Introducing self-service SBOMs
Developers and compliance teams get a new SBOM generation tool for cloud repositories.
Following the precedent set by Executive Order 14028, security and compliance teams increasingly request software bills of materials (SBOMs) to identify the open source components of their software projects, assess their vulnerability to emerging threats, and verify alignment with license policies. So, we asked ourselves, how do we make SBOMs easier to generate and share?
Today, we’re happy to announce a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click. The resulting JSON file records project dependencies and their metadata, such as versions and licenses, in the industry-standard SPDX format, which can then be used with security and compliance workflows and tools, or reviewed in Microsoft Excel (use a JSON-to-CSV converter for compatibility with Google Sheets).
While this new self-service capability makes it easy to generate SBOMs on-demand, developers can also make SBOM generation a regular step of their development workflow. First, if you already have an SBOM for your project, you can upload it to the dependency graph to receive Dependabot alerts on any dependencies with known vulnerabilities. Next, use GitHub’s SBOM gh CLI extension to programmatically generate SBOMs from your repository’s dependency graph, or use a third-party GitHub Action to generate SBOMs at build time. A REST API for generating an SBOM from your dependency graph is coming soon.
As part of GitHub’s supply chain security solution, self-service SBOMs are free for all cloud repositories on GitHub.
What’s changing?
To generate an SBOM, click the new Export SBOM button on a repository’s dependency graph.
This creates a machine-readable JSON file in the SPDX format.
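As an added example (not GitHub’s own code), here is how a compliance workflow might consume the exported SPDX JSON described above: it inventories each package by package URL (or name@version) and checks the concluded license against a hypothetical allowlist, treating NOASSERTION as needing review rather than as a pass. The SBOM content and the allowlist are constructed for illustration.

```python
import json

# Constructed sample in the SPDX 2.3 JSON shape described above; the values
# are illustrative, not copied from any real repository's export.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example/repo",
    "packages": [
        {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash", "versionInfo": "4.17.21",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests", "versionInfo": "2.31.0",
         "licenseConcluded": "Apache-2.0 OR GPL-3.0-only"},
        {"SPDXID": "SPDXRef-npm-left-pad", "name": "npm:left-pad", "versionInfo": "1.3.0", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-gem-foo", "name": "gem:foo", "versionInfo": "0.1.0", "licenseConcluded": "GPL-3.0-only"},
    ],
})

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}  # hypothetical policy

def license_allowed(expr, allowed):
    """Evaluate a simple SPDX license expression (no parentheses) against an
    allowlist. NOASSERTION/NONE mean the exporter could not determine a license
    and never pass; "A OR B" passes if either is allowed, "A AND B" only if both."""
    if expr in ("NOASSERTION", "NONE", ""):
        return False
    return all(any(alt.strip() in allowed for alt in conj.split(" OR "))
               for conj in expr.split(" AND "))

def purl_of(pkg):
    # Package URL external reference, if the SBOM entry carries one.
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None

def audit_sbom(sbom_json, allowed):
    """Parse an SPDX JSON SBOM. Returns (inventory, findings): inventory maps purl
    (or name@version) to license for matching against vulnerability data; findings
    lists packages whose license fails the allowlist or is undetermined."""
    doc = json.loads(sbom_json)
    inventory, findings = {}, []
    for pkg in doc.get("packages", []):
        key = purl_of(pkg) or f"{pkg['name']}@{pkg.get('versionInfo', '')}"
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        inventory[key] = lic
        if not license_allowed(lic, allowed):
            findings.append({"package": key, "license": lic})
    return inventory, findings
```

Pointing `audit_sbom` at the contents of a real export (rather than `SAMPLE_SBOM`) gives the same two outputs: a purl-keyed inventory for vulnerability matching and the list of packages that need license review.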
Learn more about SBOMs
- SBOM Documentation
- Dependency submission API
- GitHub SBOM command-line interface (CLI) extension
- Microsoft SBOM Tool