Dependency Scanning (DS) analyzer - GA
#### Overview

This epic is for tracking the remaining work required to reach the [General Availability (GA) level](https://docs.gitlab.com/ee/policy/experiment-beta-support.html#generally-available-ga) for [Dependency Scanning by using SBOM](https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/), currently released as Limited Availability. See linked items for additional context.

#### Problem to Solve

GitLab does not currently have a GA dependency scanning solution. There are currently two dependency scanning solutions:

* [Gemnasium](https://docs.gitlab.com/user/application_security/dependency_scanning/) based scanning, which is deprecated in GitLab 17.9 and proposed for removal in 20.0.
* [Dependency scanning by using SBOM](https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/), which was released in GitLab 18.5 as Limited Availability.

## :chart_with_upwards_trend: Success Metrics

1. Overall Target: Increased adoption of the new Dependency Scanning Analyzer to 15% of our Ultimate Accounts.

#### Scope

* https://gitlab.com/groups/gitlab-org/-/work_items/20457+
* https://gitlab.com/gitlab-org/gitlab/-/issues/586921+
* https://gitlab.com/gitlab-org/gitlab/-/issues/585886+
* https://gitlab.com/gitlab-org/gitlab/-/issues/588788+
* https://gitlab.com/groups/gitlab-org/-/work_items/20461+
* https://gitlab.com/groups/gitlab-org/-/work_items/20459+
* https://gitlab.com/groups/gitlab-org/-/work_items/20458+

#### Dependencies

* Team dependencies: [List team dependencies]
* Epic/Issue dependencies - _Link to dependent epics/issues via the linked items widget below for ease of drill down_

#### DRIs

* **PM**: @joelpatterson
* **EM**: @nilieskou
* **UX/PDM**: @marissa.henri
* **Group(s)**: ~"group::composition analysis"
* **Engineering Owner**: @rvider

#### Initiative Driver - Product or Engineering?

~"Interlock Priority::P1"

---

### Hygiene Guidelines

:bulb: _See additional details about this process at_ https://handbook.gitlab.com/handbook/product-development/r-and-d-interlock/

##### :one: Pre-Interlock

- [ ] Update epic description with all relevant information
- [ ] Ensure all dependencies are identified
- [ ] Apply appropriate labels (see below)
- [ ] Apply target delivery Milestone
- [ ] Update interlock status as discussions progress (via label)

##### :two: Post-Interlock: once quarter begins

- Update health status weekly (via label)
- Document any newly identified risks or dependencies
- Link to implementation epics/issues as work begins
- Flag any scope or timeline changes immediately

## Release notes

GitLab's SBOM-based dependency scanner is now generally available, giving Maven, Gradle, and Python projects complete visibility into vulnerabilities across their full dependency tree -- including vulnerable packages introduced transitively, not just those declared directly.

The analyzer now includes automatic dependency resolution for Maven, Gradle, and Python projects. When a lockfile or resolved dependency graph is not present, the analyzer automatically invokes tooling to resolve the full transitive dependency graph before scanning. Dependency resolution is enabled by default and requires no additional configuration beyond including the v2 Dependency Scanning template.

For projects where dependency resolution is not possible, the analyzer falls back to manifest scanning, parsing `pom.xml`, `requirements.txt`, `build.gradle`, and `build.gradle.kts` to identify direct dependencies. This ensures teams always get a starting point for vulnerability coverage, even for projects without lock or build files. Manifest scanning is enabled by default. Note that manifest scanning returns direct dependencies only -- enabling dependency resolution yields higher accuracy in scan results.
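The three-tier behaviour the release notes describe (use an existing resolved graph, otherwise invoke resolution, otherwise parse manifests for direct dependencies only) can be modelled in a few lines. The following is an added example written for this page, not the GitLab analyzer's own code: the lockfile names in `RESOLVED_GRAPH_FILES`, the `resolver_available` flag standing in for "build tooling can run in this job", and the two sample manifests are all assumptions or constructed inputs, and only `requirements.txt` and `pom.xml` are parsed (the Gradle DSL files are out of scope here). The point it makes is the caveat in the notes: a manifest-only scan never sees transitive packages, so the result carries an explicit warning.

```python
"""Added example (not the GitLab analyzer's code): models the scan-mode fallback
from the release notes -- use a resolved graph if present, else invoke resolution,
else parse manifests for direct dependencies only (requirements.txt and pom.xml)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption: file names this model treats as an already-resolved dependency graph.
# The real analyzer's detection rules are not described on the page.
RESOLVED_GRAPH_FILES = {"poetry.lock", "Pipfile.lock", "uv.lock", "gradle.lockfile"}

@dataclass
class ScanPlan:
    mode: str                                   # "graph", "resolve" or "manifest"
    direct: list = field(default_factory=list)  # (coordinate, version spec) pairs
    transitive_visible: bool = False
    warnings: list = field(default_factory=list)

# name, optional [extras], optional version specifier; whitespace is removed
# beforehand and environment markers after ';' are ignored.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?([<>=!~]=?[^;#]*)?")

def parse_requirements(text: str) -> list:
    """Direct dependencies from a requirements.txt; comments and pip options skipped."""
    deps = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", "", raw.split("#", 1)[0])
        if not line or line.startswith("-"):    # -r, -e, --index-url, ...
            continue
        m = _REQ.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2) or ""))
    return deps

def parse_pom(text: str) -> list:
    """Direct dependencies from a pom.xml with simple ${property} versions resolved.
    Only the project's own <dependencies> count; <dependencyManagement> is skipped.
    Manifests are untrusted input: production code should use defusedxml here."""
    root = ET.fromstring(text)
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "m:" if ns else ""
    props = {e.tag.split("}")[-1]: (e.text or "").strip()
             for e in root.findall(f"{p}properties/*", ns)}
    deps = []
    for dep in root.findall(f"{p}dependencies/{p}dependency", ns):
        coord = ":".join(dep.findtext(f"{p}{t}", "", ns).strip()
                         for t in ("groupId", "artifactId"))
        ver = dep.findtext(f"{p}version", "", ns).strip()
        if ver.startswith("${") and ver.endswith("}"):
            ver = props.get(ver[2:-1], ver)     # unknown properties stay verbatim
        deps.append((coord, ver))
    return deps

MANIFEST_PARSERS = {"requirements.txt": parse_requirements, "pom.xml": parse_pom}

def plan_scan(files: dict, resolver_available: bool) -> ScanPlan:
    """Pick the scan mode for {file name: contents}. `resolver_available` stands in
    for whether the build tooling the analyzer would invoke can run in the job
    (an assumption of this model; the page does not say how that is detected)."""
    if set(files) & RESOLVED_GRAPH_FILES:
        return ScanPlan("graph", transitive_visible=True)
    if resolver_available:
        return ScanPlan("resolve", transitive_visible=True)
    plan = ScanPlan("manifest")
    for name, parser in MANIFEST_PARSERS.items():
        if name in files:
            plan.direct.extend(parser(files[name]))
    plan.warnings.append("manifest scan only: transitive dependencies are not visible")
    return plan

# Constructed sample manifests (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
-r base.txt
requests[security] >= 2.31, < 3   # extras plus a compound specifier
Django==4.2.7 ; python_version >= "3.8"
pyyaml~=6.0
urllib3
"""
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.17.2</jackson.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>managed-only</artifactId><version>1.0</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.14.0</version></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    fallback = plan_scan({"requirements.txt": SAMPLE_REQUIREMENTS, "pom.xml": SAMPLE_POM}, False)
    print(fallback.mode, fallback.direct, fallback.warnings)
```

Run stand-alone it prints the manifest-mode plan for the two constructed files: four Python and two Maven direct dependencies, the `dependencyManagement` entry correctly excluded, and the warning that transitive packages are invisible. In a pipeline the same distinction is what decides whether a finding list can be treated as complete or only as the "starting point" the notes describe.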