GitLab 19.0 introduces SBOM-based dependency scanning as a generally available feature for Ultimate customers. Unlike the legacy Gemnasium analyzer, it inventories all direct and transitive dependencies using a CycloneDX SBOM, traces how vulnerable packages entered a project, and checks reachability for Java, JavaScript/TypeScript, and Python to help teams prioritize real exposure. It supports 24+ package ecosystems, integrates with merge requests and vulnerability dashboards, and can be enforced across hundreds of projects via security configuration profiles and scan execution policies without modifying individual CI files.
Table of contents
- How GitLab uncovers vulnerable dependencies
- What’s possible with SBOM-based dependency scanning
- See SBOM-based dependency scanning in action
- Supported languages and file formats
- Configure dependency scanning once, enforce it everywhere
- Get started today
- Read more about what's in GitLab 19.0