How does SBOM support supply chain security in GitHub Advanced Security?


Multiple Choice

How does SBOM support supply chain security in GitHub Advanced Security?

Explanation:
An SBOM (software bill of materials) provides visibility into every component and dependency, letting you see exactly what’s included in your software and which versions are in use. That complete inventory is the foundation for assessing risk and enforcing supply chain security practices, because you can identify vulnerable components, track licenses, and verify that only approved pieces are part of your builds. In GitHub Advanced Security, this visibility lets you map known vulnerabilities to the specific components and versions in your SBOM, prioritize remediation based on real impact, and demonstrate governance and compliance with security policies. The SBOM itself doesn’t patch issues, encrypt dependencies, or manage who can access them—that work happens in remediation tooling, encryption-focused controls, or access management.
