Software is a patchwork of third-party components, and keeping tabs on what’s running under the hood has become a challenge. The open-source platform Dependency-Track tackles that problem head-on. Rather than treating software composition as a one-time scan, it continuously monitors every version of every application, giving organizations a live view of risk across their entire portfolio.
By leaning on the power of Software Bills of Materials (SBOMs), it delivers insight and precision. Built with developers in mind, its API-first design fits into CI/CD workflows, making security a built-in part of the build process.
Dependency-Track features
Dependency-Track works seamlessly with CycloneDX, consuming and producing SBOM and VEX formats, ensuring compatibility with supply chain security standards. The platform supports every kind of component imaginable, from applications and libraries to operating systems, containers, firmware, and even hardware, tracking their use across an organization’s portfolio.
It doesn’t stop at finding known issues. It identifies outdated or modified components, flags license risks, and pulls in vulnerability data from multiple intelligence sources, including NVD, GitHub Advisories, Sonatype OSS Index, Snyk, Trivy, OSV, and VulnDB. By incorporating the Exploit Prediction Scoring System (EPSS), it helps security teams focus their efforts on the vulnerabilities most likely to be exploited.
The platform includes a policy engine to enforce global or per-project rules covering security, license, and operational compliance. It is ecosystem agnostic, supporting popular repositories such as Maven, NPM, PyPI, NuGet, Cargo, and more, while also detecting APIs and external service components to map data flows and trust boundaries.
Dependency-Track’s auditing workflow simplifies triage, and notifications can be tailored through Slack, Microsoft Teams, Jira, email, or webhooks. Metrics are presented clearly across projects and portfolios, and integrations with tools like Kenna Security, Fortify SSC, ThreadFix, and DefectDojo extend its reach into existing workflows.
With an API-first design, OpenAPI documentation, and support for OAuth 2.0, OpenID Connect, LDAP, and API keys, the platform is built for flexibility and scale.
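As an added example, not code from the article or from the Dependency-Track project: a Python snippet of the kind a CI job would run to build a minimal CycloneDX SBOM and the request for Dependency-Track's documented BOM upload endpoint (PUT /api/v1/bom, authenticated with the X-Api-Key header). The server URL, API key, project name and component entries are placeholders constructed for the example.

```python
import base64
import json
import uuid
from datetime import datetime, timezone


def build_cyclonedx_sbom(app_name, app_version, components):
    """Return a minimal CycloneDX 1.5 JSON SBOM (as a dict).

    components: list of (name, version, purl) tuples; the purl is what
    Dependency-Track uses to match a component against its vulnerability sources.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": p} for n, v, p in components
        ],
    }


def build_upload_request(base_url, api_key, project_name, project_version, sbom):
    """Return (url, headers, body) for PUT /api/v1/bom.

    The endpoint expects the BOM base64-encoded in the "bom" field; autoCreate
    lets the project be created on first upload so every build is tracked.
    """
    bom_b64 = base64.b64encode(json.dumps(sbom).encode()).decode()
    body = {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": bom_b64,
    }
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    return f"{base_url.rstrip('/')}/api/v1/bom", headers, body


def decode_bom(body):
    """Recover the SBOM from an upload body (useful for checking the payload in CI logs)."""
    return json.loads(base64.b64decode(body["bom"]))
```

Sending it is a single `urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")`; the API key should come from the CI secret store, never from the repository.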
Dependency-Track is available for free on GitHub.