Add support for cyclonedx based dependency scanning

What does this MR do and why?

Add support for CycloneDX-based dependency scanning jobs in security inventory statuses. This merge request ensures that SBOM-based dependency scans using CycloneDX appear correctly as dependency scanning in security inventory statuses.

Changelog: added
EE: true

How to set up and validate locally

  1. Add a mock SBOM-based scan with the following job in `.gitlab-ci.yml`:
     dependency-scanning:
       stage: test
       script:
         - echo NOOP
       artifacts:
         access: "developer"
         reports:
           cyclonedx: "gl-sbom-*.cdx.json"
  2. Add gl-sbom-report.cdx.json file to your project root folder:
     {
       "bomFormat": "CycloneDX",
       "specVersion": "1.5",
       "version": 1,
       "metadata": {
         "timestamp": "2025-08-11T00:00:00Z",
         "tools": [],
         "authors": [],
         "component": null
       },
       "components": [],
       "dependencies": []
     }
  3. Run a pipeline and wait for it to finish.
  4. The project's dependency scanning status in the security inventory should be green, indicating success, and the latest job should point to the most recent pipeline's job.
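A quick local sanity check for steps 1 and 2, added here as an example and not part of this MR or of GitLab's own code: it confirms that the report filename would be picked up by the job's `reports:cyclonedx` glob (`gl-sbom-*.cdx.json`) and that the JSON carries the fields shown in step 2. The sample report is a constructed copy of the step 2 document; the field checks are an assumption about the minimal shape, not GitLab's actual ingestion rules.

```python
import fnmatch
import json

# Constructed sample mirroring the report in step 2 of the MR (not project code).
SAMPLE_REPORT = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"timestamp": "2025-08-11T00:00:00Z", "tools": [], "authors": [], "component": null},
  "components": [],
  "dependencies": []
}"""

# The artifact glob from the dependency-scanning job in step 1.
ARTIFACT_GLOB = "gl-sbom-*.cdx.json"


def matches_artifact_glob(filename, pattern=ARTIFACT_GLOB):
    """True if the filename would be collected by the reports:cyclonedx glob."""
    return fnmatch.fnmatchcase(filename, pattern)


def validate_cyclonedx_report(text):
    """Return a list of problems; an empty list means the minimal fields are present.

    Assumed minimal shape: bomFormat, specVersion, version, metadata, components, dependencies.
    """
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not isinstance(doc.get("specVersion"), str):
        problems.append("specVersion must be a string such as '1.5'")
    version = doc.get("version")
    if not isinstance(version, int) or isinstance(version, bool) or version < 1:
        problems.append("version must be a positive integer")
    if not isinstance(doc.get("metadata"), dict):
        problems.append("metadata must be a JSON object")
    for key in ("components", "dependencies"):
        if not isinstance(doc.get(key), list):
            problems.append(f"{key} must be a JSON array")
    return problems


def check_report_file(filename, text):
    """Both checks together: the file must match the glob and pass validation."""
    problems = []
    if not matches_artifact_glob(filename):
        problems.append(f"{filename!r} does not match artifact glob {ARTIFACT_GLOB!r}")
    problems.extend(validate_cyclonedx_report(text))
    return problems


if __name__ == "__main__":
    # A name that matches the glob versus one that silently would not be collected.
    for name in ("gl-sbom-report.cdx.json", "sbom.json"):
        print(name, "->", check_report_file(name, SAMPLE_REPORT) or "ok")
```

Run it before pushing: a report that fails the glob check is the most common reason the job finishes green while no dependency scanning status appears, because the artifact is never uploaded.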

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to [Backend] SBOM based scans are excluded from se... (#557053 - closed) • Gal Katz • 18.4

Edited by Gal Katz
