REST API endpoints for software bill of materials (SBOM)

If you have at least read access to the repository, you can export the dependency graph for the repository as an SPDX-compatible, Software Bill of Materials (SBOM), via the GitHub UI or GitHub REST API. For more information, see Exporting a software bill of materials for your repository.

This article gives details about the REST API endpoint.

Export a software bill of materials (SBOM) for a repository.

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

Fine-grained access tokens for "Export a software bill of materials (SBOM) for a repository."

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Contents" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Export a software bill of materials (SBOM) for a repository."

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

HTTP response status codes for "Export a software bill of materials (SBOM) for a repository."

Status code	Description
`200`	OK
`403`	Forbidden
`404`	Resource not found

Code samples for "Export a software bill of materials (SBOM) for a repository."

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/dependency-graph/sbom

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom

Response

Status: 200

{
  "sbom": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
      "created": "2021-09-01T00:00:00Z",
      "creators": [
        "Tool: GitHub.com-Dependency-Graph"
      ]
    },
    "name": "github/example",
    "dataLicense": "CC0-1.0",
    "documentNamespace": "https://spdx.org/spdxdocs/protobom/15e41dd2-f961-4f4d-b8dc-f8f57ad70d57",
    "packages": [
      {
        "name": "rails",
        "SPDXID": "SPDXRef-Package",
        "versionInfo": "1.0.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": false,
        "licenseConcluded": "MIT",
        "licenseDeclared": "MIT",
        "copyrightText": "Copyright (c) 1985 GitHub.com",
        "externalRefs": [
          {
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:gem/[email protected]"
          }
        ]
      },
      {
        "name": "github/example",
        "SPDXID": "SPDXRef-Repository",
        "versionInfo": "main",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": false,
        "externalRefs": [
          {
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:github/example@main"
          }
        ]
      }
    ],
    "relationships": [
      {
        "relationshipType": "DEPENDS_ON",
        "spdxElementId": "SPDXRef-Repository",
        "relatedSpdxElement": "SPDXRef-Package"
      },
      {
        "relationshipType": "DESCRIBES",
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-Repository"
      }
    ]
  }
}

Fetch a software bill of materials (SBOM) for a repository.

Fetches a previously generated software bill of materials (SBOM) for a repository. When the SBOM is ready, the response is a 302 redirect to a temporary download URL for the SBOM in SPDX JSON format. The generated SBOM report may be retained for up to one week from the original request. The temporary download URL returned by this endpoint expires separately, and its expiry is set when the fetch request is made.

Fine-grained access tokens for "Fetch a software bill of materials (SBOM) for a repository."

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Contents" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Fetch a software bill of materials (SBOM) for a repository."

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.
`sbom_uuid` string Required The unique identifier of the SBOM export.

HTTP response status codes for "Fetch a software bill of materials (SBOM) for a repository."

Status code	Description
`202`	SBOM is still being processed, no content is returned.
`302`	Redirects to a temporary download URL for the completed SBOM.
`403`	Forbidden
`404`	Resource not found

Code samples for "Fetch a software bill of materials (SBOM) for a repository."

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom_uuid}

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/fetch-report/SBOM_UUID

SBOM is still being processed, no content is returned.

Status: 202

Request generation of a software bill of materials (SBOM) for a repository.

Triggers a job to generate a software bill of materials (SBOM) for a repository in SPDX JSON format.

Fine-grained access tokens for "Request generation of a software bill of materials (SBOM) for a repository."

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Contents" repository permissions (read)

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Parameters for "Request generation of a software bill of materials (SBOM) for a repository."

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`owner` string Required The account owner of the repository. The name is not case sensitive.
`repo` string Required The name of the repository without the `.git` extension. The name is not case sensitive.

HTTP response status codes for "Request generation of a software bill of materials (SBOM) for a repository."

Status code	Description
`201`	Created
`403`	Forbidden
`404`	Resource not found

Code samples for "Request generation of a software bill of materials (SBOM) for a repository."

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/repos/{owner}/{repo}/dependency-graph/sbom/generate-report

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/sbom/generate-report

Response

Status: 201

{
  "sbom_url": "https://api.github.com/repos/github/example/dependency-graph/sbom/fetch-report/4bab1a7e-da63-4828-9488-44e0e01a7c1b"
}