L’API REST est maintenant versionnée. Pour plus d’informations, consultez « À propos des versions de l’API ».

Points de terminaison d’API REST pour la nomenclature logicielle (SBOM)

Utilisez l’API REST pour exporter la nomenclature logicielle (SBOM) d’un référentiel.

Si vous disposez au moins d’un accès en lecture au dépôt, vous pouvez exporter les graphe des dépendances pour le dépôt en tant que nomenclature logicielle compatible SPDX (SBOM), via l’interface utilisateur de GitHub ou l’API REST GitHub. Pour plus d’informations, consultez « Exportation d’une nomenclature logicielle pour votre dépôt ».

Cet article fournit des détails sur le point de terminaison de l’API REST.

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

  • "Contents" repository permissions (read)

allows_public_read_access

Paramètres pour «Export a software bill of materials (SBOM) for a repository. »

En-têtes
accept string

Setting to application/vnd.github+json is recommended.

Paramètres de chemin d’accès
owner string Requis

The account owner of the repository. The name is not case sensitive.

repo string Requis

The name of the repository without the .git extension. The name is not case sensitive.

http_status_code

status_codeDescription
200

OK

403

Forbidden

404

Resource not found

code_samples

data_residency_notice

request_example

get/repos/{owner}/{repo}/dependency-graph/sbom
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200
{ "sbom": { "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2021-09-01T00:00:00Z", "creators": [ "Tool: GitHub.com-Dependency-Graph" ] }, "name": "github/example", "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57", "packages": [ { "name": "rails", "SPDXID": "SPDXRef-Package", "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT", "copyrightText": "Copyright (c) 1985 GitHub.com", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:gem/rails@1.0.0" } ] }, { "name": "github/example", "SPDXID": "SPDXRef-Repository", "versionInfo": "main", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:github/example@main" } ] } ], "relationships": [ { "relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-Package" }, { "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Repository" } ] } }

Fetch a software bill of materials (SBOM) for a repository.

Fetches a previously generated software bill of materials (SBOM) for a repository. When the SBOM is ready, the response is a 302 redirect to a temporary download URL for the SBOM in SPDX JSON format. The generated SBOM report may be retained for up to one week from the original request. The temporary download URL returned by this endpoint expires separately, and its expiry is set when the fetch request is made.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

  • "Contents" repository permissions (read)

allows_public_read_access

Paramètres pour «Fetch a software bill of materials (SBOM) for a repository. »

En-têtes
accept string

Setting to application/vnd.github+json is recommended.

Paramètres de chemin d’accès
owner string Requis

The account owner of the repository. The name is not case sensitive.

repo string Requis

The name of the repository without the .git extension. The name is not case sensitive.

sbom_uuid string Requis

The unique identifier of the SBOM export.

http_status_code

status_codeDescription
202

SBOM is still being processed, no content is returned.

302

Redirects to a temporary download URL for the completed SBOM.

403

Forbidden

404

Resource not found

code_samples

data_residency_notice

request_example

get/repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom_uuid}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/fetch-report/SBOM_UUID

SBOM is still being processed, no content is returned.

Status: 202

Request generation of a software bill of materials (SBOM) for a repository.

Triggers a job to generate a software bill of materials (SBOM) for a repository in SPDX JSON format.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

  • "Contents" repository permissions (read)

allows_public_read_access

Paramètres pour «Request generation of a software bill of materials (SBOM) for a repository. »

En-têtes
accept string

Setting to application/vnd.github+json is recommended.

Paramètres de chemin d’accès
owner string Requis

The account owner of the repository. The name is not case sensitive.

repo string Requis

The name of the repository without the .git extension. The name is not case sensitive.

http_status_code

status_codeDescription
201

Created

403

Forbidden

404

Resource not found

code_samples

data_residency_notice

request_example

get/repos/{owner}/{repo}/dependency-graph/sbom/generate-report
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/generate-report

Response

Status: 201
{ "sbom_url": "https://api.github.com/repos/github/example/dependency-graph/sbom/fetch-report/4bab1a7e-da63-4828-9488-44e0e01a7c1b" }