CycloneDX export for the project dependency list
Release notes
Since the US Federal Government's 2021 executive order on cybersecurity introduced a software bill of materials (SBOM) requirement, companies that supply it with software have had to produce an SBOM to help secure the software supply chain. CycloneDX has become one of the most widely adopted SBOM standards. In this release, you can export an SBOM in CycloneDX format directly from the Dependency List.
Problem to solve
When a user clicks the Export button on the Dependency List, they download a JSON file in GitLab's custom format, which is undocumented, so no downstream tooling can consume it without reverse engineering it. Ideally users would download a file in an industry-standard format.
Proposal
We will add a new item to the dependency export dropdown that lets users download the dependency list as a CycloneDX SBOM (JSON), so the file can be fed directly into vulnerability scanners, license checkers and SBOM repositories that already speak CycloneDX.
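To make concrete what a CycloneDX export of the Dependency List needs to carry, here is an added example (not GitLab's code, and not the proposed implementation) that turns a constructed dependency list into a CycloneDX 1.4 JSON BOM and then runs the consumer-side structural checks a downstream tool would apply. The shape of the input records (`name`, `version`, `package_manager`, `namespace`) and the tool entry in `metadata` are assumptions for illustration, not GitLab's schema.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input. The field names (name, version, package_manager,
# namespace) are an assumption for this example, not GitLab's export schema.
SAMPLE_DEPENDENCIES = [
    {"name": "lodash", "version": "4.17.20", "package_manager": "npm"},
    {"name": "rails", "version": "6.1.4", "package_manager": "bundler"},
    {"name": "requests", "version": "2.25.1", "package_manager": "pip"},
    {"name": "log4j-core", "version": "2.14.1", "package_manager": "maven",
     "namespace": "org.apache.logging.log4j"},
]

# Package-manager name -> package-url (purl) type, per the purl spec.
PURL_TYPES = {"npm": "npm", "bundler": "gem", "pip": "pypi", "maven": "maven", "go": "golang"}

# specVersions this example is willing to emit or accept.
KNOWN_SPEC_VERSIONS = {"1.3", "1.4", "1.5"}


def make_purl(dep):
    """Build a purl such as pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1.
    The purl is what downstream tools (vulnerability matchers, license scanners)
    key on, so every component should carry one."""
    ptype = PURL_TYPES[dep["package_manager"]]
    path = dep["name"] if not dep.get("namespace") else f"{dep['namespace']}/{dep['name']}"
    return f"pkg:{ptype}/{path}@{dep['version']}"


def build_cyclonedx_bom(deps, serial_number=None, timestamp=None):
    """Return a CycloneDX 1.4 BOM (as a dict) describing `deps`.
    serial_number and timestamp are injectable so output is reproducible in tests."""
    serial_number = serial_number or f"urn:uuid:{uuid.uuid4()}"
    timestamp = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    components = []
    for dep in deps:
        purl = make_purl(dep)
        comp = {
            "type": "library",
            "bom-ref": purl,  # the purl doubles as the unique in-document reference
            "name": dep["name"],
            "version": dep["version"],
            "purl": purl,
        }
        if dep.get("namespace"):
            comp["group"] = dep["namespace"]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial_number,
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            # Hypothetical tool entry; a real exporter would name itself here.
            "tools": [{"vendor": "example", "name": "deplist-to-cyclonedx", "version": "0.1"}],
        },
        "components": components,
    }


def validate_bom(bom):
    """Consumer-side sanity checks. Returns a list of problems (empty means OK).
    This is a structural check, not a full JSON Schema validation."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") not in KNOWN_SPEC_VERSIONS:
        problems.append(f"unsupported specVersion {bom.get('specVersion')!r}")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber must be a urn:uuid")
    seen_refs = set()
    for i, comp in enumerate(bom.get("components", [])):
        for field in ("type", "name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"component {i} missing {field}")
        ref = comp.get("bom-ref")
        if ref in seen_refs:
            problems.append(f"duplicate bom-ref {ref!r}")
        seen_refs.add(ref)
    return problems


def bom_to_json(bom):
    """Serialise with stable key order so two exports of the same list diff cleanly."""
    return json.dumps(bom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_cyclonedx_bom(SAMPLE_DEPENDENCIES)
    print(bom_to_json(bom))
    print("problems:", validate_bom(bom))
```

The two things worth noting for the export: every component needs a purl, because that is the key vulnerability and license scanners match on, and the serial number must be a fresh `urn:uuid` per export so consumers can tell two BOMs of the same project apart. Anything the validator flags here is something a customer's SBOM tooling would reject as well.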
Intended users
Feature Usage Metrics
We will add frontend event tracking for clicks on each export menu item, so usage of the new CycloneDX option can be compared against the existing export.
Does this feature require an audit event?
No