The recent software supply chain attacks proof again that having insights in own project dependencies is crucial. This is where GitHub's dependency graph can help. It maps every direct and transitive dependency in your project, giving you the visibility you need to understand, secure, and manage your software supply chain.
What is the Dependency Graph?
The dependency graph is a summary of the manifest and lock files stored in a repository, showing which packages depend on what, helping you identify risks, prioritize security fixes, and keep track of your project's true footprint.
For each repository, the dependency graph shows:
- Dependencies: The ecosystems and packages your project relies on
- Version information: What versions you're using
- License details: The licensing terms of your dependencies
- Vulnerability status: Whether any dependencies have known security issues
- Transitive paths: For ecosystems that support it, you can see the entire chain that brought in each dependency
Why enable the dependency graph?
When vulnerabilities are discovered in open source packages, they ripple downstream through all projects that depend on them. Without visibility into your dependency tree, you can't take timely action to protect your project.
The dependency graph also unlocks other GitHub security features:
- Dependabot alerts: Get notified when vulnerabilities are found in your dependencies
- Dependency review: Understand the security impact of dependency changes in pull requests
- SBOM export: Generate a Software Bill of Materials for compliance and auditing
How to enable it?
For your public repositories, You don't need to do anything—it's already enabled for you. The dependency graph is available for public repositories by default.
If you have private repositories, a repository administrator can enable it manually:
Step 1: Navigate to Repository Settings
Go to your repository on GitHub and click on Settings (if you don't see the Settings tab, use the dropdown menu to access it).
Step 2: Access Security Settings
In the left sidebar, find the Security section and click on Code security and analysis (or Advanced Security depending on your view).
Step 3: Enable the Dependency Graph
Read the message about granting GitHub read-only access to repository data, then click Enable next to "Dependency Graph".
Step 4: Wait for Processing
When first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes, though this may take longer for repositories with many dependencies.
Viewing your dependency graph
After enabling, you can explore your dependencies by:
- Going to your repository's Insights tab
- Clicking Dependency graph in the left sidebar
- Browsing the list of dependencies, which automatically sorts vulnerable packages to the top
- Clicking on any dependency to see details like version, license, and vulnerabilities
- Using "Show paths" for transitive dependencies to understand how they entered your project
Export your dependency graph
One of the features of the dependency graph is the ability to export it as a Software Bill of Materials (SBOM) in the industry-standard SPDX format. SBOMs are increasingly required by regulators, government agencies, and enterprise customers for compliance and transparency purposes.
An SBOM provides a formal, machine-readable inventory of your project's dependencies and associated information such as versions, package identifiers, licenses, transitive paths for package ecosystems with support for transitive dependency labeling, and copyright information.
The export captures the current state of your dependency graph, representing the head of your main branch at the time of export.
The simplest way to generate an SBOM is through GitHub's web interface:
- Navigate to your repository on GitHub
- Click on the Insights tab
- Select Dependency graph from the left sidebar
- On the top right side of the Dependencies tab, click Export SBOM
- A JSON file will automatically download to your browser