Consume and analyze SBOMs at high-velocity. Ideal for use with modern build pipelines.
Identify risk across all assets and applications. Quickly answer what is affected and where.
Full-stack component inventory. Optionally republish SBOMs to others in the supply chain.
Track usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects in the Dependency-Track portfolio. Get full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT.
Bring vulnerable components to light with support for multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, NPM Advisories, and VulnDB from Risk Based Security.
Security, operational, and license policies ensure that associated risk is quickly identified across development teams, suppliers, and partners in the supply chain.
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Identify known vulnerabilities in third-party and open source components from multiple sources of vulnerability intelligence
Measure and enforce security, operational, and license policy compliance for individual projects or the entire portfolio
Rapidly respond to identified vulnerabilities in projects affected by vulnerable components
Provides trending details of the inherited risk and policy violations for all projects and components in the portfolio
Quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail
Identifies components that are not the most recent version available, which indirectly affects project health and risk
Tracks usage of libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services.
Consumes, analyzes, and produces CycloneDX Software Bill of Materials (SBOM), an open source industry standard.
Native integration with multiple application risk platforms providing organizations a consolidated view of prioritized findings
Supports Single Sign On (SSO) via OpenID Connect (OIDC) and supports Active Directory and LDAP authentication
Well documented API-first design integrates easily with other systems providing endless possibilities
Send notifications to Slack, Microsoft Teams, outbound webhooks, and email, enabling new levels of collaboration and automation
CycloneDX Vulnerability Exploitability Exchange (VEX) communicates security risk to software consumers.
Community-driven project distributed under the Apache 2.0 license. Large and active community of contributors and adopters.
Docker Compose:

curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d

Docker Swarm:

curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack
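Once an instance is running, the usual next step is to feed it an SBOM from a build pipeline. The following is an added example (not code from the Dependency-Track project) that builds a minimal CycloneDX JSON SBOM for a constructed two-library inventory and wraps it in the JSON body the API server's SBOM upload endpoint accepts. The endpoint path (PUT /api/v1/bom), the field names (projectName, projectVersion, autoCreate, bom as base64), the X-Api-Key header and the default API port 8081 are assumptions drawn from the project's published API usage; verify them against your own instance's API documentation before relying on them.

```python
"""Build a minimal CycloneDX SBOM and prepare it for upload to Dependency-Track.

Added example, not part of the Dependency-Track project. The endpoint,
field names and default port are assumptions taken from the project's
published API usage; verify against your instance's API documentation.
"""
import base64
import json
import urllib.request

# Constructed sample inventory: (name, version, package URL). Not real scan output.
SAMPLE_COMPONENTS = [
    ("jackson-databind", "2.9.8",
     "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"),
    ("lodash", "4.17.20", "pkg:npm/lodash@4.17.20"),
]


def build_sbom(app_name, app_version, components):
    """Return a CycloneDX 1.4 JSON SBOM (as a dict) for an application and its libraries."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": [
            {"type": "library", "name": name, "version": version, "purl": purl}
            for name, version, purl in components
        ],
    }


def build_upload_payload(sbom, project_name, project_version, auto_create=True):
    """Wrap an SBOM in the JSON body assumed for PUT /api/v1/bom (bom is base64-encoded)."""
    encoded = base64.b64encode(json.dumps(sbom).encode("utf-8")).decode("ascii")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": encoded,
    }


def decode_payload_bom(payload):
    """Inverse of build_upload_payload; lets a pipeline verify exactly what will be sent."""
    return json.loads(base64.b64decode(payload["bom"]).decode("utf-8"))


def upload_sbom(payload, api_key, base_url="http://localhost:8081"):
    """PUT the payload to the API server; returns the parsed JSON response (a processing token)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    sbom = build_sbom("example-app", "1.0.0", SAMPLE_COMPONENTS)
    payload = build_upload_payload(sbom, "example-app", "1.0.0")
    key = os.environ.get("DT_API_KEY")  # assumed env var name; an API key from your instance
    if key:
        print(upload_sbom(payload, key))
    else:
        # No instance configured: show the body that would be sent instead.
        print(json.dumps(payload, indent=2))
```

Keep the API key out of the pipeline definition (inject it as a secret) and scope it to a team that holds only the BOM upload permission; the script never needs broader rights.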