GitHub SBOMs

July 02, 2023


In the ever-evolving landscape of software development, ensuring transparency and accountability are crucial factors for maintaining security and managing risks. The concept of Software Bill of Materials (SBOM) has gained prominence as a means to achieve these goals. Recently, GitHub introduced an Export SBOM function that enables anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click.

The Export SBOM function in GitHub simplifies the process of generating a Software Bill of Materials, which is a comprehensive list of all software components used in a particular project. It provides a clear and concise view of the project's dependencies, including third-party libraries, frameworks, and open-source components. The SBOM helps in understanding and managing potential vulnerabilities, licensing issues, and maintaining the integrity of the software supply chain.

The Export SBOM function plays a crucial role in enhancing software security and risk management. By generating an SBOM, developers gain visibility into the underlying components of their projects, including potential vulnerabilities associated with them. This enables proactive identification and mitigation of security risks, as known vulnerabilities can be addressed promptly. Furthermore, the SBOM helps organizations assess the impact of security patches and prioritize updates efficiently.

The Export SBOM function significantly streamlines the software supply chain. It simplifies the process of sharing information about dependencies between project owners, distributors, and consumers. With an SBOM readily available, organizations can easily assess the risks associated with incorporating specific components into their projects. This knowledge empowers them to make informed decisions, minimize vulnerabilities, and maintain a resilient software supply chain.

We will use 3 different methods as example:

using UI

rest api via curl

gh sbom cli extension

Today we will review it in example of simple react app. I have a repo with a simple code in it. We would need to pay attention to package.json file as all the dependensies are stored there: packagejson Please note that we would need at least read access to the repository we would use in order to generate SBOM function

To export SBOM function using UI we would need:

  • Click on 'Insights'
  • Then open 'Dependency Graph'
  • here you will find dependencies of your project and you will see 'Export SBOM'


  • after clicking it will be automatically downloaded in json format. Here is how it looks like:


Using rest api via curl:

  • We would need a personal access token

    1. Go to the GitHub website and log in to your account.

    2. Click on your profile picture in the top-right corner of the page, and then select "Settings" from the dropdown menu.

    3. In the left sidebar, click on "Developer settings."

    4. In the submenu, click on "Personal access tokens."

    5. Click on the "Generate new token" button.

    6. Provide a suitable note for your token to help you identify its purpose. I will use "sbom-test"

    7. Under "Select scopes," you can choose the desired permissions for your token. In our case, we'll need at least the "repo" scope. token-naming

    8. After selecting the required scopes, click on the "Generate token" button at the bottom of the page.

    9. GitHub will generate your personal access token. Copy the token value. token-value

  • When your token is ready to use we can open our terminal and use the following command:

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \

Here is example output: output

Using gh sbom cli extension

This method would be usefull if we have project directory locally on our pc. In order to use this method we would need to meet following requirements:

  1. Install gh CLI - here
  2. Install gh-sbomextension we would need:
    • Run gh auth login Fill in all the neccasary info. Please note if you will use token authorisation as i do you will need to select admin:org and admin:public_key scope as well while creating a token: ghtokenscopes ghauth
    • Run gh ext install advanced-security/gh-sbom
  3. Change to your local project directory and run - git init
  4. Then you can generate your SBOM - gh sbom | jq


Please note if you have output that command jq not found - you would need to install it here