Dependency Scanning: full scan on SBOM changes - GA
### Update 12/13/25

The scope of GA has expanded to include additional features. Future work is tracked at the new parent epic for this epic here: https://gitlab.com/groups/gitlab-org/-/work_items/20456.

### Problem to solve

Full Dependency Scanning scans on SBOM changes were enabled in %17.5 with https://gitlab.com/gitlab-org/gitlab/-/issues/395692. However, this only covered the default-branch workflow.

Currently, this full SBOM scan runs in addition to the existing CI-based security scanning, so that users are not affected by the existing feature-parity gap. To pursue our vision of replacing CI-based Dependency Scanning analysis with SBOM-based Dependency Scanning analysis, we need to expand it to cover all existing workflows and reach an acceptable level of parity.

This epic contains the work required to reach the GA (Generally Available) level: https://docs.gitlab.com/ee/policy/experiment-beta-support.html#generally-available-ga

### Proposal

These are high-level tasks to give an overview of the work to be done. The single source of truth (SSOT) will be the attached issues and epics.

### Requirements

As a reminder, please check the criteria for [Public Availability](https://docs.gitlab.com/policy/development_stages_support/#public-availability).

1. The Dependency Scanning CI job must provide security scan results upon its completion, while the pipeline is still running.
2. The provided enablement solution for DS using SBOM should use the new DS analyzer by default without additional configuration (AKA no opt-in approach). This applies to onboarding new customers or new projects only. Transitioning all existing customers will be addressed as a follow-up in https://gitlab.com/groups/gitlab-org/-/epics/15727.
3. The DS using SBOM feature should be usable with Scan Execution Policies and Pipeline Execution Policies.

**WIP**

- Should the new DS analyzer support the various [operating systems](https://docs.gitlab.com/runner/install/#supported-operating-systems) and [architectures](https://docs.gitlab.com/runner/install/#supported-architectures) supported by the GitLab Runner (e.g. amd64, arm64, Windows, etc.)?
- Should the new DS analyzer be FIPS compliant?

### Timeline

~~The delivery of Dependency Scanning using SBOM GA is currently planned for FY26Q2, which means the targeted milestone is 18.2.~~

Limited Availability was released in 18.5. General Availability: TBD.