
Dependency submission API (server beta)

Status: Open. Opened by github-product-roadmap 3 years ago. 0 comments.

Summary

This is the GitHub Enterprise Server version of https://github.com/github/roadmap/issues/467.

The dependency graph today uses manifest parsing to understand the set of dependencies in a repository. This approach has some shortcomings: we can't easily support complex dependency systems which use executable code in the build to resolve dependencies (like Gradle), and users of an ecosystem need to wait for GitHub to add support for it.

The dependency submission API will allow users to upload details of their dependencies directly, via an API request. It will be designed to work with the output of build tools and package managers. The dependency graph will store this data and, if an ecosystem is supported in the advisory database, GitHub will send alerts if/when a vulnerable dependency is present.

This release will be a public beta.

Intended Outcome

We are building this so that GitHub can better track dependencies from package managers like Gradle which generally require a build to take place to get reliable results.

How will it work?

We are providing a new API which allows developers to submit a snapshot of their dependencies at a particular point in time. It can easily be called from a GitHub Actions workflow or a similar CI environment to provide this information.
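As an added illustration of the snapshot idea described above (editor's example, not GitHub's own code and not something this roadmap issue specifies), the script below takes the resolved output of a build step, here a constructed pinned `requirements.txt`, converts it to package URLs, and assembles one point-in-time snapshot document. The endpoint path `/repos/{owner}/{repo}/dependency-graph/snapshots` and the field names (`version`, `job`, `sha`, `ref`, `detector`, `scanned`, `manifests`) follow the public REST documentation for the API as it later shipped and are an assumption on the editor's part; the detector name and URL are placeholders.

```python
"""Build a dependency snapshot from a pinned lockfile and (optionally) submit it.

Editor's example. Endpoint path and snapshot field names are assumed from the
public REST docs for the dependency submission API; the roadmap issue itself
does not state them. The lockfile content is constructed for this example.
"""
import json
import os
import re
import urllib.request

# Constructed sample: what a `pip freeze` / lockfile step might produce in CI.
SAMPLE_LOCKFILE = """\
# resolved by the build step
requests[security]==2.28.1
urllib3==1.26.12 ; python_version >= "3.7"
certifi==2022.9.24
-e .   # editable install of the project itself, not a third-party pin
"""

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_pinned_requirements(text):
    """Return {name: version} for exact '==' pins.

    Comments, blank lines, extras ('[security]') and environment markers
    (after ';') are stripped; anything that is not an exact pin is skipped,
    because only resolved versions are useful for vulnerability matching.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        name = name.split("[", 1)[0].lower()  # drop extras
        pins[name] = version
    return pins


def to_purl(name, version):
    """Package URL for a PyPI package, the identifier the advisory DB matches on."""
    return f"pkg:pypi/{name}@{version}"


def build_snapshot(pins, *, sha, ref, run_id, correlator, manifest_path, scanned):
    """Assemble one snapshot document for a single manifest.

    'job.correlator' lets GitHub replace an earlier snapshot from the same
    workflow/job rather than accumulate duplicates; 'sha' must be the full
    40-character commit id the dependencies were resolved at.
    """
    if not _SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-character lowercase hex commit id")
    resolved = {
        name: {
            "package_url": to_purl(name, version),
            "relationship": "direct",   # lockfile does not tell us otherwise here
            "scope": "runtime",
            "dependencies": [],          # transitive edges unknown from a flat pin list
        }
        for name, version in sorted(pins.items())
    }
    return {
        "version": 0,
        "job": {"id": str(run_id), "correlator": correlator},
        "sha": sha,
        "ref": ref,
        "detector": {
            "name": "example-pip-detector",            # placeholder
            "version": "0.1.0",                        # placeholder
            "url": "https://example.invalid/detector",  # placeholder
        },
        "scanned": scanned,
        "manifests": {
            manifest_path: {
                "name": manifest_path,
                "file": {"source_location": manifest_path},
                "resolved": resolved,
            }
        },
    }


def submit_snapshot(owner, repo, snapshot, token):
    """POST the snapshot; returns the HTTP status (201 on success). Network call."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots"
    req = urllib.request.Request(
        url,
        data=json.dumps(snapshot).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    snap = build_snapshot(
        parse_pinned_requirements(SAMPLE_LOCKFILE),
        sha="0" * 40, ref="refs/heads/main", run_id=1, correlator="ci/pip-scan",
        manifest_path="requirements.txt", scanned="2022-04-13T20:04:00Z",
    )
    print(json.dumps(snap, indent=2))
    if os.environ.get("GITHUB_TOKEN"):  # only submit when explicitly configured
        print(submit_snapshot("OWNER", "REPO", snap, os.environ["GITHUB_TOKEN"]))
```

In a workflow the `sha`, `ref`, run id and token would come from `GITHUB_SHA`, `GITHUB_REF`, `GITHUB_RUN_ID` and the job token; the script only contacts the API when a token is present, so the payload can be reviewed locally first.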

Posted by github-product-roadmap on Apr 13 '22 20:04