{"id":13692111,"url":"https://github.com/advanced-security/gh-sbom","last_synced_at":"2025-04-10T03:57:29.520Z","repository":{"id":132242324,"uuid":"603185332","full_name":"advanced-security/gh-sbom","owner":"advanced-security","description":"Generate SBOMs with gh CLI","archived":false,"fork":false,"pushed_at":"2024-09-20T17:27:36.000Z","size":39,"stargazers_count":179,"open_issues_count":13,"forks_count":13,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-10T03:57:24.936Z","etag":null,"topics":["gh-extension"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-17T19:52:36.000Z","updated_at":"2025-03-30T18:05:38.000Z","dependencies_parsed_at":"2024-01-14T04:42:58.215Z","dependency_job_id":"e5d4c1be-6d4c-4375-957e-2c862b80e606","html_url":"https://github.com/advanced-security/gh-sbom","commit_stats":null,"previous_names":["steiza/gh-sbom"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fgh-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fgh-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fgh-sbom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fgh-sbom/mani
fests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/gh-sbom/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248154996,"owners_count":21056542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gh-extension"],"created_at":"2024-08-02T17:00:53.826Z","updated_at":"2025-04-10T03:57:29.483Z","avatar_url":"https://github.com/advanced-security.png","language":"Go","funding_links":[],"categories":["Go","Dependency intelligence","SBOM","⭐ Most Starred","gh-extension","Security/Admin"],"sub_categories":["SCA and SBOM"],"readme":"# gh-sbom\n\nThis is a `gh` CLI extension that outputs JSON SBOMs (in SPDX or CycloneDX format) for your GitHub repository using information from [Dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).\n\nSPDX output uses the [Dependency Graph SBOM API](https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28), which quickly generates the SBOM server-side, and as such is faster, works for large repositories, and always includes license information.\n\nCycloneDX output is generated by assembling the dependency information from the Dependency Graph GraphQL API, and license information (if you specify `-l`) from [ClearlyDefined](https://clearlydefined.io/)'s API. 
As such, CycloneDX output is slower, and may not work for large repositories.\n\nHere's an example of generating a SPDX SBOM:\n```\n$ gh sbom | jq\n{\n  \"SPDXID\": \"SPDXRef-DOCUMENT\",\n  \"creationInfo\": {\n    \"created\": \"2023-04-12T18:41:40Z\",\n    \"creators\": [\n      \"Tool: GitHub.com-Dependency-Graph\"\n    ]\n  },\n  \"dataLicense\": \"CC0-1.0\",\n  \"documentDescribes\": [\n    \"com.github.advanced-security/gh-sbom\"\n  ],\n  \"documentNamespace\": \"https://github.com/advanced-security/gh-sbom/dependency_graph/sbom-fa3abb267af77b5d\",\n  \"name\": \"com.github.advanced-security/gh-sbom\",\n  \"packages\": [\n    {\n      \"SPDXID\": \"SPDXRef-go-github.com/cli/go-gh-1.1.0\",\n      \"downloadLocation\": \"NOASSERTION\",\n      \"externalRefs\": [\n        {\n          \"referenceCategory\": \"PACKAGE-MANAGER\",\n          \"referenceLocator\": \"pkg:golang/github.com/cli/go-gh@1.1.0\",\n          \"referenceType\": \"purl\"\n        }\n      ],\n...\n```\n\nOr for CycloneDX use `-c`:\n```\n$ gh sbom -c -l | jq\n{\n  \"bomFormat\": \"CycloneDX\",\n  \"specVersion\": \"1.4\",\n  \"version\": 1,\n  \"metadata\": {\n    \"timestamp\": \"2023-03-10T21:14:23Z\",\n    \"tools\": [\n      {\n        \"vendor\": \"advanced-security\",\n        \"name\": \"gh-sbom\",\n        \"version\": \"0.0.9\"\n      }\n    ],\n    \"licenses\": [\n      {\n        \"expression\": \"CC0-1.0\"\n      }\n    ]\n  },\n  \"components\": [\n    {\n      \"type\": \"library\",\n      \"group\": \"github.com/cli\",\n      \"name\": \"go-gh\",\n      \"version\": \"1.2.1\",\n      \"purl\": \"pkg:golang/github.com/cli/go-gh@1.2.1\"\n    },\n    ...\n```\n\n## Background\n\nThere is not another planned release, but bug reports are welcome via issues and questions are welcome via discussion.\n\n## Requirements\n\nThis is an extension to the `gh` CLI. 
See [gh CLI installation](https://github.com/cli/cli#installation) if you haven't installed `gh` yet.\n\nOnce `gh` is installed, you can install this extension with:\n```\n$ gh ext install advanced-security/gh-sbom\n```\n\nIf you want to upgrade to the latest version you can remove and reinstall the extension:\n```\n$ gh ext remove advanced-security/gh-sbom\n$ gh ext install advanced-security/gh-sbom\n```\n\nFinally, if you are planning to run this on a GHES instance, you will need to be on: `GHES 3.9` or higher.\n\n## License\n\nThis project is licensed under the terms of the MIT open source license. Please refer to [LICENSE.md](./LICENSE.md) for the full terms.\n\n## Support\n\nBug reports are welcome via issues and questions are welcome via discussion. Please refer to [SUPPORT.md](./SUPPORT.md) for details.\nThis project is provided as-is. See\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fgh-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Fgh-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fgh-sbom/lists"}