REST API endpoints for software bill of materials (SBOM)

Use the REST API to export the software bill of materials (SBOM) for a repository.

If you have at least read access to the repository, you can export the dependency graph for the repository as an SPDX-compatible, Software Bill of Materials (SBOM), via the GitHub UI or GitHub REST API. For more information, see Exporting a software bill of materials for your repository.

This article gives details about the REST API endpoint.

Note

GitHub Enterprise Server does not retrieve license information for dependencies, and does not calculate information about dependents, the repositories and packages that depend on a repository. These fields will not be populated in the response.

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Contents" repository permissions (read)

allows_public_read_access

Parameters for "Export a software bill of materials (SBOM) for a repository."

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

http_status_code

status_code	Description
`200`	OK
`403`	Forbidden
`404`	Resource not found

code_samples

request_example

get/repos/{owner}/{repo}/dependency-graph/sbom

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200

{
  "sbom": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
      "created": "2021-09-01T00:00:00Z",
      "creators": [
        "Tool: GitHub.com-Dependency-Graph"
      ]
    },
    "name": "github/example",
    "dataLicense": "CC0-1.0",
    "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57",
    "packages": [
      {
        "SPDXID": "SPDXRef-Package",
        "name": "rubygems:rails",
        "versionInfo": "1.0.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": false,
        "licenseConcluded": "NOASSERTION",
        "licenseDeclared": "NOASSERTION"
      }
    ],
    "relationships": [
      {
        "relationshipType": "DEPENDS_ON",
        "spdxElementId": "SPDXRef-Repository",
        "relatedSpdxElement": "SPDXRef-Package"
      },
      {
        "relationshipType": "DESCRIBES",
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-Repository"
      }
    ]
  }
}