Github Provides Self-Service SBOMs
Written by Nikos Vaggalis   
Monday, 03 April 2023

In another attempt to secure the precious software supply chain, GitHub has released a new Export SBOM function that generates an NTIA-compliant software bill of materials (SBOM) on demand.

The supply chain security aspect aside, this feature will also make it easier for software providers to comply with the US Executive Order 14028 on improving the nation’s cybersecurity, which introduced the requirement to provide SBOMs.

Now with a single click anyone with read-access to a GitHub cloud repository can generate an NTIA-compliant SBOM in SPDX format.

That is one half of the equation, and generating SBOMs is not really that difficult any more; the other half is what to do with them afterwards.

An SBOM in a standardized format can be used as input to a variety of tools, as we discovered in Track Open Source Vulnerabilities With Google's OSV Database, a service by the Google Security team.

Google Security checked SBOMs against the OSV database to find vulnerabilities in open source software: the components listed in the SBOM were mapped onto a list of known vulnerabilities to determine which of them could pose a threat.

The advantage of connecting these two sources of information was that consumers were able to know not just what’s in their software but also its risks and whether they need to remediate any issues.

GitHub enables similar functionality by letting you upload your SBOMs to the Dependency Graph service, which will then scan your dependencies for known vulnerabilities and raise Dependabot alerts if any are present.

With that said, you can generate your SBOMs using the new Export SBOM button found in the repository’s Dependency graph menu. Or, if you don't like GUIs, you can do the same from the command line using the SBOM gh CLI extension.
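To illustrate the "what do I do with it afterwards" half of the equation, here is an added example (not code from the article, from GitHub or from Google) that takes an SPDX JSON export of the kind described above, pulls out each dependency's package URL (purl) and builds the request body for the OSV querybatch endpoint, so that the components listed in the SBOM can be matched against known vulnerabilities. The embedded SBOM is a constructed sample: its package names, versions and purls are made up, and the `{"sbom": ...}` envelope it is wrapped in is the shape the GitHub REST API returns for an SBOM export (the gh extension and the button deliver the bare SPDX document, which the loader also accepts).

```python
"""Parse an SPDX JSON SBOM (as exported by GitHub) and prepare OSV queries."""
import json
from typing import Any

# Constructed sample: a minimal SPDX 2.3 document in the shape of a GitHub export,
# wrapped in the {"sbom": ...} envelope the REST API uses. Package names,
# versions and purls are made up for illustration; the first package is the
# repository itself, which carries no purl.
SAMPLE_EXPORT = json.dumps({
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "com.github.example-org/example-app",
        "packages": [
            {
                "SPDXID": "SPDXRef-com.github.example-org-example-app",
                "name": "com.github.example-org/example-app",
                "versionInfo": "",
                "externalRefs": [],
            },
            {
                "SPDXID": "SPDXRef-npm-lodash-4.17.20",
                "name": "npm:lodash",
                "versionInfo": "4.17.20",
                "externalRefs": [
                    {"referenceCategory": "PACKAGE-MANAGER",
                     "referenceType": "purl",
                     "referenceLocator": "pkg:npm/lodash@4.17.20"}
                ],
            },
            {
                "SPDXID": "SPDXRef-pip-requests-2.25.1",
                "name": "pip:requests",
                "versionInfo": "2.25.1",
                "externalRefs": [
                    {"referenceCategory": "PACKAGE-MANAGER",
                     "referenceType": "purl",
                     "referenceLocator": "pkg:pypi/requests@2.25.1"}
                ],
            },
        ],
    }
})


def load_spdx(text: str) -> dict[str, Any]:
    """Return the SPDX document, unwrapping the {"sbom": ...} envelope if present."""
    doc = json.loads(text)
    doc = doc.get("sbom", doc)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX JSON document")
    return doc


def extract_purls(doc: dict[str, Any]) -> list[str]:
    """Collect package URLs (purls) from each package's externalRefs.

    Packages without a purl (for example the repository itself) are skipped,
    since OSV matches advisories on a purl or an ecosystem/name pair.
    """
    purls: list[str] = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls.append(ref["referenceLocator"])
    return purls


def osv_querybatch(purls: list[str]) -> dict[str, Any]:
    """Build the JSON body for OSV's POST /v1/querybatch endpoint."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def main() -> None:
    doc = load_spdx(SAMPLE_EXPORT)
    purls = extract_purls(doc)
    print(f"{len(purls)} packages with purls:")
    for p in purls:
        print("  ", p)
    # This body would be POSTed to https://api.osv.dev/v1/querybatch; the
    # response lists, per query, the advisories affecting that package version.
    print(json.dumps(osv_querybatch(purls), indent=2))


if __name__ == "__main__":
    main()
```

Run it as-is to see the queries built from the sample; to use a real export, replace `SAMPLE_EXPORT` with the contents of the file the Export SBOM button or the gh extension produced. Note that components without a purl never reach OSV, so a dependency that GitHub could not resolve to an ecosystem package also silently drops out of the vulnerability check.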

But GitHub has not stopped at the export functionality. It has also introduced a GitHub Action that bakes SBOM generation into the repository's CI deliverables.

These functionalities are free in all GitHub cloud repositories, as part of GitHub's contribution to the initiative of strengthening the software supply chain.

It is reassuring to watch the big players starting to take the issue more seriously, as the latest SLSA survey has revealed, and GitHub is certainly taking a step in the right direction.


More Information

Introducing self-service SBOMs


Using the Dependency submission API

Related Articles

Track Open Source Vulnerabilities With Google's OSV Database

Sigstore Java - Sign And Verify Your Java Builds

Surveying Software Supply Chain Security

jbom - Dependency Analysis For Java Apps









Last Updated ( Monday, 03 April 2023 )