SBOM exports are now computed asynchronously
Source: GitHub Changelog
Software Bill of Materials (SBOM) exports from repository pages and new API endpoints are now asynchronous operations. Previously, navigating to a repository's dependency graph page and clicking the Export SBOM button, or requesting an SBOM from the /repos/{owner}/{repo}/dependency-graph/sbom REST API, was subject to a hard-coded ten-second timeout. This worked for most cases, but large repositories with complex dependency trees could often take longer than that to process. Moreover, repeated requests would each spawn an independent back-end worker, with no guarantee that any of them would complete.
Download SBOMs in your browser
A new web experience polls for job completion and eliminates timeouts. To use the new UI, navigate to a repository’s Insights tab, click Dependency Graph, then click Export SBOM. Once the file is ready, you can download it from that page.
API access to SBOMs
Two new endpoints work together to provide asynchronous access to SBOMs:
GET /repos/{owner}/{repo}/dependency-graph/sbom/generate-report
Returns a URL containing a unique identifier ({sbom-uuid}) indicating the service has started processing the request.
GET /repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom-uuid}
Returns a 201 status until the report is ready. When ready, it issues a 302 redirect to the actual SBOM contents.
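The two endpoints form one procedure: start the job, poll until the 201s stop, then follow the 302. The client below is an added example, not GitHub's own code, and it makes two assumptions the changelog does not state: that the generate-report response body contains the job's fetch-report URL (the uuid is pulled out of wherever that URL appears), and that the downloaded document is JSON. Two points matter in practice: the poll loop is bounded so a stuck job cannot hang the caller, and redirects are never followed automatically, so the bearer token is only sent to the redirect target if that target is still the API origin. The `FakeGitHub` transport is constructed for offline use and mirrors only the status codes the changelog describes; the job id, download host and SBOM document it returns are made up.

```python
# Added example (not GitHub's client): the two-step asynchronous SBOM export.
# Assumed, beyond the changelog: generate-report's body contains the job's
# fetch-report URL, and the final document is JSON.
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

API = "https://api.github.com"
UUID_RE = re.compile(r"/dependency-graph/sbom/fetch-report/([0-9a-fA-F-]{36})")

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes

# A transport fetches one URL and must NOT follow redirects: the 302 is part of
# the protocol, and export_sbom decides whether the token may travel with it.
Transport = Callable[[str, Dict[str, str]], Response]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it

def urllib_transport(url: str, headers: Dict[str, str]) -> Response:
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=30) as r:
            return Response(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return Response(e.code, dict(e.headers), e.read())

def _header(headers: Dict[str, str], name: str) -> str:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def extract_sbom_uuid(body: bytes) -> str:
    m = UUID_RE.search(body.decode("utf-8", "replace"))
    if not m:
        raise ValueError("generate-report response carries no fetch-report URL")
    return m.group(1)

def export_sbom(owner, repo, token, transport: Transport = urllib_transport,
                sleep=time.sleep, interval=2.0, max_polls=60) -> dict:
    auth = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28"}
    base = f"{API}/repos/{owner}/{repo}/dependency-graph/sbom"
    r = transport(f"{base}/generate-report", auth)
    if not 200 <= r.status < 300:
        raise RuntimeError(f"generate-report failed: HTTP {r.status}")
    poll_url = f"{base}/fetch-report/{extract_sbom_uuid(r.body)}"
    for _ in range(max_polls):  # bounded: a stuck job must not hang the caller
        r = transport(poll_url, auth)
        if r.status == 201:  # still generating
            sleep(interval)
            continue
        if r.status == 302:
            target = urllib.parse.urljoin(poll_url, _header(r.headers, "Location"))
            # Send the token only if the redirect stays on the API origin; a
            # storage host or anything else must not receive it.
            same_origin = urllib.parse.urlsplit(target)[:2] == urllib.parse.urlsplit(API)[:2]
            final = transport(target, auth if same_origin else {"Accept": "application/json"})
            if final.status != 200:
                raise RuntimeError(f"SBOM download failed: HTTP {final.status}")
            return json.loads(final.body)
        raise RuntimeError(f"unexpected HTTP {r.status} while polling {poll_url}")
    raise TimeoutError(f"SBOM job not ready after {max_polls} polls: {poll_url}")

class FakeGitHub:
    """Constructed stand-in reproducing only what the changelog states (201
    until ready, then 302); job id, download host and document are made up."""
    def __init__(self, not_ready_polls=2, download_host="objects.example.test"):
        self.uuid = "0f1c9c0e-3b7a-4d2e-9a61-5e4c2b7f8a10"
        self.not_ready_polls, self.polls, self.download_auth = not_ready_polls, 0, None
        self.download_url = f"https://{download_host}/sbom/{self.uuid}.json"

    def __call__(self, url, headers):
        if url.endswith("/sbom/generate-report"):
            fetch_url = url.rsplit("/", 1)[0] + "/fetch-report/" + self.uuid
            return Response(202, {}, json.dumps({"url": fetch_url}).encode())
        if "/sbom/fetch-report/" in url:
            self.polls += 1
            if self.polls <= self.not_ready_polls:
                return Response(201, {}, b"")
            return Response(302, {"Location": self.download_url}, b"")
        if url == self.download_url:
            self.download_auth = headers.get("Authorization")  # None == token withheld
            doc = {"sbom": {"spdxVersion": "SPDX-2.3", "name": "com.github.acme/widget"}}
            return Response(200, {}, json.dumps(doc).encode())
        return Response(404, {}, b"")

def demo_offline():
    """Whole flow against the fake: two 'not ready' polls, then the redirect."""
    fake = FakeGitHub(not_ready_polls=2)
    doc = export_sbom("acme", "widget", "ghp_placeholder", transport=fake, sleep=lambda _: None)
    return doc, fake.polls, fake.download_auth

if __name__ == "__main__":
    print(demo_offline())
```

Against the live API, call `export_sbom(owner, repo, token)` with the default `urllib_transport`; the fake is only there so the redirect and timeout paths can be exercised without network access. Whether the real download target is on the API origin or elsewhere is not stated in the changelog, which is exactly why the client checks rather than assumes.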
Limitations and caveats
- The SBOM export reflects the state of the repository at the time the request is initiated. SBOMs are not available for refs other than HEAD.
- Anonymous users are limited to one concurrent SBOM request per repository. Logged-in users are not subject to this restriction.
Join the discussion within the GitHub Community.