## Proposal 1. The container scanning analyzer will output a Cyclone-DX formatted SBOM artifact of all dependencies. This artifact will be produced by default and will be in addition to all other artifacts that are produced. 1. The artifact file name will match the `gl-sbom-*.cdx.json` pattern (as decided in https://gitlab.com/gitlab-org/gitlab/-/issues/360766#note_989603545) 1. ~~This artifact will be produced regardless of which scanner is used (it will work for both `trivy` and `grype`)~~ For the MVC we will only provide SBOM artifact generation capability for the Trivy based image. Due to a blocker this MVC won't be generating an artifact of type `report`. Still the Container Scanning job is capable of generating a standard artifact, it just doesn't get ingested in the rails backend.