Automatic dependency submission now supports the pip package manager for Python. This release completes the cohort of package managers that now have auto-submission support, adding to the previously-released Maven, Gradle, and .NET ecosystems. Dependency auto-submission uploads a snapshot of a repository’s dependencies to the dependency graph submission API. The dependency graph then can see the full, transitive dependency tree of the project, which is useful for generating SBOMs, dependency insights, and Dependabot security alerts.

In order to use this feature, you must first enable the dependency graph in your repository’s settings: under Advanced Security, enable Automatic Dependency Submission. Your repository must also have GitHub Actions enabled. Note that turning on this feature will incur actions usage. For more information, see Configuring automatic dependency submission.