
Exporting a software bill of materials for your repository

You can export a software bill of materials (SBOM) for your repository from the dependency graph. SBOMs give transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risk.

Who can use this feature

Anyone can export the dependency graph of a repository as a software bill of materials. The SBOM export will contain a list of the dependencies that are used in the repository.

About the dependency graph and SBOM exports

The dependency graph is a summary of the manifest and lock files stored in a repository, plus any dependencies submitted for the repository using the dependency submission API (beta). For each repository, it shows:

  • Dependencies, the ecosystems and packages it depends on

  • Dependents, the repositories that depend on it

    For each dependency, you can see the license information and vulnerability severity. You can also use the search bar to find a specific dependency. Dependencies are automatically sorted by vulnerability severity.

You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard SPDX format:

  • Via the GitHub UI
  • Using the REST API

An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (for example, versions, package identifiers, and licenses). SBOMs help reduce supply chain risk by:

  • Providing transparency about the dependencies used by your repository
  • Supporting the identification of vulnerabilities earlier in the process
  • Providing insight into license compliance, security, or quality issues that may exist in your codebase
  • Enabling you to better comply with various data protection standards

If your company provides software to the US federal government per Executive Order 14028, you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.

Exporting a software bill of materials for your repository from the UI

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, the tab labeled with a graph icon and "Insights" is outlined in dark orange.

  3. In the left sidebar, click Dependency graph.

  4. On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.

Exporting a software bill of materials for your repository using the REST API

If you want to use the REST API to export an SBOM for your repository, see Software bill of materials (SBOM) in the REST API documentation for more information.
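The following is an added example, not code from the GitHub docs or from GitHub itself, showing what a practitioner typically does with the export: call the REST endpoint (GET /repos/{owner}/{repo}/dependency-graph/sbom, which wraps the SPDX JSON document in a top-level "sbom" key) and then walk the SPDX packages and relationships to list package URLs (purls), flag packages whose license is NOASSERTION, and recover the repository's direct dependencies. The owner/repo names and the SAMPLE_RESPONSE document are constructed for illustration in the shape of an SPDX 2.3 JSON document; they are not real GitHub output. Only the standard library is used, and the network call runs only when GITHUB_TOKEN is set.

```python
"""Fetch a repository SBOM via the GitHub REST API and summarize the SPDX document."""
import json
import os
import urllib.request
from typing import Dict, List, Optional, Set

GITHUB_API = "https://api.github.com"


def fetch_sbom(owner: str, repo: str, token: str) -> dict:
    """GET /repos/{owner}/{repo}/dependency-graph/sbom and return the SPDX document.

    The response body is {"sbom": {...SPDX JSON...}}; this returns the inner document.
    Requires a token that can read the repository and network access.
    """
    req = urllib.request.Request(
        f"{GITHUB_API}/repos/{owner}/{repo}/dependency-graph/sbom",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["sbom"]


# Constructed sample response (SPDX 2.3 JSON shape) so the rest of the example runs
# offline. Package names, versions and SPDXIDs are made up for illustration.
SAMPLE_RESPONSE = {"sbom": {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example-org/example-repo",
    "packages": [
        {"name": "com.github.example-org/example-repo", "SPDXID": "SPDXRef-Repository",
         "versionInfo": "main", "downloadLocation": "git+https://github.com/example-org/example-repo",
         "filesAnalyzed": False, "licenseConcluded": "NOASSERTION"},
        {"name": "pip:requests", "SPDXID": "SPDXRef-pip-requests", "versionInfo": "2.31.0",
         "downloadLocation": "NOASSERTION", "filesAnalyzed": False, "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "npm:left-pad", "SPDXID": "SPDXRef-npm-left-pad", "versionInfo": "1.3.0",
         "downloadLocation": "NOASSERTION", "filesAnalyzed": False, "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Repository",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-pip-requests",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-npm-left-pad",
         "relationshipType": "DEPENDS_ON"},
    ],
}}


def parse_packages(sbom: dict) -> List[Dict]:
    """Flatten SPDX packages into rows of spdx_id/name/version/purl/license.

    A license of NOASSERTION (or a missing field) becomes None, so callers can
    distinguish "unknown" from a real SPDX license identifier.
    """
    rows = []
    for pkg in sbom.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
                break
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared")
        if lic == "NOASSERTION":
            lic = None
        rows.append({"spdx_id": pkg.get("SPDXID"), "name": pkg.get("name"),
                     "version": pkg.get("versionInfo"), "purl": purl, "license": lic})
    return rows


def unknown_license(rows: List[Dict]) -> List[str]:
    """Names of packages whose license the graph could not assert (review these by hand)."""
    return [r["name"] for r in rows if r["license"] is None]


def described_root(sbom: dict) -> Optional[str]:
    """SPDXID of the element the document DESCRIBES, i.e. the repository itself."""
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == "SPDXRef-DOCUMENT":
            return rel.get("relatedSpdxElement")
    return None


def dependencies_of(sbom: dict, spdx_id: str) -> Set[str]:
    """SPDXIDs that spdx_id DEPENDS_ON according to the relationships list."""
    return {rel["relatedSpdxElement"] for rel in sbom.get("relationships", [])
            if rel.get("relationshipType") == "DEPENDS_ON" and rel.get("spdxElementId") == spdx_id}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    # With a token, query the (hypothetical) example-org/example-repo; otherwise use the sample.
    sbom = fetch_sbom("example-org", "example-repo", token) if token else SAMPLE_RESPONSE["sbom"]
    rows, root = parse_packages(sbom), described_root(sbom)
    print(f"{sbom['name']}: {len(rows)} packages, root element {root}")
    for r in rows:
        print(f"  {r['name']:40} {r['version'] or '-':10} {r['license'] or 'UNKNOWN':12} {r['purl'] or ''}")
    print("direct dependencies of root:", sorted(dependencies_of(sbom, root)))
    print("packages with no asserted license:", unknown_license(rows))
```

The purls collected by parse_packages are the handle most vulnerability and license tooling expects, so they are the natural thing to feed into a scanner or to diff between two exports; the NOASSERTION check matters because an SBOM that silently reports "unknown" as a license will pass a naive compliance filter.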