Consume and analyze SBOMs at high-velocity. Ideal for use with modern build pipelines.
Identify risk across all assets and applications. Quickly answer what is affected and where.
Full-stack component inventory. Optionally republish SBOMs to others in the supply chain.
Track usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects in the Dependency-Track portfolio. Get full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT.
Bring vulnerable components to light with support for multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, GitHub Advisories, Snyk, OSV, and VulnDB from Risk Based Security.
Security, operational, and license policies ensure that associated risk is quickly identified across development teams, suppliers, and partners in the supply chain
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Identify known vulnerabilities in third-party components via integration with the NVD, OSS Index, GitHub, Snyk, OSV, and VulnDB
Measure and enforce security, operational, and license policy compliance for individual projects or the entire portfolio
Rapidly respond to identified vulnerabilities for projects which are affected from vulnerable components
Prioritize mitigation by leveraging integrated support for the Exploit Prediction Scoring System (EPSS)
Quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail
Identifies components that are not the most recent available which indirectly impact project health and risk
Tracks usage of libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services
Consumes, analyzes, and produces CycloneDX Software Bill of Materials (SBOM), an OWASP and industry standard
Native integration with multiple application risk platforms providing organizations a consolidated view of prioritized findings
Produces CycloneDX Vulnerability Disclosure Reports (VDR) that exceed requirements defined in NIST SP 800-161
Produces and consumes CycloneDX Vulnerability Exploitability eXchange (VEX) exceeding CISA recommendations
Automates notifications to Slack, Microsoft Teams, Mattermost, Cisco WebEx, outbound webhooks, and email
Supports Single Sign On (SSO) via OpenID Connect (OIDC) and supports Active Directory and LDAP authentication
Well documented API-first design integrates easily with other systems providing endless possibilities
Provides trending details of the inherited risk and policy violations for all projects and components in the portfolio
Community-driven project distributed under the Apache 2.0 license Large and active community of contributors and adopters.
curl -LO https://dependencytrack.org/docker-compose.yml docker-compose up -d
curl -LO https://dependencytrack.org/docker-compose.yml docker swarm init docker stack deploy -c docker-compose.yml dtrack