About the dependency graph and SBOM exports
依赖项关系图是存储在存储库 中的清单和锁定文件的摘要,以及所有提交给使用依赖项提交 API(beta 版) 的存储库的依赖关系。 对于每个存储库,它显示:
-
依赖项、它依赖的生态系统和包
-
依赖项、依赖于它的存储库
对于每个依赖项,可以看到许可证信息和漏洞严重程度。 还可以使用搜索栏搜索特定依赖项。 依赖项按漏洞严重程度自动排序。
You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard SPDX format:
- Via the GitHub UI
- Using the REST API
SBOM 是一份计算机可读的正式清单,其中包含项目的依赖项和相关信息(例如版本、包标识符和许可证)。 SBOM 通过以下方式帮助降低供应链风险:
- 让存储库使用的依赖项公开透明
- 支持在流程早期识别漏洞
- 提供有关代码库中可能存在的许可证合规性、安全性或质量问题的见解
- 使你能够更好地遵守各种数据保护标准
If your company provides software to the US federal government per Executive Order 14028, you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.
Exporting a software bill of material for your repository from the UI
-
在 GitHub.com 上,导航到存储库的主页。
-
在存储库名称下,单击 “见解”。
-
In the left sidebar, click Dependency graph.
-
On the top right side of the Dependencies tab, click Export SBOM to generate an SBOM file for download from your browser.
Exporting a software bill of material for your repository using the REST API
If you want to use the REST API to export an SBOM for your repository, see 软件材料清单 (SBOM) in the REST API documentation for more information.