
Understanding your end-to-end software supply chain

Nicholas Liffen // Director, GitHub Advanced Security // GitHub

Having a comprehensive understanding of your software supply chain is critical to understanding your security posture and threat surface. One reason supply chain security is so complicated is that you have to know and secure not only your direct dependencies but also your transitive dependencies: your dependencies’ dependencies, the dependencies of those dependencies, and so on. Some programming platforms, such as Ruby and Node.js, use lock files that specify transitive dependencies. But not every platform does.

In this guide, we’ll use GitHub Actions with the GitHub Dependency Submission API to build a map of transitive dependencies and feed it to dependency graph, so that Dependabot can scan and alert on all of your dependencies. Then we'll show how to generate a software bill of materials (SBOM) so you can report on all of your dependencies and share the state of your supply chain security with stakeholders in a consistent, repeatable format. We'll be joined again by GitHub principal field security specialist Keith Hoodlet for some insights.


In this guide, you will learn:

  • How to use GitHub Actions to create and upload a dependency snapshot with the GitHub Dependency Submission API

  • How to view the results with dependency graph

  • How to automatically export a software bill of materials (SBOM) with GitHub Actions


1. Check your current dependency graph.

Select the Insights tab on the Web Goat repository, then select Dependency Graph from the sidebar. We should have four pages of dependencies listed for Web Goat at this point. 

2. Use GitHub Actions to create and upload a dependency snapshot.

You can generate dependency maps manually, but we’re going to do it automatically with GitHub Actions.

For optimal security, you need to keep your dependency graph as up-to-date as possible. That means you should update early and often. You don't want to be waiting on a build to determine if you have a critical vulnerability. Automation is the best way to ensure you’re staying up-to-date.

Keith Hoodlet // Principal Field Security Specialist, CodeQL // GitHub

On your Web Goat repository, select the Actions tab.

Select New workflow. Name it upload-dependencies-of-dependencies.yml.

Paste the following workflow into the upload-dependencies-of-dependencies.yml file:

name: "Dependency Submission API Upload"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '26 18 * * 1'

# The Dependency Submission API needs write access to repository contents;
# grant only that to the workflow token.
permissions:
  contents: write

jobs:
  depSubmissionAPIUpload:
    name: Analyze
    runs-on: 'ubuntu-latest'
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    # Runs Maven to resolve the full dependency tree and uploads it as a snapshot
    - name: Submit Dependency Snapshot
      uses: advanced-security/maven-dependency-submission-action@v3

This workflow uses maven-dependency-submission-action, an action published by GitHub, which runs Maven to capture a snapshot of all of your dependencies, including transitive dependencies, and uploads that snapshot to GitHub through the Dependency Submission API.

You can find similar actions for other build systems and platforms, such as Go, Gradle, Mill, and Scala.
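To make concrete what such an action uploads, here is an added example (not the action's own code) that builds a snapshot in the Dependency Submission API's payload format from a constructed Maven-style edge list and posts it to the API; the edge list, the detector name and the example.invalid URL are assumptions.

```python
"""Build a Dependency Submission API snapshot from a flattened dependency tree.
Added example, not the maven-dependency-submission-action's own code; the edge
list is constructed. parent None marks a direct dependency of the project."""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed Maven-style tree: project -> app-core -> jackson-databind -> jackson-core; project -> slf4j-api.
EDGES = [
    (None, "pkg:maven/org.example/app-core@1.2.0"),
    ("pkg:maven/org.example/app-core@1.2.0", "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"),
    ("pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2", "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2"),
    (None, "pkg:maven/org.slf4j/slf4j-api@2.0.7"),
]

def build_snapshot(edges, sha, ref, manifest="pom.xml", correlator="dependency-submission-example"):
    """Return the snapshot payload the API expects: one entry per purl under
    `resolved`, `direct` for top-level packages and `indirect` for the rest,
    with `dependencies` recording the child purls so the graph keeps the tree."""
    resolved = {}
    def node(purl):  # create-or-fetch the resolved entry for a purl
        return resolved.setdefault(purl, {"package_url": purl, "relationship": "indirect",
                                          "scope": "runtime", "dependencies": []})
    for parent, child in edges:
        if parent is None:
            node(child)["relationship"] = "direct"
        else:
            node(parent)["dependencies"].append(child)
            node(child)
    return {
        "version": 0, "sha": sha, "ref": ref,
        # correlator stays constant across runs so later snapshots replace earlier ones
        "job": {"id": "1", "correlator": correlator},
        "detector": {"name": "example-detector", "version": "0.1.0",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest: {"name": manifest, "file": {"source_location": manifest},
                                 "resolved": resolved}},
    }

def submit_snapshot(snapshot, owner, repo, token):
    """POST the snapshot; the token needs `contents: write` on the repository."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependency-snapshots",
        data=json.dumps(snapshot).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json", "X-GitHub-Api-Version": "2022-11-28"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

In a workflow, `sha` and `ref` would come from `${{ github.sha }}` and `${{ github.ref }}` and the token from `${{ github.token }}`.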

3. Review the results.

Once again, select the Insights tab on the Web Goat repository, then select Dependency Graph from the sidebar.

We should now have around 16 pages of dependencies, giving you new visibility into these dependencies and their security posture.

Generate an SBOM

The idea of a software bill of materials (SBOM) has become increasingly important with the rise of supply chain security concerns, and with recommendations and requirements from regulators and government agencies around the world aimed at bringing more transparency to the software supply chain. An SBOM lets you share a snapshot of your software supply chain and its security posture in an exportable, standard format. Fortunately, the dependency graph that GitHub builds for each of your repositories is an SBOM, and it can be exported in the industry standard SPDX format.

1. Quick and easy export.

Select the Insights tab on the Web Goat repository, then select Dependency Graph from the sidebar.

Select the Export SBOM button.

That’s it!

Dependency Graph settings with Export SBOM button highlighted

2. Automating SBOM exports and uploads with GitHub Actions.

Now let’s automate this process, as we did with the transitive dependency submissions above.

On your Web Goat repository, select the Actions tab.

Select New workflow. Name it SBOM.yml, then paste the following workflow into it:

name: SBOM Generator

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

# Reading the dependency graph SBOM only needs read access; keep the token read-only
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Generate the SPDX JSON SBOM from the repository's dependency graph
      - uses: advanced-security/sbom-generator-action@v0.0.1
        id: sbom
        env:
          GITHUB_TOKEN: ${{ github.token }}
      # Publish the generated file as a workflow artifact named "SBOM"
      - uses: actions/upload-artifact@v3.1.0
        with:
          path: ${{ steps.sbom.outputs.fileName }}
          name: "SBOM"

This will use a first-party action created by GitHub, sbom-generator-action, to generate your SBOM JSON file and upload it as an artifact whenever you push a change to the main branch of your repository, ensuring you have an always up-to-date SBOM on hand.
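The exported SBOM, whether downloaded with the Export SBOM button or produced by the workflow above, is SPDX JSON. The following added example (not GitHub's or the action's code) parses a constructed SBOM in that shape, counts packages per ecosystem and flags packages with no pinned version, which advisory matching cannot use; the package names, IDs and versions in the sample are made up.

```python
"""Inspect an SPDX 2.3 JSON SBOM in the shape GitHub's dependency graph
exports (`{"sbom": {...}}`). Added example, not GitHub's or the
sbom-generator-action's code. SAMPLE_SBOM below is constructed sample data."""
import json
from collections import Counter

SAMPLE_SBOM = json.dumps({"sbom": {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example/webgoat",
    "packages": [
        {"name": "com.example/webgoat", "SPDXID": "SPDXRef-repo", "versionInfo": "main"},
        {"name": "maven:org.slf4j:slf4j-api", "SPDXID": "SPDXRef-maven-slf4j",
         "versionInfo": "2.0.7", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl", "referenceLocator": "pkg:maven/org.slf4j/slf4j-api@2.0.7"}]},
        {"name": "npm:lodash", "SPDXID": "SPDXRef-npm-lodash", "versionInfo": "",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
          "referenceLocator": "pkg:npm/lodash"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-maven-slf4j"},
        {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-npm-lodash"},
    ]}})

def purl_of(pkg):
    """Return the package's purl from externalRefs, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None

def summarize(sbom_json):
    """Count packages per ecosystem (the purl type) and list the ones that
    cannot be matched against advisories because no version is pinned."""
    doc = json.loads(sbom_json)["sbom"]
    by_ecosystem, unversioned = Counter(), []
    for pkg in doc["packages"]:
        purl = purl_of(pkg)
        if purl is None:
            continue  # no purl (here: the root package for the repository itself)
        by_ecosystem[purl.split(":", 1)[1].split("/", 1)[0]] += 1  # "pkg:maven/..." -> "maven"
        if "@" not in purl or not pkg.get("versionInfo"):
            unversioned.append(purl)
    edges = sum(1 for r in doc["relationships"] if r["relationshipType"] == "DEPENDS_ON")
    return {"spdx_version": doc["spdxVersion"], "by_ecosystem": dict(by_ecosystem),
            "depends_on_edges": edges, "unversioned": unversioned}
```

Point `summarize` at the JSON downloaded from the Export SBOM button, or at the artifact the workflow uploads, to get the same summary for a real repository.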

Up next: Advanced module on GitHub Advanced Security wrap-up

Now let’s review what we’ve learned so far and take a look at what else we can do with GitHub Advanced Security.