
Dependency submission API (server beta) #486

Open
github-product-roadmap opened this issue Apr 13, 2022 · 0 comments
Labels
all beta security & compliance server

@github-product-roadmap github-product-roadmap commented Apr 13, 2022

Summary

This is the GitHub Enterprise Server version of #467.

The dependency graph today uses manifest parsing to understand the set of dependencies in a repository. This approach has some shortcomings: we can't easily support complex dependency systems which use executable code in the build to resolve dependencies (like Gradle), and users of an ecosystem need to wait for GitHub to add support for it.

The dependency submission API will allow users to upload details of their dependencies directly, via an API request. It will be designed to work with the output of build tools and package managers. The dependency graph will store this data and, if an ecosystem is supported in the advisory database, GitHub will send alerts if/when a vulnerable dependency is present.

This release will be a public beta.

Intended Outcome

We are building this so that GitHub can better track dependencies from package managers like Gradle which generally require a build to take place to get reliable results.

How will it work?

We are providing a new API which allows developers to submit a snapshot of their dependencies at a particular point in time. This can be called easily from any GitHub Actions or similar CI environment to provide this information.
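The snapshot submission described above, as an added example that is not part of the roadmap issue or of GitHub's own tooling: it builds a snapshot from a constructed list of Gradle-style Maven coordinates and posts it to the repository. The issue specifies no payload format; the shape and endpoint here follow the dependency submission API as GitHub later documented it, and the detector name and URL, the token, and the sample coordinates are assumptions.

```python
# Added example, not code from the roadmap issue or from GitHub. Builds a dependency
# snapshot from a constructed list of Gradle-style Maven coordinates and posts it.
# Payload shape and endpoint follow the later-documented dependency submission API.
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample: (group, artifact, version, is_direct) as a build might resolve them.
SAMPLE_RESOLVED = [
    ("org.apache.logging.log4j", "log4j-core", "2.17.1", True),
    ("com.fasterxml.jackson.core", "jackson-databind", "2.13.2", True),
    ("com.fasterxml.jackson.core", "jackson-core", "2.13.2", False),  # transitive
]

def maven_purl(group, artifact, version):
    """Package URL for a Maven coordinate; advisory matching is keyed on these."""
    return f"pkg:maven/{group}/{artifact}@{version}"

def build_snapshot(resolved, sha, ref, job_id, correlator, manifest="build.gradle"):
    """Assemble one snapshot covering a single manifest file."""
    packages = {}
    for group, artifact, version, direct in resolved:
        purl = maven_purl(group, artifact, version)
        packages[purl] = {
            "package_url": purl,
            "relationship": "direct" if direct else "indirect",
            "scope": "runtime",
        }
    return {
        "version": 0,
        "job": {"id": job_id, "correlator": correlator},  # correlator groups a job's snapshots
        "sha": sha,
        "ref": ref,
        # Hypothetical detector identity; the submitter chooses name, version and url
        "detector": {"name": "example-gradle-detector", "version": "0.1.0",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest: {"name": manifest,
                                 "file": {"source_location": manifest},
                                 "resolved": packages}},
    }

def submit_snapshot(owner, repo, snapshot, token):
    # POST the snapshot; the token needs write access to the repository's contents.
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # echoes the snapshot id and a result message on success
```

Running `build_snapshot` alone needs no network; only `submit_snapshot` contacts the API, so the payload can be inspected in CI before it is sent.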

@github github locked and limited conversation to collaborators Apr 13, 2022
@github-product-roadmap github-product-roadmap added all beta security & compliance server labels Apr 13, 2022
Projects
Status: Q3 2022 – Jul-Sep