
Deploy Dependency-Track 5.0

Free and open source under the Apache 2.0 license. Available now as container images from Docker Hub and the GitHub Container Registry.

Get started

Quickstart with Docker Compose

Spin up a full deployment with Docker Compose. Dependency-Track 5.0 ships as separate API server and frontend container images from Docker Hub and the GitHub Container Registry.

Upgrading from 4.x? v5 does not upgrade in place. Plan a maintenance window and follow the v4 to v5 migration guide.

curl -LO https://dependencytrack.org/docker-compose.yml
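docker compose up -d

Then open http://localhost:8081 and sign in with the default credentials admin / admin. Change the admin password before making the instance reachable from other hosts.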

Two images, one platform

v5 separates the backend and the web interface so each scales and updates independently.

API Server

The stateless backend. Run one or many behind a load balancer for high availability.

docker pull dependencytrack/apiserver

Frontend

The single-page web interface, served as static assets from its own container.

docker pull dependencytrack/frontend

System requirements

PostgreSQL

v5 standardizes on PostgreSQL. H2, MySQL, and SQL Server are no longer supported.

Container runtime

Docker or any OCI-compatible runtime. Kubernetes is fully supported with liveness and readiness probes.

Resources

Scale horizontally by adding stateless API server instances. Smaller deployments run comfortably on modest hardware.

Upgrading from 4.x

Plan a migration, not an in-place upgrade

v5 runs on its own PostgreSQL cluster and ingests v4 data through an offline, one-time migrator, so teams should plan a maintenance window. Existing 4.x deployments continue to receive security and high-severity fixes on the 4.14.x line for at least roughly six months after this release.

Headline breaking changes

  • PostgreSQL is the only supported database, replacing H2, MySQL, and Microsoft SQL Server.
  • Notification payloads move to Protobuf, so existing templates need updating.
  • The REST API enforces pagination by default and changes some response schemas.
  • The bundled container image and executable WAR are discontinued in favor of separate API server and frontend images.
  • Lucene-based fuzzy vulnerability matching is removed.

Built by a community of contributors and adopters

Dependency-Track is free and open source. Join the teams across more than 20,000 organizations who help shape the project.