SBOM Production
CycloneDX Software Bill of Materials created during CI/CD or acquired from suppliers
SBOM Ingestion
SBOMs published to Dependency-Track via REST, Jenkins plugin, or uploaded through web interface
SBOM Analysis
Analyzes components for security, operational, and license risk
Intelligence Streams
Produces real-time analysis and security events delivering actionable findings to external systems
Continuous Monitoring
Continuously analyzes portfolio for risk and policy compliance
Intelligent Response
Events delivered via webhooks or chat-ops and findings published to risk management and vulnerability aggregation platforms
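The REST ingestion path described above, as an added example (not code from the Dependency-Track project): it builds the JSON body that the API server's PUT /api/v1/bom endpoint expects, submits it with the X-Api-Key header, and polls the returned token until the server reports processing finished. The base URL and port 8081, the API key and the SBOM contents are assumptions or constructed values, not taken from this page.

```python
import base64
import json
import os
import time
import urllib.request

# Assumptions: the API server of the default Docker Compose deployment listens on 8081 and
# the key belongs to a team with BOM_UPLOAD (plus PROJECT_CREATION_UPLOAD for autoCreate).
DT_URL = os.environ.get("DT_URL", "http://localhost:8081")
DT_API_KEY = os.environ.get("DT_API_KEY", "REPLACE-WITH-API-KEY")  # placeholder

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM with a single component.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library", "group": "org.example", "name": "example-lib",
        "version": "1.0.0", "purl": "pkg:maven/org.example/example-lib@1.0.0",
    }],
}

def build_bom_request(bom, project_name, project_version, auto_create=True):
    """Body for PUT /api/v1/bom: the SBOM travels base64-encoded; autoCreate
    lets the server create the project on first upload instead of rejecting it."""
    raw = json.dumps(bom).encode("utf-8")
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": auto_create, "bom": base64.b64encode(raw).decode("ascii")}

def decode_bom_field(body):
    """Undo the encoding so a CI step can verify what it is about to send."""
    return json.loads(base64.b64decode(body["bom"]))

def _call(path, method="GET", body=None):
    data = json.dumps(body).encode("utf-8") if body is not None else None
    hdrs = {"X-Api-Key": DT_API_KEY, "Content-Type": "application/json"}
    req = urllib.request.Request(DT_URL + path, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def upload_and_wait(body, poll_seconds=2, timeout=300):
    """Submit the SBOM, then poll /api/v1/bom/token/{token} until the server
    reports processing finished, so later pipeline steps see analyzed data."""
    token = _call("/api/v1/bom", method="PUT", body=body)["token"]
    deadline = time.time() + timeout
    while _call(f"/api/v1/bom/token/{token}")["processing"]:
        if time.time() > deadline:
            raise TimeoutError(f"BOM {token} still processing after {timeout}s")
        time.sleep(poll_seconds)
    return token
```

A pipeline step would call `upload_and_wait(build_bom_request(SAMPLE_BOM, "demo-app", "1.0.0"))` after the build produces the real SBOM; the same base64-in-JSON body works for the Jenkins plugin's target endpoint.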
Continuous Integration
Consume and analyze SBOMs at high velocity. Ideal for use with modern build pipelines.
Continuous Insight
Identify risk across all assets and applications. Quickly answer what is affected and where.
Continuous Transparency
Full-stack component inventory. Optionally republish SBOMs to others in the supply chain.
Accurate and complete full-stack inventory
Track usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects in the Dependency-Track portfolio. Get full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT.
Platform Features
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Vulnerability Detection
Identify known vulnerabilities in third-party components via integration with the NVD, OSS Index, GitHub, Snyk, OSV, and VulnDB
Policy Evaluation
Measure and enforce security, operational, and license policy compliance for individual projects or the entire portfolio
Impact Analysis
Rapidly respond to identified vulnerabilities by finding the projects affected by vulnerable components
Exploit Prediction
Prioritize mitigation by leveraging integrated support for the Exploit Prediction Scoring System (EPSS)
Auditing Workflow
Quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail
Outdated Version Detection
Identifies components that are not the most recent available version, which indirectly impacts project health and risk
Full-Stack Inventory
Tracks usage of libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services
Bill of Materials (BOM)
Consumes, analyzes, and produces CycloneDX Software Bill of Materials (SBOM), an OWASP and industry standard
Vulnerability Aggregation
Native integration with multiple application risk platforms providing organizations a consolidated view of prioritized findings
NIST VDR
Produces CycloneDX Vulnerability Disclosure Reports (VDR) that exceed requirements defined in NIST SP 800-161
CISA VEX
Produces and consumes CycloneDX Vulnerability Exploitability eXchange (VEX) exceeding CISA recommendations
Notifications
Automates notifications to Slack, Microsoft Teams, Mattermost, Cisco WebEx, outbound webhooks, and email
Enterprise Ready
Supports Single Sign On (SSO) via OpenID Connect (OIDC) and supports Active Directory and LDAP authentication
API and Integration
Well documented API-first design integrates easily with other systems providing endless possibilities
Time Series Metrics
Provides trending details of the inherited risk and policy violations for all projects and components in the portfolio
Open Source
Community-driven project distributed under the Apache 2.0 license. Large and active community of contributors and adopters.
Installation
Docker Compose:
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d

Docker Swarm:
curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack