If you have at least read access to the repository, you can export the dependency graph for the repository as an SPDX-compatible, Software Bill of Materials (SBOM), via the {% data variables.product.prodname_dotcom %} UI or {% data variables.product.company_short %} REST API. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)."

By default, the {% data variables.dependency-review.action_name %} check will fail if it discovers any vulnerable packages. A failed check blocks a pull request from being merged when the repository owner requires the dependency review check to pass. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)."

For more information about the action and the API endpoint, see the [`dependency-review-action`](https://github.com/actions/dependency-review-action) documentation, and "[AUTOTITLE](/rest/dependency-graph/dependency-review)."

After you enable the dependency graph, users will have access to the dependency review feature. {% data reusables.dependency-review.short-summary %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."

Organization owners can roll out dependency review at scale by enforcing the use of the {% data variables.dependency-review.action_name %} across repositories in the organization. This involves the use of repository rulesets for which you'll set the {% data variables.dependency-review.action_name %} as a required workflow, which means that pull requests can only be merged once the workflow passes all the required checks. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization)."

The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a `package-lock.json` file in a JavaScript project). For more information about viewing the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph)."

Submitted dependencies will receive {% data variables.product.prodname_dependabot_alerts %} and {% data variables.product.prodname_dependabot_security_updates %} for any known vulnerabilities. You will only get {% data variables.product.prodname_dependabot_alerts %} for dependencies that are from one of the supported ecosystems for the {% data variables.product.prodname_advisory_database %}. For more information about these ecosystems, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#github-reviewed-advisories)." For transitive dependencies submitted via the {% data variables.dependency-submission-api.name %}, {% data variables.product.prodname_dependabot %} will automatically open pull requests to update the parent dependency, if an update is available.

{% ifversion dependency-graph-repository-view-update %}Dependencies submitted to a project using the {% data variables.dependency-submission-api.name %} will show which detector was used for their submission and when they were submitted.{% elsif ghes %} The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files.{% else %}{% endif %} For more information on the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."

{% data variables.product.prodname_desktop %} is a free, open source application that helps you to work with code hosted on {% data variables.product.prodname_dotcom %} or other Git hosting services. With {% data variables.product.prodname_desktop %}, you can perform Git commands, such as committing and pushing changes, in a graphical user interface, rather than using the command line. For more information, see "[AUTOTITLE](/desktop/installing-and-configuring-github-desktop/overview/about-github-desktop)."

When you have opened a pull request branch, you can view the contents of the branch in an editor, view the diff and commit history of the contributor's updates, and view and re-run checks. For more information, see "[Working with a pull request in {% data variables.product.prodname_desktop %}](#working-with-a-pull-request-in-github-desktop)."