Introducing self-service SBOMs | The GitHub Blog
Following the precedent set by Executive Order 14028, security and compliance teams increasingly request software bills of materials (SBOMs) to identify the open source components of their software projects, assess their exposure to emerging threats, and verify alignment with license policies. So, we asked ourselves: how can we make SBOMs easier to generate and share?
Today, we're happy to announce a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click. The resulting JSON file records the project's dependencies and their metadata, such as versions and licenses, in the industry-standard SPDX format. That file can then be fed into security and compliance workflows and tools, or reviewed in Microsoft Excel (use a JSON-to-CSV converter for compatibility with Google Sheets).
While this new self-service capability makes it easy to generate SBOMs on demand, developers can also make SBOM generation a regular step in their development workflow. First, if you already have an SBOM for your project, you can upload it to the dependency graph to receive Dependabot alerts for any dependencies with known vulnerabilities. Next, use GitHub's SBOM gh CLI extension to programmatically generate SBOMs from your repository's dependency graph, or use a third-party GitHub Action to generate SBOMs at build time. A REST API for generating an SBOM from your dependency graph is coming soon.
As part of GitHub's supply chain security solution, self-service SBOMs are free for all cloud repositories on GitHub.
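Whatever produces the SBOM (the Export SBOM button, the gh CLI extension, or an Action at build time), the artifact that reaches a security or compliance workflow is an SPDX 2.x JSON document. The following added example, which is not code from the post or from GitHub, shows what a consumer of that file typically does with it: load it, check the per-package fields that the NTIA minimum elements require (name, version, supplier, a unique identifier, plus document author and timestamp), flag packages whose concluded license is on a deny list, trace a flagged transitive dependency back to the package that pulls it in via the DEPENDS_ON relationships, and flatten the package list to CSV for spreadsheet review. The embedded SBOM is a constructed sample shaped like an SPDX dependency-graph export, not a real export, and `DENIED_LICENSES` is a hypothetical policy.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample SPDX 2.3 JSON document, shaped like a dependency-graph
# export but trimmed to three packages. It is NOT a real GitHub export.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "com.github.example/app",
    "creationInfo": {
        "created": "2023-03-28T12:00:00Z",
        "creators": ["Tool: GitHub.com-Dependency-Graph"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "com.github.example/app",
         "versionInfo": "main", "supplier": "Organization: example",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:github/example/app@main"}]},
        {"SPDXID": "SPDXRef-npm-lodash-4.17.20", "name": "npm:lodash",
         "versionInfo": "4.17.20", "supplier": "NOASSERTION",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        # Deliberately incomplete entry: no supplier and no purl.
        {"SPDXID": "SPDXRef-pip-somelib-1.2.0", "name": "pip:somelib",
         "versionInfo": "1.2.0", "licenseConcluded": "GPL-3.0-only",
         "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-lodash-4.17.20"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-pip-somelib-1.2.0"},
    ],
})

# Hypothetical license policy: SPDX license identifiers the organization
# will not ship. Replace with your own list.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def load_sbom(text):
    """Parse the JSON and refuse anything that is not SPDX 2.x."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc


def _purls(pkg):
    return [r["referenceLocator"] for r in pkg.get("externalRefs", [])
            if r.get("referenceType") == "purl"]


def ntia_gaps(doc):
    """Return (SPDXID, missing field) pairs for the NTIA minimum elements an
    SPDX document carries: author and timestamp at document level; name,
    version, supplier and a unique identifier (here, a purl) per package.
    A supplier of NOASSERTION is treated as missing."""
    gaps = []
    info = doc.get("creationInfo", {})
    if not info.get("created"):
        gaps.append(("DOCUMENT", "creationInfo.created"))
    if not info.get("creators"):
        gaps.append(("DOCUMENT", "creationInfo.creators"))
    for pkg in doc.get("packages", []):
        sid = pkg.get("SPDXID", "?")
        if not pkg.get("name"):
            gaps.append((sid, "name"))
        if not pkg.get("versionInfo"):
            gaps.append((sid, "versionInfo"))
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            gaps.append((sid, "supplier"))
        if not _purls(pkg):
            gaps.append((sid, "externalRefs[purl]"))
    return gaps


def license_violations(doc):
    """Names of packages whose concluded license is on the deny list."""
    return sorted(p["name"] for p in doc.get("packages", [])
                  if p.get("licenseConcluded") in DENIED_LICENSES)


def dependents_of(doc, spdx_id):
    """Walk DEPENDS_ON relationships upward so a finding on a transitive
    dependency can be traced to every package that (directly or
    indirectly) pulls it in."""
    parents = defaultdict(list)
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            parents[rel["relatedSpdxElement"]].append(rel["spdxElementId"])
    seen, stack, out = set(), [spdx_id], []
    while stack:
        for parent in parents.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                out.append(parent)
                stack.append(parent)
    return out


def to_csv(doc):
    """Flatten the package list to CSV (name, version, license, purl) for
    review in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "version", "license", "purl"])
    for pkg in doc.get("packages", []):
        purl = _purls(pkg)[0] if _purls(pkg) else ""
        writer.writerow([pkg.get("name", ""), pkg.get("versionInfo", ""),
                         pkg.get("licenseConcluded", "NOASSERTION"), purl])
    return buf.getvalue()


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("NTIA gaps:", ntia_gaps(sbom))
    print("License violations:", license_violations(sbom))
    print("Pulled in by:", dependents_of(sbom, "SPDXRef-pip-somelib-1.2.0"))
    print(to_csv(sbom))
```

To run this against a real export, replace `SAMPLE_SBOM` with the contents of the downloaded file. The NTIA check is intentionally strict about `NOASSERTION` suppliers: a compliance reviewer usually wants those surfaced rather than silently accepted, and the dependency walk tells them which direct dependency to chase.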
What's changing?
To generate an SBOM, simply click the new Export SBOM button on a repository’s dependency graph:
This creates a machine-readable JSON file in the SPDX format.