SBOM scan API ignores the uploads_storage_path configuration and writes to the public directory, causing a missing gl-dependency-scanning-report.json
Problem
The customer reported in ZD#675241 that when the dependency_scanning_sbom_scan_api feature flag is enabled, SBOM scan uploads fail with a 500 error. As a result gl-dependency-scanning-report.json is missing, which prevents MRs from being approved because no report is present for the compliance check:
{"correlation_id":"01KB4ZRPQ3C2DX33PVKZTY8ETW","error":"handleFileUploads: extract files from multipart: persisting multipart file: newLocalFile: mkdir \"/opt/gitlab/embedded/service/gitlab-rails/public/tmp/uploads\": mkdir /opt/gitlab/embedded/service/gitlab-rails/public/tmp: permission denied","level":"error","method":"POST","msg":"","time":"2025-11-28T10:22:30Z","uri":"/api/v4/jobs/4349/sbom_scans?filesize=35569"}
Root Cause
The public/ directory is typically owned by root:root with 755 permissions, so the git user (which runs Workhorse) cannot create the required tmp/uploads subdirectory. This is especially the case with the provided Docker images, where root owns /opt/gitlab/embedded/service/gitlab-rails/public/. The directory that must exist and be writable by the git user is:
/opt/gitlab/embedded/service/gitlab-rails/public/tmp/uploads
Regular file uploads (such as an image in a comment, or other artifacts) work as expected.
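As an added diagnostic (not from the issue or from GitLab's own code), the check below predicts from ownership and mode bits whether a mkdir -p of the upload directory would succeed for a given uid, the way Workhorse's newLocalFile call fails above, and replays the 755 root-owned public/ case in a constructed temporary directory. The uids used are placeholders for root and git, not the real system ids.

```python
# Added example: predict whether Workhorse's mkdir of the uploads directory
# would succeed for a given uid, decided from stat() ownership and mode bits
# only, so the check gives the same answer no matter who runs it.
import os
import stat
import tempfile
from pathlib import Path

def nearest_existing_ancestor(path: str) -> Path:
    """Walk up until a component exists; that is where mkdir -p starts creating."""
    p = Path(path)
    while not p.exists() and p.parent != p:
        p = p.parent
    return p

def user_can_create_in(directory: str, uid: int, gids: set) -> bool:
    """Creating an entry needs write+search (w+x) on the parent for the user.
    Decided from owner/group/other bits like the kernel does (ACLs ignored)."""
    st = os.stat(directory)
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def check_upload_target(target: str, uid: int, gids: set):
    """Return (ok, blocking_dir) for 'mkdir -p target' run as uid."""
    anc = nearest_existing_ancestor(target)
    return user_can_create_in(str(anc), uid, gids), str(anc)

def simulate_report():
    """Constructed scenario mirroring the report: public/ is 0755 and owned by
    the 'root' uid (played by the current user); the 'git' uid is a placeholder
    that is simply any other uid. Returns the check result for each uid."""
    owner_uid = os.getuid()          # stands in for root
    git_uid = owner_uid + 1          # placeholder for the git user
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    os.mkdir(public)
    os.chmod(public, 0o755)          # root:root 755, as in the issue
    target = os.path.join(public, "tmp", "uploads")
    return {
        "root": check_upload_target(target, owner_uid, {os.getgid()}),
        "git": check_upload_target(target, git_uid, {git_uid}),
    }
```

Pointing check_upload_target at the configured uploads_storage_path instead shows that the same uid passes there, which is why the other upload types in the report work.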
Expected Behavior
SBOM scan uploads should respect the configured uploads_storage_path setting and write to the same location as other uploads (/opt/gitlab/embedded/service/gitlab-rails/public/uploads/).
Steps to Reproduce
- Create a fresh Docker environment.
- Enable the dependency_scanning_sbom_scan_api feature flag for a project.
- Attempt to upload an SBOM file via the API endpoint POST /api/v4/jobs/:id/sbom_scans.
- The upload fails with a 500 error, and the following appears in the job log:
[WARN] [dependency-scanning] [2025-12-11T09:52:48Z] ▶ Error while running vulnerability scanning, skipping vulnerability scanning using API and deferring to SBOM scan on pipeline completion: scanning sbom files for vulnerabilities: uploading SBOM file: http://gitlab.example.com:8929/api/v4/jobs/6/sbom_scans?filesize=5006 request failed with status 500: Internal Server Error
This feature is in Limited Availability, see https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/ for more details.