graph to see the packages your project depends on and the repositories that depend on it. In addition, you can see any vulnerabilities detected in its dependencies.
Troubleshooting the dependency graph
If the dependency information reported by the dependency graph is not what you expected, there are a number of points to consider, and various things you can check.