Reduce Supply Chain Risk

Continuous SBOM Analysis Platform

Continuous Integration

Consume and analyze SBOMs at high-velocity. Ideal for use with modern build pipelines.

Continuous Insight

Identify risk across all assets and applications. Quickly answer what is affected and where.

Continuous Transparency

Full-stack component inventory. Optionally republish SBOMs to others in the supply chain.

Accurate and complete full-stack inventory

Track usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects in the Dependency-Track portfolio. Get full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT.

Identify and remediate vulnerable components

Bring vulnerable components to light with support for multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, NPM Advisories, and VulnDB from Risk Based Security.

Measure and enforce policy compliance

Security, operational, and license policies ensure that associated risk is quickly identified across development teams, suppliers, and partners in the supply chain

Platform Features

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Vulnerability Detection

Identify known vulnerabilities in third-party and opensource components from multiple sources of vulnerability intelligence

Policy Evaluation

Measure and enforce security, operational, and license policy compliance for individual projects or the entire portfolio

Impact Analysis

Rapidly respond to identified vulnerabilities for projects which are affected from vulnerable components

Time Series Metrics

Provides trending details of the inherited risk and policy violations for all projects and components in the portfolio

Auditing Workflow

Quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail

Outdated Version Detection

Identifies components that are not the most recent available which indirectly impact project health and risk

Full-Stack Inventory

Tracks usage of libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services.

Bill of Materials (BOM)

Consumes, analyzes, and produces CycloneDX Software Bill of Materials (SBOM), an open source industry standard.

Vulnerability Aggregation

Native integration with multiple application risk platforms providing organizations a consolidated view of prioritized findings

Enterprise Ready

Supports Single Sign On (SSO) via OpenID Connect (OIDC) and supports Active Directory and LDAP authentication

API and Integration

Well documented API-first design integrates easily with other systems providing endless possibilities


Send notifications to Slack, Microsoft Teams, outbound webhooks, and email, enabling new levels of collaboration and automation


CycloneDX Vulnerability Exploitability Exchange (VEX) communicates security risk to software consumers.

Open Source

Community-driven project distributed under the Apache 2.0 license Large and active community of contributors and adopters.


curl -LO
docker-compose up -d
curl -LO
docker swarm init
docker stack deploy -c docker-compose.yml dtrack