Skip to main content

This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for software bill of materials (SBOM)

Use the REST API to export the software bill of materials (SBOM) for a repository.

If you have at least read access to the repository, you can export the dependency graph for the repository as an SPDX-compatible, Software Bill of Materials (SBOM), via the GitHub UI or GitHub REST API. For more information, see "Exporting a software bill of materials for your repository."

This article gives details about the REST API endpoint.

GitHub Enterprise Server does not retrieve license information for dependencies, and does not calculate information about dependents, the repositories and packages that depend on a repository. These fields will not be populated in the response.

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

Fine-grained access tokens for "Export a software bill of materials (SBOM) for a repository."

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

  • "Contents" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Export a software bill of materials (SBOM) for a repository."

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
owner string Required

The account owner of the repository. The name is not case sensitive.

repo string Required

The name of the repository without the .git extension. The name is not case sensitive.

HTTP response status codes for "Export a software bill of materials (SBOM) for a repository."

Status codeDescription
200

OK

403

Forbidden

404

Resource not found

Code samples for "Export a software bill of materials (SBOM) for a repository."

Request example

get/repos/{owner}/{repo}/dependency-graph/sbom
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200
{ "sbom": { "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2021-09-01T00:00:00Z", "creators": [ "Tool: GitHub.com-Dependency-Graph" ] }, "name": "github/example", "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57", "packages": [ { "SPDXID": "SPDXRef-Package", "name": "rubygems:rails", "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION" } ], "relationships": [ { "relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-Package" }, { "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Repository" } ] } }