Fine grain access to read only SBOM

[pritiprajapati314]

Select Topic Area

Question

Body

Hey experts, I need your help.
I am trying to find if there is way to get the list of dependencies (like package name and version), from a private repository in a github organization, currently I am exploring SBOM and manifest files. My requirement is to

1. have the least amount to access possible just enough to get the SBOM or manifest file(like pom.xml, package.json) without being able to read the content of the repository.
2. I am also reading it on a regular interval so I need this source to be as updated as possible.
3. Is there any other way rather than creating another repo, or creating a github action publishing this data in an external api.

Things I have explored : github action, webhooks, graphQL.
I know that github provides fine grain tokens and gives read only permission to content type access. I can fetch SBOM (but the only issue is that it also enables me to read the content of the repository). There is no other permission which has SBOM export access so this is my best option till now.

I would be really thankful if someone could tell me any other service github provide which would be relevant to the tenet. Or could provide a confirmation that no other way is possible.

Thank you in advance for your time.

[pritiprajapati314]

Thanks Nirva! Can you suggest some third-party services you mentioned above to start with, it would be really helpful. I have explored SNYK, but I think it only shows vulnerability and not the whole list, are there any other services that provide the complete list of dependencies.

[pritiprajapati314]

Thank you! really appreciate your help