Github Provides Self-Service SBOMs
Written by Nikos Vaggalis   
Monday, 03 April 2023

In another attempt to secure the precious software supply chain, GitHub has released a new Export SBOM functionality which generates an NTIA-compliant software bills of materials (SBOMs) on demand.

The supply chain security aspect aside, this feature will also make it easier for software providers to comply with the US Executive Order 14028 on improving the nation’s cybersecurity, which introduced the requirements of providing SBOMs.

Now with a single click anyone with read-access to a GitHub cloud repository can generate an NTIA-compliant SBOM in SPDX format.

That is one part of the equation as generating SBOMs is not really that difficult any more; the other part is what do I do with it afterwards?

A SBOM in standardized formats can be used as input in a variety of tools, as we discovered in Track Open Source Vulnerabilities With Google's OSV Database, a service by the Google Security team.

Google Security used SBOMs against the OSV database to find vulnerabilities in open source software which were then mapped onto a list of known vulnerabilities to know which components could pose a threat.

The advantage of connecting these two sources of information was that consumers were able to know not just what’s in their software but also its risks and whether they need to remediate any issues.

Github too enables a similar functionality by letting you upload your SBOMs on to the Dependency Graph service, which will then scan your dependencies for known vulnerabilities and receive Dependabot alerts if any are present.

With that said, you can generate your SBOMs using the new Export SBOM button found on the repository’s Dependency graph menu. Or, if you don't like GUIs, you can also do the same from the command line by using the SBOM gh CLI extension.

But Github has not finished with just the exporting functionality. It has also introduced a GitHub Action which bakes the SBOM generating process into the repository's CI deliverables.

These functionalities are free in all of the GitHub cloud repositories as part of GitHub's contribution to the initiative of strengthening the software supply chain.

It is reassuring to watch the big players starting to take the issue more seriously, as the latest SLSA survey has revealed, and GitHub is certainly taking a step in the right direction.


More Information

Introducing self-service SBOMs


Using the Dependency submission API

Related Articles

Track Open Source Vulnerabilities With Google's OSV Database

Sigstore Java - Sign And Verify Your Java Builds

Surveying Software Supply Chain Security

jbom - Dependency Analysis For Java Apps


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Quadrupedal Parkour

What is it with robots and parkour? First Atlas and now ANYmal want to impress us with their prowess. For the roboticist, however, emulating the skills of free running can enhance the capabilities of  [ ... ]

Android 15 Developer Preview Updated

Google has released Android 15 Developer Preview 2 with changes including better handling of automatic language switching and updates for OpenJDK 17.

More News

raspberry pi books



or email your comment to:

Last Updated ( Monday, 03 April 2023 )