| title | REST API endpoints for dependency submission | ||||||
|---|---|---|---|---|---|---|---|
| shortTitle | Dependency submission | ||||||
| allowTitleToDifferFromFilename | true | ||||||
| intro | Use the REST API to submit dependencies. | ||||||
| versions |
|
||||||
| autogenerated | rest | ||||||
| category |
|
You can use the REST API to submit dependencies for a project. This enables you to add dependencies, such as those resolved when software is compiled or built, to {% data variables.product.prodname_dotcom %}'s dependency graph feature, providing a more complete picture of all of your project's dependencies.
The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a package-lock.json file in a JavaScript project). For more information about viewing the dependency graph, see AUTOTITLE.
Submitted dependencies will receive {% data variables.product.prodname_dependabot_alerts %} and {% data variables.product.prodname_dependabot_security_updates %} for any known vulnerabilities. You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the supported ecosystems for the {% data variables.product.prodname_advisory_database %}. For more information about these ecosystems, see AUTOTITLE. For transitive dependencies submitted via the {% data variables.dependency-submission-api.name %}, {% data variables.product.prodname_dependabot %} will automatically open pull requests to update the parent dependency, if an update is available.
{% data reusables.dependency-submission.about-dependency-submission %}
You can submit dependencies in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, that reflects the current state of your repository for a commit. You can choose to use pre-made actions or create your own actions to submit your dependencies in the required format each time your project is built. For more information, see AUTOTITLE.
You can submit multiple sets of dependencies to be included in your dependency graph. The REST API uses the job.correlator property and the detector.name category of the snapshot to ensure the latest submissions for each workflow get shown. The correlator property itself is the primary field you will use to keep independent submissions distinct. An example correlator could be a simple combination of two variables available in actions runs: <GITHUB_WORKFLOW> <GITHUB_JOB>.
{% data reusables.dependency-graph.deduplication %}