REST API 现已开始进行版本化。 有关详细信息,请参阅“关于 API 版本控制”。

适用于软件物料清单 (SBOM) 的 REST API 终结点

使用 REST API 导出存储库的软件材料清单 (SBOM)。

如果至少具有对存储库的读取访问权限,则可以通过 GitHub UI 或 GitHub REST API,将存储库的依赖项关系图导出为与 SPDX 兼容的软件物料清单 (SBOM)。 有关详细信息,请参阅“导出存储库的软件物料清单”。

本文提供有关 REST API 终结点的详细信息。

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

“Export a software bill of materials (SBOM) for a repository.”的细粒度访问令牌

此端点支持以下精细令牌类型:

细粒度令牌必须具有以下权限集:

  • "Contents" repository permissions (read)

如果仅请求公共资源,则无需身份验证或上述权限即可使用此终结点。

“”Export a software bill of materials (SBOM) for a repository. 的参数

标头
accept string

Setting to application/vnd.github+json is recommended.

路径参数
owner string 必须

The account owner of the repository. The name is not case sensitive.

repo string 必须

The name of the repository without the .git extension. The name is not case sensitive.

“Export a software bill of materials (SBOM) for a repository.”的 HTTP 响应状态代码

状态代码说明
200

OK

403

Forbidden

404

Resource not found

“Export a software bill of materials (SBOM) for a repository.”的代码示例

请求示例

get/repos/{owner}/{repo}/dependency-graph/sbom
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200
{ "sbom": { "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2021-09-01T00:00:00Z", "creators": [ "Tool: GitHub.com-Dependency-Graph" ] }, "name": "github/example", "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57", "packages": [ { "name": "rails", "SPDXID": "SPDXRef-Package", "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT", "copyrightText": "Copyright (c) 1985 GitHub.com", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:gem/rails@1.0.0" } ] }, { "name": "github/example", "SPDXID": "SPDXRef-Repository", "versionInfo": "main", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:github/example@main" } ] } ], "relationships": [ { "relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-Repository", "relatedSpdxElement": "SPDXRef-Package" }, { "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Repository" } ] } }

Fetch a software bill of materials (SBOM) for a repository.

Fetches a previously generated software bill of materials (SBOM) for a repository. When the SBOM is ready, the response is a 302 redirect to a temporary download URL for the SBOM in SPDX JSON format. The generated SBOM report may be retained for up to one week from the original request. The temporary download URL returned by this endpoint expires separately, and its expiry is set when the fetch request is made.

“Fetch a software bill of materials (SBOM) for a repository.”的细粒度访问令牌

此端点支持以下精细令牌类型:

细粒度令牌必须具有以下权限集:

  • "Contents" repository permissions (read)

如果仅请求公共资源,则无需身份验证或上述权限即可使用此终结点。

“”Fetch a software bill of materials (SBOM) for a repository. 的参数

标头
accept string

Setting to application/vnd.github+json is recommended.

路径参数
owner string 必须

The account owner of the repository. The name is not case sensitive.

repo string 必须

The name of the repository without the .git extension. The name is not case sensitive.

sbom_uuid string 必须

The unique identifier of the SBOM export.

“Fetch a software bill of materials (SBOM) for a repository.”的 HTTP 响应状态代码

状态代码说明
202

SBOM is still being processed, no content is returned.

302

Redirects to a temporary download URL for the completed SBOM.

403

Forbidden

404

Resource not found

“Fetch a software bill of materials (SBOM) for a repository.”的代码示例

请求示例

get/repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom_uuid}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/fetch-report/SBOM_UUID

SBOM is still being processed, no content is returned.

Status: 202

Request generation of a software bill of materials (SBOM) for a repository.

Triggers a job to generate a software bill of materials (SBOM) for a repository in SPDX JSON format.

“Request generation of a software bill of materials (SBOM) for a repository.”的细粒度访问令牌

此端点支持以下精细令牌类型:

细粒度令牌必须具有以下权限集:

  • "Contents" repository permissions (read)

如果仅请求公共资源,则无需身份验证或上述权限即可使用此终结点。

“”Request generation of a software bill of materials (SBOM) for a repository. 的参数

标头
accept string

Setting to application/vnd.github+json is recommended.

路径参数
owner string 必须

The account owner of the repository. The name is not case sensitive.

repo string 必须

The name of the repository without the .git extension. The name is not case sensitive.

“Request generation of a software bill of materials (SBOM) for a repository.”的 HTTP 响应状态代码

状态代码说明
201

Created

403

Forbidden

404

Resource not found

“Request generation of a software bill of materials (SBOM) for a repository.”的代码示例

请求示例

get/repos/{owner}/{repo}/dependency-graph/sbom/generate-report
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/generate-report

Response

Status: 201
{ "sbom_url": "https://api.github.com/repos/github/example/dependency-graph/sbom/fetch-report/4bab1a7e-da63-4828-9488-44e0e01a7c1b" }