author: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-20 13:49:51 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-20 13:49:51 +0000
commit: 71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e (patch)
tree: 6a2d93ef3fb2d353bb7739e4b57e6541f51cdd71 /doc/user/compliance
parent: a7253423e3403b8c08f8a161e5937e1488f5f407 (diff)
download: gitlab-ce-71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e.tar.gz
Add latest changes from gitlab-org/gitlab@15-9-stable-ee (tag: v15.9.0-rc42)
Diffstat (limited to 'doc/user/compliance')
-rw-r--r--doc/user/compliance/compliance_report/index.md29
-rw-r--r--doc/user/compliance/img/denied_licenses_v15_3.png (renamed from doc/user/compliance/license_compliance/img/denied_licenses_v15_3.png)bin39570 -> 39570 bytes
-rw-r--r--doc/user/compliance/img/license-check_v13_4.png (renamed from doc/user/compliance/license_compliance/img/license-check_v13_4.png)bin25590 -> 25590 bytes
-rw-r--r--doc/user/compliance/img/license_approval_policy_v15_9.pngbin0 -> 33240 bytes
-rw-r--r--doc/user/compliance/img/license_list_v13_0.png (renamed from doc/user/compliance/license_compliance/img/license_list_v13_0.png)bin29652 -> 29652 bytes
-rw-r--r--doc/user/compliance/img/policies_maintainer_add_v14_3.png (renamed from doc/user/compliance/license_compliance/img/policies_maintainer_add_v14_3.png)bin49418 -> 49418 bytes
-rw-r--r--doc/user/compliance/img/policies_maintainer_edit_v14_3.png (renamed from doc/user/compliance/license_compliance/img/policies_maintainer_edit_v14_3.png)bin26480 -> 26480 bytes
-rw-r--r--doc/user/compliance/img/policies_v13_0.png (renamed from doc/user/compliance/license_compliance/img/policies_v13_0.png)bin22618 -> 22618 bytes
-rw-r--r--doc/user/compliance/license_approval_policies.md58
-rw-r--r--doc/user/compliance/license_check_rules.md84
-rw-r--r--doc/user/compliance/license_compliance/img/license_compliance_v13_0.pngbin31922 -> 0 bytes
-rw-r--r--doc/user/compliance/license_compliance/index.md134
-rw-r--r--doc/user/compliance/license_list.md35
-rw-r--r--doc/user/compliance/license_scanning_of_cyclonedx_files/index.md123
14 files changed, 342 insertions, 121 deletions
diff --git a/doc/user/compliance/compliance_report/index.md b/doc/user/compliance/compliance_report/index.md
index 0d33dfce30b..04609026793 100644
--- a/doc/user/compliance/compliance_report/index.md
+++ b/doc/user/compliance/compliance_report/index.md
@@ -55,9 +55,9 @@ The following is a list of violations that are either:
| Violation | Severity level | Category | Description | Availability |
|:-------------------------------------|:----------------|:---------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------|
-| Author approved merge request | High | [Separation of duties](#separation-of-duties) | The author of the merge request approved their own merge request. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
-| Committers approved merge request | High | [Separation of duties](#separation-of-duties) | The committers of the merge request approved the merge request they contributed to. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
-| Fewer than two approvals | High | [Separation of duties](#separation-of-duties) | The merge request was merged with fewer than two approvals. [Learn more](../../project/merge_requests/approvals/rules.md). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
+| Author approved merge request | High | [Separation of duties](#separation-of-duties) | The author of the merge request approved their own merge request. For more information, see [Prevent approval by author](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
+| Committers approved merge request | High | [Separation of duties](#separation-of-duties) | The committers of the merge request approved the merge request they contributed to. For more information, see [Prevent approvals by users who add commits](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
+| Fewer than two approvals | High | [Separation of duties](#separation-of-duties) | The merge request was merged with fewer than two approvals. For more information, see [Merge request approval rules](../../project/merge_requests/approvals/rules.md). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Pipeline failed | Medium | [Pipeline results](../../../ci/pipelines/index.md) | The merge requests pipeline failed and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Pipeline passed with warnings | Info | [Pipeline results](../../../ci/pipelines/index.md) | The merge request pipeline passed with warnings and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down more than 10% | High | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of more than 10%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
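Review bot: the unchanged "Pipeline failed" context row still reads "The merge requests pipeline failed and was merged", a grammatical slip that should be "The merge request pipeline failed ..." to match the "Pipeline passed with warnings" row; since this hunk is already reworking description cells in this table, it is the natural place to fix it. The three rewritten rows are consistent with each other, and the "For more information, see ..." form is an improvement over the bare "Learn more" links, but the cells now overrun the `|:---|` separator row by a wide margin, which is harmless to rendering but worth re-aligning so the source table stays readable.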
@@ -95,12 +95,35 @@ Our criteria for the separation of duties is as follows:
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213364) in GitLab 13.3.
> - Chain of Custody reports sent using email [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/342594) in GitLab 15.3 with a flag named `async_chain_of_custody_report`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/370100) in GitLab 15.5. Feature flag `async_chain_of_custody_report` removed.
+> - Chain of Custody report includes all commits (instead of just merge commits) [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267601) in GitLab 15.9 with a flag named `all_commits_compliance_report`. Disabled by default.
+
+FLAG:
+On self-managed GitLab, by default the Chain of Custody report only contains information on merge commits. To make the report contain information on all commits to projects within a group, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `all_commits_compliance_report`. On GitLab.com, this feature is not available.
The Chain of Custody report allows customers to export a list of merge commits within the group.
The data provides a comprehensive view with respect to merge commits. It includes the merge commit SHA,
merge request author, merge request ID, merge user, date merged, pipeline ID, group name, project name, and merge request approvers.
Depending on the merge strategy, the merge commit SHA can be a merge commit, squash commit, or a diff head commit.
+With the `all_commits_compliance_report` flag enabled, the Chain of Custody report provides a 1 month trailing window of any commit into a project under the group.
+
+To generate the report for all commits, GitLab:
+
+1. Fetches all projects under the group.
+1. For each project, fetches the last 1 month of commits. Each project is capped at 1024 commits. If there are more than 1024 commits in the 1-month window, they
+ are truncated.
+1. Writes the commits to a CSV file. The file is truncated at 15 MB because the report is emailed as an attachment.
+
+The expanded report includes the commit SHA, commit author, committer, date committed, the group, and the project.
+If the commit has a related merge commit, then the following are also included:
+
+- Merge commit SHA.
+- Merge request ID.
+- User who merged the merge request.
+- Merge date.
+- Pipeline ID.
+- Merge request approvers.
+
To generate the Chain of Custody report:
1. On the top bar, select **Main menu > Groups** and find your group.
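Review bot: the new steps name two silent truncation points (1024 commits per project within the 1-month window, and a 15 MB cap on the CSV) but never say how a reader can tell that truncation occurred. For a chain-of-custody artifact that is a material gap: an auditor reading a complete-looking CSV would assume every commit is present. Suggest documenting whether the report or the email carries a truncation marker, and if it does not, stating plainly that groups whose projects exceed 1024 commits in a month, or whose report exceeds 15 MB, must not treat the export as complete. Minor: the paragraph says "1 month trailing window" while the steps say "last 1 month"; pick one phrasing, and "1-month window" with the hyphen is the form used in the step itself.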
diff --git a/doc/user/compliance/license_compliance/img/denied_licenses_v15_3.png b/doc/user/compliance/img/denied_licenses_v15_3.png
index 4ed84047133..4ed84047133 100644
--- a/doc/user/compliance/license_compliance/img/denied_licenses_v15_3.png
+++ b/doc/user/compliance/img/denied_licenses_v15_3.png
Binary files differ
diff --git a/doc/user/compliance/license_compliance/img/license-check_v13_4.png b/doc/user/compliance/img/license-check_v13_4.png
index bc80f938395..bc80f938395 100644
--- a/doc/user/compliance/license_compliance/img/license-check_v13_4.png
+++ b/doc/user/compliance/img/license-check_v13_4.png
Binary files differ
diff --git a/doc/user/compliance/img/license_approval_policy_v15_9.png b/doc/user/compliance/img/license_approval_policy_v15_9.png
new file mode 100644
index 00000000000..43b1f89a07c
--- /dev/null
+++ b/doc/user/compliance/img/license_approval_policy_v15_9.png
Binary files differ
diff --git a/doc/user/compliance/license_compliance/img/license_list_v13_0.png b/doc/user/compliance/img/license_list_v13_0.png
index 3c15d4fc99a..3c15d4fc99a 100644
--- a/doc/user/compliance/license_compliance/img/license_list_v13_0.png
+++ b/doc/user/compliance/img/license_list_v13_0.png
Binary files differ
diff --git a/doc/user/compliance/license_compliance/img/policies_maintainer_add_v14_3.png b/doc/user/compliance/img/policies_maintainer_add_v14_3.png
index 7a27899f8c9..7a27899f8c9 100644
--- a/doc/user/compliance/license_compliance/img/policies_maintainer_add_v14_3.png
+++ b/doc/user/compliance/img/policies_maintainer_add_v14_3.png
Binary files differ
diff --git a/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v14_3.png b/doc/user/compliance/img/policies_maintainer_edit_v14_3.png
index 256c66bf7d8..256c66bf7d8 100644
--- a/doc/user/compliance/license_compliance/img/policies_maintainer_edit_v14_3.png
+++ b/doc/user/compliance/img/policies_maintainer_edit_v14_3.png
Binary files differ
diff --git a/doc/user/compliance/license_compliance/img/policies_v13_0.png b/doc/user/compliance/img/policies_v13_0.png
index 4918a0e6b62..4918a0e6b62 100644
--- a/doc/user/compliance/license_compliance/img/policies_v13_0.png
+++ b/doc/user/compliance/img/policies_v13_0.png
Binary files differ
diff --git a/doc/user/compliance/license_approval_policies.md b/doc/user/compliance/license_approval_policies.md
new file mode 100644
index 00000000000..32c90a1d317
--- /dev/null
+++ b/doc/user/compliance/license_approval_policies.md
@@ -0,0 +1,58 @@
+---
+type: reference, howto
+stage: Govern
+group: Security Policies
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License Approval Policies **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8092) in GitLab 15.9 [with a flag](../../administration/feature_flags.md) named `license_scanning_policies`. Disabled by default.
+
+License Approval Policies allow you to specify multiple types of criteria that define when approval is required before a merge request can be merged in.
+
+## Create a new license approval policy
+
+Create a license approval policy to enforce license compliance.
+
+To create a license approval policy:
+
+1. [Link a security policy project](../application_security/policies/index.md#managing-the-linked-security-policy-project) to your development group, subgroup, or project (the Owner role is required).
+1. On the top bar, select **Main menu > Projects** and find your project.
+1. On the left sidebar, select **Security & Compliance > Policies**.
+1. Create a new [Scan Result Policy](../application_security/policies/scan-result-policies.md).
+1. In your policy rule, select **License scanning**.
+
+## Criteria defining which licenses require approval
+
+The following types of criteria can be used to determine which licenses are "approved" or "denied" and require approval.
+
+- When any license in a list of explicitly prohibited licenses is detected.
+- When any license is detected except for licenses that have been explicitly listed as acceptable.
+
+## Criteria comparing licenses detected in the merge request branch to licenses detected in the default branch
+
+The following types of criteria can be used to determine whether or not approval is required based on the licenses that exist in the default branch:
+
+- Denied licenses can be configured to only require approval if the denied license is part of a dependency that does not already exist in the default branch.
+- Denied licenses can be configured to require approval if the denied license exists in any component that already exists in the default branch.
+
+![License approval policy](img/license_approval_policy_v15_9.png)
+
+If a license is found that violates the license approval policy, it blocks the merge request and instructs the developer to remove it. Note, the merge request is not able to be merged until the `denied` license is removed unless an eligible approver for the License Approval Policy approves the merge request.
+
+![Merge request with denied licenses](img/denied_licenses_v15_3.png)
+
+## Troubleshooting
+
+### The License Compliance widget is stuck in a loading state
+
+A loading spinner is displayed in the following scenarios:
+
+- While the pipeline is in progress.
+- If the pipeline is complete, but still parsing the results in the background.
+- If the license scanning job is complete, but the pipeline is still running.
+
+The License Compliance widget polls every few seconds for updated results. When the pipeline is complete, the first poll after pipeline completion triggers the parsing of the results. This can take a few seconds depending on the size of the generated report.
+
+The final state is when a successful pipeline run has been completed, parsed, and the licenses displayed in the widget.
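Review bot: the version note says the feature ships behind `license_scanning_policies`, disabled by default, but the page carries no `FLAG:` admonition telling administrators how to enable it or whether it is available on GitLab.com; the other new and changed pages in this commit use that block, and it should be added here for consistency. Two wording points: in "Criteria comparing licenses detected in the merge request branch ..." the two bullets are hard to tell apart because both begin "Denied licenses can be configured to ... require approval"; state the distinction directly, for example "only for dependencies newly introduced by the merge request" versus "for any dependency, including ones already present in the default branch". And "Note, the merge request is not able to be merged until the `denied` license is removed unless an eligible approver ... approves the merge request" reads better as "The merge request cannot be merged until the `denied` license is removed, unless an eligible approver for the policy approves it."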
diff --git a/doc/user/compliance/license_check_rules.md b/doc/user/compliance/license_check_rules.md
new file mode 100644
index 00000000000..968cf49ffdf
--- /dev/null
+++ b/doc/user/compliance/license_check_rules.md
@@ -0,0 +1,84 @@
+---
+type: reference, howto
+stage: Govern
+group: Security Policies
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License Check Policies (DEPRECATED) **(ULTIMATE)**
+
+> [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/390417) in GitLab 15.9.
+
+WARNING:
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/390417) in GitLab 15.9. Users should migrate over to use [License Approval Policies](license_approval_policies.md) prior to GitLab 16.0.
+
+License check policies allow you to specify licenses that are `allowed` or `denied` in a project. If a `denied`
+license is newly committed it blocks the merge request and instructs the developer to remove it.
+Note, the merge request is not able to be merged until the `denied` license is removed.
+You may add a [`License-Check` approval rule](#enabling-license-approvals-within-a-project),
+which enables a designated approver that can approve and then merge a merge request with `denied` license.
+
+These policies can be configured by using the [Managed Licenses API](../../api/managed_licenses.md).
+
+![Merge request with denied licenses](img/denied_licenses_v15_3.png)
+
+The **Policies** tab in the project's license compliance section displays your project's license
+policies. Project maintainers can specify policies in this section.
+
+![Edit Policy](img/policies_maintainer_edit_v14_3.png)
+
+![Add Policy](img/policies_maintainer_add_v14_3.png)
+
+Developers of the project can view the policies configured in a project.
+
+![View Policies](img/policies_v13_0.png)
+
+## Enabling License Approvals within a project
+
+Prerequisites:
+
+- Maintainer or Owner role.
+
+`License-Check` is a [merge request approval](../project/merge_requests/approvals/index.md) rule
+you can enable to allow an individual or group to approve a merge request that contains a `denied`
+license.
+
+You can enable `License-Check` one of two ways:
+
+1. On the top bar, select **Main menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > General**.
+1. Expand **Merge request approvals**.
+1. Select **Enable** or **Edit**.
+1. Add or change the **Rule name** to `License-Check` (case sensitive).
+
+![License Check Approver Rule](img/license-check_v13_4.png)
+
+- Create an approval group in the [project policies section for License Compliance](license_check_rules.md#license-check-policies-deprecated).
+ You must set this approval group's number of approvals required to greater than zero. After you
+ enable this group in your project, the approval rule is enabled for all merge requests.
+
+Any code changes cause the approvals required to reset.
+
+An approval is required when a license report:
+
+- Contains a dependency that includes a software license that is `denied`.
+- Is not generated during pipeline execution.
+
+An approval is optional when a license report:
+
+- Contains no software license violations.
+- Contains only new licenses that are `allowed` or unknown.
+
+## Troubleshooting
+
+### The License Compliance widget is stuck in a loading state
+
+A loading spinner is displayed in the following scenarios:
+
+- While the pipeline is in progress.
+- If the pipeline is complete, but still parsing the results in the background.
+- If the license scanning job is complete, but the pipeline is still running.
+
+The License Compliance widget polls every few seconds for updated results. When the pipeline is complete, the first poll after pipeline completion triggers the parsing of the results. This can take a few seconds depending on the size of the generated report.
+
+The final state is when a successful pipeline run has been completed, parsed, and the licenses displayed in the widget.
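Review bot: the link in "Create an approval group in the [project policies section for License Compliance](license_check_rules.md#license-check-policies-deprecated)" points at this page's own H1 anchor, so following it only scrolls to the top; either drop the link or point it at the paragraph describing the **Policies** tab on this page. Two further points: the content relocated here from `license_compliance/index.md` loses its version history (the "Introduced in GitLab 12.9" line for policies and "Introduced in GitLab 12.3" for `License-Check` that the removal hunk in that file deletes), which is normally kept when content moves; and "You can enable `License-Check` one of two ways:" is followed by a numbered procedure and then a lone bullet, so the second route is easy to miss. A sub-heading or an "Alternatively," lead-in for the approval-group route would make the two options visible.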
diff --git a/doc/user/compliance/license_compliance/img/license_compliance_v13_0.png b/doc/user/compliance/license_compliance/img/license_compliance_v13_0.png
deleted file mode 100644
index 20ed30a21e7..00000000000
--- a/doc/user/compliance/license_compliance/img/license_compliance_v13_0.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md
index cf9fac6b25d..43e88e89c18 100644
--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -5,9 +5,13 @@ group: Composition Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# License compliance **(ULTIMATE)**
+# License compliance (DEPRECATED) **(ULTIMATE)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5483) in GitLab 11.0.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5483) in GitLab 11.0.
+> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/387561) in GitLab 15.9.
+
+WARNING:
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/387561) in GitLab 15.9. Users should migrate over to use the [new method of license scanning](../license_scanning_of_cyclonedx_files/index.md) prior to GitLab 16.0.
If you're using [GitLab CI/CD](../../../ci/index.md), you can use License Compliance to search your
project's dependencies for their licenses. You can then decide whether to allow or deny the use of
@@ -21,12 +25,17 @@ For the job to activate, License Finder needs to find a compatible package defin
GitLab checks the License Compliance report, compares the
licenses between the source and target branches, and shows the information right on the merge
request. Denied licenses are indicated by a `x` red icon next to them as well as new licenses that
-need a decision from you. In addition, you can [manually allow or deny](#policies) licenses in your
+need a decision from you. In addition, you can [manually allow or deny](../license_check_rules.md) licenses in your
project's license compliance policy section. If a denied license is detected in a new commit,
GitLab blocks any merge requests containing that commit and instructs the developer to remove the
license.
NOTE:
+Starting with GitLab 15.9, License Compliance can detect the licenses in use
+[using Dependency Scanning CI jobs](../license_scanning_of_cyclonedx_files/index.md)
+instead of the License Scanning ones.
+
+NOTE:
If the license compliance report doesn't have anything to compare to, no information
is displayed in the merge request area. That is the case when you add the
`license_scanning` job in your `.gitlab-ci.yml` for the first time.
@@ -40,23 +49,11 @@ that you can later download and analyze.
WARNING:
License Compliance Scanning does not support run-time installation of compilers and interpreters.
-![License Compliance Widget](img/license_compliance_v13_0.png)
-
-You can select a license to see more information.
-
-When GitLab detects a **Denied** license, you can view it in the [license list](#license-list).
-
-![License List](img/license_list_v13_0.png)
-
-You can view and modify existing policies from the [policies](#policies) tab.
-
-![Edit Policy](img/policies_maintainer_edit_v14_3.png)
-
## License expressions
-GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/SPDX-license-expressions/).
+GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/).
License compliance can read multiple licenses, but always considers them combined using the `AND` operator. For example,
-if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](#policies),
+if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](../license_check_rules.md),
GitLab evaluates the composite license as _denied_, as this is the safer option.
The ability to support other license expression operators (like `OR`, `WITH`) is tracked
in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6571).
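Review bot: the composite-licenses link now pins `spdx-spec/v2-draft/SPDX-license-expressions/`; a `v2-draft` path is a moving target by definition and is likely to break again when the draft is renamed or published. Prefer a released, versioned URL for the license-expression annex if one exists, and otherwise leave a source comment explaining why the draft path was chosen so the next person does not "fix" it back. Nit in the unchanged context: "indicated by a `x` red icon" should read "indicated by a red `x` icon".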
@@ -696,117 +693,18 @@ Additional configuration may be needed for connecting to private registries for:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/212388) in GitLab 13.3.
-Prior to GitLab 13.3, offline environments required an exact name match for [project policies](#policies).
-In GitLab 13.3 and later, GitLab matches the name of [project policies](#policies)
+Prior to GitLab 13.3, offline environments required an exact name match for [project policies](../license_check_rules.md).
+In GitLab 13.3 and later, GitLab matches the name of [project policies](../license_check_rules.md)
with identifiers from the [SPDX license list](https://spdx.org/licenses/).
A local copy of the SPDX license list is distributed with the GitLab instance. If needed, the GitLab
instance's administrator can manually update it with a [Rake task](../../../raketasks/spdx.md).
-## License list
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13582) in GitLab 12.7.
-
-The License list allows you to see your project's licenses and key
-details about them.
-
-For the licenses to appear under the license list, the following
-requirements must be met:
-
-1. The License Compliance CI/CD job must be [enabled](#enable-license-compliance) for your project.
-1. Your project must use at least one of the
- [supported languages and package managers](#supported-languages-and-package-managers).
-
-When everything is configured, on the left sidebar, select **Security & Compliance > License Compliance**.
-
-The licenses are displayed, where:
-
-- **Name:** The name of the license.
-- **Component:** The components which have this license.
-- **Policy Violation:** The license has a [license policy](#policies) marked as **Deny**.
-
-![License List](img/license_list_v13_0.png)
-
-## Policies
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/22465) in GitLab 12.9.
-
-Policies allow you to specify licenses that are `allowed` or `denied` in a project. If a `denied`
-license is newly committed it blocks the merge request and instructs the developer to remove it.
-Note, the merge request is not able to be merged until the `denied` license is removed.
-You may add a [`License-Check` approval rule](#enabling-license-approvals-within-a-project),
-which enables a designated approver that can approve and then merge a merge request with `denied` license.
-
-These policies can be configured by using the [Managed Licenses API](../../../api/managed_licenses.md).
-
-![Merge request with denied licenses](img/denied_licenses_v15_3.png)
-
-The **Policies** tab in the project's license compliance section displays your project's license
-policies. Project maintainers can specify policies in this section.
-
-![Edit Policy](img/policies_maintainer_edit_v14_3.png)
-
-![Add Policy](img/policies_maintainer_add_v14_3.png)
-
-Developers of the project can view the policies configured in a project.
-
-![View Policies](img/policies_v13_0.png)
-
-## Enabling License Approvals within a project
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13067) in GitLab 12.3.
-
-Prerequisites:
-
-- Maintainer or Owner role.
-
-`License-Check` is a [merge request approval](../../project/merge_requests/approvals/index.md) rule
-you can enable to allow an individual or group to approve a merge request that contains a `denied`
-license.
-
-You can enable `License-Check` one of two ways:
-
-1. On the top bar, select **Main menu > Projects** and find your project.
-1. On the left sidebar, select **Settings > General**.
-1. Expand **Merge request approvals**.
-1. Select **Enable** or **Edit**.
-1. Add or change the **Rule name** to `License-Check` (case sensitive).
-
-![License Check Approver Rule](img/license-check_v13_4.png)
-
-- Create an approval group in the [project policies section for License Compliance](#policies).
- You must set this approval group's number of approvals required to greater than zero. Once you
- enable this group in your project, the approval rule is enabled for all merge requests.
-
-Any code changes cause the approvals required to reset.
-
-An approval is required when a license report:
-
-- Contains a dependency that includes a software license that is `denied`.
-- Is not generated during pipeline execution.
-
-An approval is optional when a license report:
-
-- Contains no software license violations.
-- Contains only new licenses that are `allowed` or unknown.
-
## Warnings
We recommend that you use the most recent version of all containers, and the most recent supported version of all package managers and languages. Using previous versions carries an increased security risk because unsupported versions may no longer benefit from active security reporting and backporting of security fixes.
## Troubleshooting
-### The License Compliance widget is stuck in a loading state
-
-A loading spinner is displayed in the following scenarios:
-
-- While the pipeline is in progress.
-- If the pipeline is complete, but still parsing the results in the background.
-- If the license scanning job is complete, but the pipeline is still running.
-
-The License Compliance widget polls every few seconds for updated results. When the pipeline is complete, the first poll after pipeline completion triggers the parsing of the results. This can take a few seconds depending on the size of the generated report.
-
-The final state is when a successful pipeline run has been completed, parsed, and the licenses displayed in the widget.
-
### ASDF_PYTHON_VERSION does not automatically install the version
Defining a non-latest Python version in ASDF_PYTHON_VERSION [doesn't have it automatically installed](https://gitlab.com/gitlab-org/gitlab/-/issues/325604). If your project requires a non-latest version of Python:
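Review bot: this hunk removes the `## License list`, `## Policies`, `## Enabling License Approvals within a project` and "widget is stuck in a loading state" sections, which deletes the `#license-list`, `#policies`, `#enabling-license-approvals-within-a-project` and `#the-license-compliance-widget-is-stuck-in-a-loading-state` anchors from this page. The in-file `#policies` links are rewritten to `../license_check_rules.md`, but nothing in the diff updates other pages or adds redirect entries for those fragments, so a repo-wide search for links to these anchors is needed before merge or the docs link checker will report dead fragments. Also worth confirming: the image files this file used to reference are renamed into `doc/user/compliance/img/` in this commit, so any `img/...` reference left in this file after the removals would be stale; the deletions here appear to cover all of them, but a grep for `img/` in the resulting file is cheap.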
diff --git a/doc/user/compliance/license_list.md b/doc/user/compliance/license_list.md
new file mode 100644
index 00000000000..7f55ba50c5b
--- /dev/null
+++ b/doc/user/compliance/license_list.md
@@ -0,0 +1,35 @@
+---
+type: reference, howto
+stage: Govern
+group: Threat Insights
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License list **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13582) in GitLab 12.7.
+
+The License list allows you to see your project's licenses and key
+details about them.
+
+For the licenses to appear under the license list, the following
+requirements must be met:
+
+1. You must be generating an SBOM file with components from one of our [one of our supported languages](license_scanning_of_cyclonedx_files/index.md#supported-languages-and-package-managers).
+1. If using our [`Dependency-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml) to generate the SBOM file, then your project must use at least one of the [supported languages and package managers](license_compliance/index.md#supported-languages-and-package-managers).
+
+Alternatively, licenses will also appear under the license list when using our deprecated [`License-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml) as long as the following requirements are met:
+
+1. The License Compliance CI/CD job must be [enabled](license_compliance/index.md#enable-license-compliance) for your project.
+1. Your project must use at least one of the
+ [supported languages and package managers](license_compliance/index.md#supported-languages-and-package-managers).
+
+When everything is configured, on the left sidebar, select **Security & Compliance > License Compliance**.
+
+The licenses are displayed, where:
+
+- **Name:** The name of the license.
+- **Component:** The components which have this license.
+- **Policy Violation:** The license has a [license policy](license_approval_policies.md) marked as **Deny**.
+
+![License List](img/license_list_v13_0.png)
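Review bot: in the second requirement the link text says `Dependency-Scanning.gitlab-ci.yml` but the URL points to `lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml`, the same file the "deprecated" paragraph below links to; one of the two is wrong, and from context the URL should be the Dependency Scanning template. The first requirement reads "with components from one of our [one of our supported languages]", duplicating "one of our". The two requirement lists also link to different "supported languages and package managers" sections (the CycloneDX page in the first list, the deprecated `license_compliance/index.md` in the second), which leaves the reader unsure which list governs the SBOM route; point both SBOM-related items at the CycloneDX page. Finally, "licenses will also appear" should be present tense per the docs style ("licenses also appear").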
diff --git a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
new file mode 100644
index 00000000000..483c15d648c
--- /dev/null
+++ b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
@@ -0,0 +1,123 @@
+---
+type: reference, howto
+stage: Secure
+group: Composition Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License scanning of CycloneDX files **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384932) in GitLab 15.9 [with two flags](../../../administration/feature_flags.md) named `license_scanning_sbom_scanner` and `package_metadata_synchronization`. Both flags are disabled by default and both flags must be enabled for this feature to work.
+
+FLAG:
+On self-managed GitLab, this feature is not available.
+
+To detect the licenses in use, License Compliance relies on running the
+[Dependency Scanning CI Jobs](../../application_security/dependency_scanning/index.md),
+and analyzing the [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) generated by those jobs.
+Other 3rd party scanners may also be used as long as they produce a CycloneDX file with a list of dependencies for [one of our supported languages](#supported-languages-and-package-managers).
+This method of scanning is also capable of parsing and identifying over 500 different types of licenses
+and can extract license information from packages that are dual-licensed or have multiple different licenses that apply.
+
+To enable license detection using Dependency Scanning in a project,
+include the `Jobs/Dependency-Scanning.yml` template in its CI configuration,
+but do not include the `Jobs/License-Scanning.yml` template.
+
+## Requirements
+
+The license scanning requirements are the same as those for [Dependency Scanning](../../application_security/dependency_scanning/index.md#requirements).
+
+## Supported languages and package managers
+
+License scanning is supported for the following languages and package managers:
+
+<!-- markdownlint-disable MD044 -->
+<table class="supported-languages">
+ <thead>
+ <tr>
+ <th>Language</th>
+ <th>Package Manager</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>.NET</td>
+ <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
+ </tr>
+ <tr>
+ <td>C#</td>
+ </tr>
+ <tr>
+ <td>C</td>
+ <td rowspan="2"><a href="https://conan.io/">Conan</a></td>
+ </tr>
+ <tr>
+ <td>C++</td>
+ </tr>
+ <tr>
+ <td>Go</td>
+ <td><a href="https://go.dev/">Go</a></td>
+ </tr>
+ <tr>
+ <td rowspan="2">Java</td>
+ <td><a href="https://gradle.org/">Gradle</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://maven.apache.org/">Maven</a></td>
+ </tr>
+ <tr>
+ <td rowspan="2">JavaScript and TypeScript</td>
+ <td><a href="https://www.npmjs.com/">npm</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td>
+ </tr>
+ <tr>
+ <td>PHP</td>
+ <td><a href="https://getcomposer.org/">Composer</a></td>
+ </tr>
+ <tr>
+ <td rowspan="4">Python</td>
+ <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://pip.pypa.io/en/stable/">pip</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://python-poetry.org/">Poetry</a></td>
+ </tr>
+ <tr>
+ <td>Ruby</td>
+ <td><a href="https://bundler.io/">Bundler</a></td>
+ </tr>
+ <tr>
+ <td>Scala</td>
+ <td><a href="https://www.scala-sbt.org/">sbt</a></td>
+ </tr>
+ </tbody>
+</table>
+<!-- markdownlint-disable MD044 -->
+
+The supported files and versions are the ones supported by
+[Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers).
+
+## Configuration
+
+To enable license scanning of CycloneDX files,
+you must configure [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration).
+
+## License expressions
+
+GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/).
+License compliance can read multiple licenses, but always considers them combined using the `AND` operator. For example,
+if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](../license_approval_policies.md),
+GitLab evaluates the composite license as _denied_, as this is the safer option.
+The ability to support other license expression operators (like `OR`, `WITH`) is tracked
+in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6571).
+
+## Blocking merge requests based on detected licenses
+
+Users can require approval for merge requests based on the licenses that are detected by configuring a [license approval policy](../license_approval_policies.md).
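Review bot: the version note says the feature is behind `license_scanning_sbom_scanner` and `package_metadata_synchronization`, both disabled by default, yet the `FLAG:` block only says "On self-managed GitLab, this feature is not available" and is silent on GitLab.com; that contradicts "disabled by default" by implying the flags cannot be enabled at all, and the standard wording is to say how an administrator enables the flags on self-managed and whether the feature is available on GitLab.com. Two further points: the closing `<!-- markdownlint-disable MD044 -->` after the table should be `<!-- markdownlint-enable MD044 -->`, otherwise the proper-names check stays disabled for the rest of the file; and the enablement paragraph refers to `Jobs/Dependency-Scanning.yml` and `Jobs/License-Scanning.yml`, whereas the templates carry the `.gitlab-ci.yml` suffix (the `Jobs/License-Scanning.gitlab-ci.yml` path linked from `license_list.md` in this same commit shows the real name), so an `include:` a reader copies from this page would not resolve. Nit: "Other 3rd party scanners" should be "Other third-party scanners".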