Dependency Graph

Download Spec

Endpoints to access Dependency Graph features.

Get a diff of the dependencies between commits

get /repos/{owner}/{repo}/dependency-graph/compare/{basehead}

Gets the diff of the dependency changes between two commits of a repository, based on the changes to the dependency manifests made in those commits.

name

string

The full path, relative to the repository root, of the dependency manifest file.

Response

ExamplesSchema

Response

[
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "helmet",
    "version": "4.6.0",
    "package_url": "pkg:npm/helmet@4.6.0",
    "license": "MIT",
    "source_repository_url": "https://github.com/helmetjs/helmet",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "helmet",
    "version": "5.0.0",
    "package_url": "pkg:npm/helmet@5.0.0",
    "license": "MIT",
    "source_repository_url": "https://github.com/helmetjs/helmet",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "Gemfile",
    "ecosystem": "rubygems",
    "name": "ruby-openid",
    "version": "2.7.0",
    "package_url": "pkg:gem/ruby-openid@2.7.0",
    "license": null,
    "source_repository_url": "https://github.com/openid/ruby-openid",
    "vulnerabilities": [
      {
        "severity": "critical",
        "advisory_ghsa_id": "GHSA-fqfj-cmh6-hj49",
        "advisory_summary": "Ruby OpenID",
        "advisory_url": "https://github.com/advisories/GHSA-fqfj-cmh6-hj49"
      }
    ]
  }
]

Export a software bill of materials (SBOM) for a repository.

get /repos/{owner}/{repo}/dependency-graph/sbom

Exports the software bill of materials (SBOM) for a repository in SPDX JSON format.

owner

string

required

The account owner of the repository. The name is not case sensitive.

repo

string

required

The name of the repository. The name is not case sensitive.

Response

ExamplesSchema

Response

{
  "sbom": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
      "created": "2021-09-01T00:00:00Z",
      "creators": [
        "Tool: GitHub.com-Dependency-Graph"
      ]
    },
    "name": "github/example",
    "dataLicense": "CC0-1.0",
    "documentDescribes": [
      "github/example"
    ],
    "documentNamespace": "https://github.com/github/example/dependency_graph/sbom-abcdef123456",
    "packages": [
      {
        "SPDXID": "SPDXRef-Package",
        "name": "rubygems:rails",
        "versionInfo": "1.0.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": false,
        "licenseConcluded": "NOASSERTION",
        "licenseDeclared": "NOASSERTION"
      }
    ]
  }
}

Create a snapshot of dependencies for a repository

post /repos/{owner}/{repo}/dependency-graph/snapshots

Create a new snapshot of a repository's dependencies. You must authenticate using an access token with the repo scope to use this endpoint for a repository that the requesting user has access to.

version

int

required

The version of the repository snapshot submission.

job

object (job)

required

sha

string

required

The commit SHA associated with this dependency snapshot. Maximum length: 40 characters.

Min Length
40
Max Length
40
Example
"ddc951f4b1293222421f2c8df679786153acf689"

ref

string

^refs/

required

The repository branch that triggered this snapshot.

Example
"refs/heads/main"

detector

object (detector)

required

A description of the detector used.

metadata

object (metadata)

User-defined metadata to store domain-specific information limited to 8 keys with scalar values.

manifests

object (manifests)

A collection of package manifests, which are a collection of related dependencies declared in a file or representing a logical group of dependencies.

scanned

string

date-time

required

The time at which the snapshot was scanned.

Example
"2020-06-13T14:52:50-05:00"

Response

ExamplesSchema

Response

{
  "id": 12345,
  "created_at": "2018-05-04T01:14:52Z",
  "message": "Dependency results for the repo have been successfully updated.",
  "result": "SUCCESS"
}

Was this page helpful?