Get a repo's dependency-graph SBOM summary
Read a quick summary of a repository’s SPDX SBOM — its spec version and package count — without pulling the full document.
-
Call
get_dependency_graph_sbomwith the repository’s owner and name:get_dependency_graph_sbom { owner: "octocat", repo: "example" } -
Read the summary off the response:
{ "spdxVersion": "SPDX-2.3", "packageCount": 47 }spdxVersionis the SPDX spec version GitHub generated the document against;packageCountis the number of entries in the SBOM’spackagesarray.
When this isn’t enough
Section titled “When this isn’t enough”This tool is deliberately a summary, not a full SPDX client — it does not
expose license information, package relationships, or any other field of the
underlying SBOM document. If you need the full document, fetch
GET /repos/{owner}/{repo}/dependency-graph/sbom directly rather than
through this tool.
If it fails
Section titled “If it fails”missing_scope: no GitHub token was resolvable. SetGITHUB_TOKENor rungh auth login.github_api_error: check the message for the underlying HTTP status — a repository with the dependency graph disabled, or one you can’t access, surfaces as a non-2xx status here.
See also
Section titled “See also”- reference/tools.md for the exact response schema.