A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.
Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.
A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.
The GitHub Actions extension for VS Code is now in public beta. This extension includes rich editing features, such as syntax validation and autocomplete, making workflow authoring and editing faster and easier. Developers will also be able to view workflow runs, inspect logs, and trigger re-runs directly from VS Code.
The new code scanning tool status page allows users to view the status of CodeQL and other code scanning tools.
The page shows all the tools that are enabled on the repository and provides information about their setup types, configurations, and any relevant failures or warnings. If a tool is not working as expected, this is a good place to start troubleshooting the issue.
The page indicates three possible statuses for the tool: all configurations are working, some need attention, and some are not working.
Code scanning needs to have received at least one analysis for the default branch to provide a tool status. Only the status of the default branch is reported.
The page shows the latest state of all analysis configurations for the tool. For instance, if you created two separate workflows to scan two distinct parts of the repository independently, the page displays the most recent state of the tool by combining the statuses of both.
The page structure
For each tool, the page provides actionable information about misconfigurations and errors, the number of scanned files per language, the setup types and configurations, the list of rules the tool checks against, and detailed CSV reports.
Error messages
To help you with debugging, the tool status page shows error messages gathered from multiple code scanning system components during tool setup and analysis execution. These include errors from CodeQL, code scanning workflows, SARIF upload limits, and the internal code scanning system.
Third party code scanning tools are not yet able to deliver tool related errors to the page. In the future, these tools will be able to submit error messages to code scanning via SARIF uploads.
The section helps you determine whether code scanning tools are operating correctly on your repository and only shows information about languages supported and analysed by the tool while ignoring languages that are present in the repository but are not supported or being analysed by the tool.
This section is not yet displayed for third party code scanning tools. In the future, third party tools will be able to submit error messages to code scanning via SARIF uploads.
Delivery dates
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
