by captaindiego 1180 days ago
Too bad the ability to understand dependencies is quite poor and not extensible. The dependency graph in GitHub Enterprise is useless, especially for the price - which makes any SBOM also equally useless.
2 comments

What does "understand dependencies" mean to you? What kinds of things would help you understand dependencies better?
Could you describe its defects in more detail?
Simple example: using advanced security in GitHub Enterprise with dependabot, it understands our usage of actions and their dependencies - it can understand that action workflow X depends on Y and there's a new version. But if we use a docker image in those workflows, hosted in GitHub packages, it isn't able to understand that.

This is a fairly basic case I would have expected to work - but it doesn't. For anything C++ or more complex examples it's less useful... And dependabot is no longer extensible so this can't even be solved by using open source additions.

Currently looking at things like Mend's Renovate as an alternative
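The gap described in the comment above is that a workflow's container images are external dependencies just like its `uses:` actions, but they are not surfaced in the inventory. Below is an added example (not code from the thread, GitHub, Dependabot or Renovate) that walks a workflow file with a small line-based extractor and lists both kinds of dependency, then flags the ones that reference a mutable tag or branch instead of an immutable commit SHA or image digest. The workflow text, the `example-org` images and the SHA are constructed for the example; the extractor only looks at `uses:`, `container:` and `image:` lines, so it is a first-pass inventory, not a full YAML parser.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    kind: str  # "action" (uses: owner/repo@ref), "image" (container/service/docker:// image) or "local" (./path)
    name: str
    ref: str   # tag, branch, commit SHA or sha256 digest; "" if none was given


# `uses:` appears as a step list item ("- uses:") or as a job key for reusable workflows.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)')
# `container: <image>` shorthand, or an `image:` key nested under container:/services:.
IMAGE_RE = re.compile(r'^\s*(?:container|image):\s*["\']?([^"\'#\s]+)')
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def split_image(spec: str) -> tuple[str, str]:
    """Split 'registry/name[:tag][@digest]' into (name, ref); the digest wins over the tag."""
    digest = ""
    if "@" in spec:
        spec, digest = spec.split("@", 1)
    name, tag = spec, ""
    last_segment = spec.rsplit("/", 1)[-1]  # only the final path segment may carry a tag
    if ":" in last_segment:
        name, tag = spec.rsplit(":", 1)
    return name, digest or tag or "latest"  # Docker's default tag when none is given


def parse_workflow(text: str) -> list[Dependency]:
    """Collect action, image and local-action references from a GitHub Actions workflow."""
    deps: list[Dependency] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            spec = m.group(1)
            if spec.startswith("docker://"):
                name, ref = split_image(spec[len("docker://"):])
                deps.append(Dependency("image", name, ref))
            elif spec.startswith("./"):
                deps.append(Dependency("local", spec, ""))
            else:
                name, _, ref = spec.partition("@")
                deps.append(Dependency("action", name, ref))
            continue
        m = IMAGE_RE.match(line)
        if m:
            name, ref = split_image(m.group(1))
            deps.append(Dependency("image", name, ref))
    return deps


def is_pinned(dep: Dependency) -> bool:
    """Immutable references only: a 40-hex commit SHA for actions, a sha256 digest for images."""
    if dep.kind == "action":
        return bool(SHA40_RE.match(dep.ref))
    if dep.kind == "image":
        return dep.ref.startswith("sha256:")
    return True  # local actions live in the same repository; nothing external to pin


def find_unpinned(deps: list[Dependency]) -> list[Dependency]:
    """Dependencies whose content can change underneath the workflow without a diff in the repo."""
    return [d for d in deps if not is_pinned(d)]


# Constructed workflow for the example; org, image names and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example-org/build-image:1.4.2
    services:
      db:
        image: postgres:16
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc7cb0ad8acb07cd2da9bd4e1ff6abd
      - uses: docker://ghcr.io/example-org/scanner:2.0
      - uses: ./.github/actions/local-thing
      - run: echo "uses: not-a-dep"
"""

if __name__ == "__main__":
    found = parse_workflow(SAMPLE_WORKFLOW)
    for dep in found:
        status = "pinned" if is_pinned(dep) else "MUTABLE"
        print(f"{dep.kind:6} {dep.name}@{dep.ref or '-'} [{status}]")
```

Running it over the constructed workflow lists six dependencies, three of them images the commenter's tooling would not have reported, and marks four as mutable (`v4`, `1.4.2`, `16`, `2.0`). The same inventory is what you would feed a renovate.json or an SBOM generator so that image updates are tracked alongside action updates.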