gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/api/dependency_list_export.md')
-rw-r--r--doc/api/dependency_list_export.md158
1 files changed, 158 insertions, 0 deletions
diff --git a/doc/api/dependency_list_export.md b/doc/api/dependency_list_export.md
new file mode 100644
index 00000000000..083f7a640fc
--- /dev/null
+++ b/doc/api/dependency_list_export.md
@@ -0,0 +1,158 @@
+---
+stage: Govern
+group: Threat Insights
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Dependency list export API **(ULTIMATE ALL)**
+
+Every call to this endpoint requires authentication.
+
+## Create a pipeline-level dependency list export **(EXPERIMENT)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333463) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `merge_sbom_api`. Enabled by default. This feature is an [Experiment](../policy/experiment-beta-support.md#experiment).
+
+FLAG:
+On self-managed GitLab, by default this feature is available.
+To hide the feature, an administrator can [disable the feature flag](../administration/feature_flags.md) named `merge_sbom_api`.
+On GitLab.com, this feature is available.
+
+WARNING:
+This feature is an [Experiment](../policy/experiment-beta-support.md#experiment)
+and subject to change without notice.
+
+Create a new CycloneDX JSON export for all the project dependencies detected in a pipeline.
+
+If an authenticated user doesn't have permission to
+[read_dependency](../user/permissions.md#custom-role-requirements),
+this request returns a `403 Forbidden` status code.
+
+SBOM exports can be only accessed by the export's author.
+
+```plaintext
+POST /pipelines/:id/dependency_list_exports
+```
+
+| Attribute | Type | Required | Description |
+| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer | yes | The ID of the pipeline which the authenticated user has access to. |
+| `export_type` | string | yes | This must be set to `sbom`. |
+
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/pipelines/1/dependency_list_exports" --data "export_type=sbom"
+```
+
+The created dependency list export is automatically deleted after 1 hour.
+
+Example response:
+
+```json
+{
+ "id": 2,
+ "has_finished": false,
+ "self": "http://gitlab.example.com/api/v4/dependency_list_exports/2",
+ "download": "http://gitlab.example.com/api/v4/dependency_list_exports/2/download"
+}
+```
+
+## Get single dependency list export
+
+Get a single dependency list export.
+
+```plaintext
+GET /security/dependency_list_exports/:id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer | yes | The ID of the dependency list export. |
+
+```shell
+curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/security/dependency_list_exports/2"
+```
+
+The status code is `202 Accepted` when the dependency list export is being generated, and `200 OK` when it's ready.
+
+Example response:
+
+```json
+{
+ "id": 4,
+ "has_finished": true,
+ "self": "http://gitlab.example.com/api/v4/dependency_list_exports/4",
+ "download": "http://gitlab.example.com/api/v4/dependency_list_exports/4/download"
+}
+```
+
+## Download dependency list export
+
+Download a single dependency list export.
+
+```plaintext
+GET /security/dependency_list_exports/:id/download
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id` | integer | yes | The ID of the dependency list export. |
+
+```shell
+curl --header "PRIVATE-TOKEN: <private_token>" "https://gitlab.example.com/api/v4/security/dependency_list_exports/2/download"
+```
+
+The response is `404 Not Found` if the dependency list export is not finished yet or was not found.
+
+Example response:
+
+```json
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "serialNumber": "urn:uuid:aec33827-20ae-40d0-ae83-18ee846364d2",
+ "version": 1,
+ "metadata": {
+ "tools": [
+ {
+ "vendor": "Gitlab",
+ "name": "Gemnasium",
+ "version": "2.34.0"
+ }
+ ],
+ "authors": [
+ {
+ "name": "Gitlab",
+ "email": "support@gitlab.com"
+ }
+ ],
+ "properties": [
+ {
+ "name": "gitlab:dependency_scanning:input_file",
+ "value": "package-lock.json"
+ }
+ ]
+ },
+ "components": [
+ {
+ "name": "com.fasterxml.jackson.core/jackson-core",
+ "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.2",
+ "version": "2.9.2",
+ "type": "library",
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT",
+ "url": "https://spdx.org/licenses/MIT.html"
+ }
+ },
+ {
+ "license": {
+ "id": "BSD-3-Clause",
+ "url": "https://spdx.org/licenses/BSD-3-Clause.html"
+ }
+ }
+ ]
+ }
+ ]
+}
+
+```
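Review bot: the `self` and `download` URLs in the two example responses (`http://gitlab.example.com/api/v4/dependency_list_exports/2` and `.../dependency_list_exports/4/download`) do not match the paths this same page documents for fetching and downloading an export, which are `GET /security/dependency_list_exports/:id` and `GET /security/dependency_list_exports/:id/download`; one of the two should be corrected so a reader who follows the returned links lands on the documented endpoint. Two smaller documentation points in the same hunk: the download section states that `404 Not Found` is returned both when the export "is not finished yet" and when it "was not found", so it would help to tell the reader to poll the status endpoint until `has_finished` is `true` (or the status changes from `202 Accepted` to `200 OK`, as the previous section describes) before attempting the download, since the download response alone cannot distinguish the two cases; and "SBOM exports can be only accessed by the export's author" reads more naturally as "SBOM exports can only be accessed by the export's author". Style: the final `json` fence has a stray blank line before the closing backticks, and the first attribute table's header separator row is much wider than its columns; both are worth tidying before merge.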