Dependency list export API

Every call to this endpoint requires authentication.

Create a pipeline-level dependency list export

Version history

Create a new CycloneDX JSON export for all the project dependencies detected in a pipeline.

If an authenticated user does not have permission to read_dependency, this request returns a 403 Forbidden status code.

SBOM exports can be only accessed by the export’s author.

POST /pipelines/:id/dependency_list_exports
Attribute Type Required Description
id integer yes The ID of the pipeline which the authenticated user has access to.
export_type string yes This must be set to sbom.
curl --request POST --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/pipelines/1/dependency_list_exports" --data "export_type=sbom"

The created dependency list export is automatically deleted after 1 hour.

Example response:

{
  "id": 2,
  "has_finished": false,
  "self": "http://gitlab.example.com/api/v4/dependency_list_exports/2",
  "download": "http://gitlab.example.com/api/v4/dependency_list_exports/2/download"
}

Get single dependency list export

Get a single dependency list export.

GET /dependency_list_exports/:id
Attribute Type Required Description
id integer yes The ID of the dependency list export.
curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/dependency_list_exports/2"

The status code is 202 Accepted when the dependency list export is being generated, and 200 OK when it’s ready.

Example response:

{
  "id": 4,
  "has_finished": true,
  "self": "http://gitlab.example.com/api/v4/dependency_list_exports/4",
  "download": "http://gitlab.example.com/api/v4/dependency_list_exports/4/download"
}

Download dependency list export

Download a single dependency list export.

GET /dependency_list_exports/:id/download
Attribute Type Required Description
id integer yes The ID of the dependency list export.
curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/dependency_list_exports/2/download"

The response is 404 Not Found if the dependency list export is not finished yet or was not found.

Example response:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:aec33827-20ae-40d0-ae83-18ee846364d2",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "Gitlab",
        "name": "Gemnasium",
        "version": "2.34.0"
      }
    ],
    "authors": [
      {
        "name": "Gitlab",
        "email": "support@gitlab.com"
      }
    ],
    "properties": [
      {
        "name": "gitlab:dependency_scanning:input_file",
        "value": "package-lock.json"
      }
    ]
  },
  "components": [
    {
      "name": "com.fasterxml.jackson.core/jackson-core",
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.2",
      "version": "2.9.2",
      "type": "library",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "url": "https://spdx.org/licenses/MIT.html"
          }
        },
        {
          "license": {
            "id": "BSD-3-Clause",
            "url": "https://spdx.org/licenses/BSD-3-Clause.html"
          }
        }
      ]
    }
  ]
}