리포지토리에 대한 소프트웨어 자료 청구서 내보내기

이 문서의 내용

종속성 그래프에서 리포지토리에 대한 소프트웨어 자료 청구서 또는 SBOM을 내보낼 수 있습니다. SBOM은 오픈 소스 사용에 대한 투명성을 허용하고 공급망 취약성을 노출하여 공급망 위험을 줄이는 데 도움이 됩니다.

이 기능을 사용할 수 있는 사용자

Anyone can export the dependency graph of a repository as a software bill of materials. The SBOM export will contain a list of the dependencies that are used in the repository.

About the dependency graph and SBOM exports

The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the Dependency submission API (beta). For each repository, it shows:

  • Dependencies, the ecosystems and packages it depends on
  • Dependents, the repositories and packages that depend on it

For each dependency, you can see the license information and vulnerability severity. You can also search for a specific dependency using the search bar. Dependencies are sorted automatically by vulnerability severity.

You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard SPDX format:

  • Via the GitHub UI
  • Using the REST API

An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as versions, package identifiers, and licenses). SBOMs help reduced supply chain risks by:

  • providing transparency about the dependencies used by your repository
  • allowing vulnerabilities to be identified early in the process
  • providing insights in the license compliance, security, or quality issues that may exist in your codebase
  • enabling you to better comply with various data protection standards

If your company provides software to the US federal government per Executive Order 14028, you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.

Exporting a software bill of material for your repository from the UI

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled with a graph icon and "Insights," is outlined in dark orange.

  3. In the left sidebar, click Dependency graph.

  4. On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.

Exporting a software bill of material for your repository using the REST API

If you want to use the REST API to export an SBOM for your repository, see Software bill of materials (SBOM) in the REST API documentation for more information.