Closed anthonyharrison closed 1 year ago
I think what's happening here is this tool uses the Dependency Graph API, and so if you don't have Dependency Graph enabled on your repository (regardless of whether it's forked or not), it won't be able to get any information. I added a (hopefully) helpful error message for that case: https://github.com/advanced-security/gh-sbom/commit/781d1cee2a81550502c09aca42bbcb31c94c13cc
@steiza It appears that it is possible to enable DependencyGraph for a forked repo. Maybe add this reference somewhere in the documentation.
Pointing the tool at a forked repo results in a basic SBOM with none of the dependent packages identified.
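The symptom described in this thread (a document that is valid SPDX but lists only the repository itself, because Dependency Graph is not enabled on the fork) is easy to miss if you only check that the export parsed. The following is an added example, not code from gh-sbom or from GitHub: it takes a Dependency Graph SBOM export (the JSON returned by `GET /repos/{owner}/{repo}/dependency-graph/sbom`, whose SPDX document sits under the `sbom` key) and reports whether any dependency packages are actually present. The two sample documents are constructed by hand and only approximate the real export's shape; the `dependency_purls` and `diagnose` function names are this example's own.

```python
"""Detect the "empty SBOM" failure mode of a GitHub Dependency Graph export.

Added example; not part of gh-sbom. The sample documents below are
constructed and approximate the SPDX JSON returned under the "sbom" key by
GET /repos/{owner}/{repo}/dependency-graph/sbom.
"""
import json
import sys

# Constructed sample: Dependency Graph enabled, one resolved dependency.
SBOM_WITH_DEPS = {
    "sbom": {
        "SPDXID": "SPDXRef-DOCUMENT",
        "spdxVersion": "SPDX-2.3",
        "name": "com.github.example/app",
        "documentDescribes": ["SPDXRef-com.github.example-app"],
        "packages": [
            {"SPDXID": "SPDXRef-com.github.example-app",
             "name": "com.github.example/app", "versionInfo": "main"},
            {"SPDXID": "SPDXRef-npm-lodash-4.17.21",
             "name": "npm:lodash", "versionInfo": "4.17.21",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        ],
        "relationships": [
            {"relationshipType": "DEPENDS_ON",
             "spdxElementId": "SPDXRef-com.github.example-app",
             "relatedSpdxElement": "SPDXRef-npm-lodash-4.17.21"},
        ],
    }
}

# Constructed sample: the fork case from the issue, only the repo package itself.
SBOM_EMPTY = {
    "sbom": {
        "SPDXID": "SPDXRef-DOCUMENT",
        "spdxVersion": "SPDX-2.3",
        "name": "com.github.example/app-fork",
        "documentDescribes": ["SPDXRef-com.github.example-app-fork"],
        "packages": [
            {"SPDXID": "SPDXRef-com.github.example-app-fork",
             "name": "com.github.example/app-fork", "versionInfo": "main"},
        ],
        "relationships": [],
    }
}


def _root_ids(doc):
    """SPDX IDs of the package(s) the document describes (the repo itself)."""
    roots = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES":
            roots.add(rel.get("relatedSpdxElement"))
    return roots


def dependency_purls(sbom_export):
    """Return the purls of every non-root package carrying a purl external ref."""
    doc = sbom_export.get("sbom", sbom_export)  # accept the bare SPDX doc too
    roots = _root_ids(doc)
    purls = []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in roots:
            continue
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls.append(ref["referenceLocator"])
    return sorted(purls)


def diagnose(sbom_export):
    """Classify an export as usable or as the "basic SBOM with no dependencies" case."""
    purls = dependency_purls(sbom_export)
    if purls:
        return {"status": "ok", "dependency_count": len(purls)}
    return {
        "status": "no_dependencies",
        "dependency_count": 0,
        # The thread's finding: this is what you get when Dependency Graph is
        # disabled on the repository (forks have it disabled unless enabled).
        "hint": "No dependency packages in export; check that Dependency Graph "
                "is enabled for this repository (it can be enabled on forks).",
    }


if __name__ == "__main__":
    # Usage: python check_sbom.py < sbom.json   (or no stdin to run the samples)
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SBOM_EMPTY
    print(json.dumps(diagnose(data), indent=2))
```

Run against a real export the diagnosis is a cheap gate to put in front of any pipeline that consumes the SBOM: a `no_dependencies` result on a repository you know has lock files is the signal that the repository setting, not the tool, is the problem.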