aquasecurity · simar7 · Mar 29, 2023 · Feb 18, 2023 · Feb 18, 2023 · Feb 18, 2023
diff --git a/README.md b/README.md
@@ -299,11 +299,12 @@ jobs:
 ```
 
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
+It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
 
-The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
+The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
+
+In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 
-In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
@@ -312,6 +313,11 @@ on:
  branches:
  - master
  pull_request:
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+ contents: write
+
 jobs:
  build:
  name: Checks
@@ -320,14 +326,14 @@ jobs:
  - name: Checkout code
  uses: actions/checkout@v3
 
- - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
  uses: aquasecurity/trivy-action@master
  with:
  scan-type: 'fs'
  format: 'github'
  output: 'dependency-results.sbom.json'
  image-ref: '.'
- github-pat: '<github_pat_token>'
+ github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```
 
 ### Using Trivy to scan your private registry
@@ -501,7 +507,7 @@ Following inputs can be used as `step.with` keys:
 | `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
 | `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
 | `trivy-config` | String | | Path to trivy.yaml config |
-| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
 | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest