Dependency-Track

Know exactly what is in your software.

Dependency-Track is the open source platform that over 20,000 organizations use to inventory components, find vulnerabilities, and enforce policy across the software supply chain.

Dependency-Track dashboard view (Portfolio Vulnerabilities, Projects at Risk, Vulnerable Components, Inherited Risk Score, Policy Violations, Auditing Progress)
  • 20,000+ organizations in production
  • 20,000+ SBOMs/hour in a single instance
  • 1M+ SBOMs in a single instance
  • 5B+ components tracked globally

Why Dependency-Track

One platform for your entire software supply chain

Built around the software bill of materials, it tracks every component in every version of every project, and surfaces risk the moment it emerges.

Inventory

Know what you ship.

Ingest CycloneDX SBOMs and track libraries, containers, operating systems, firmware, and services across every version of every project in your portfolio.

Analyze

See risk as it emerges.

Continuously match every component against multiple vulnerability sources, verify upstream integrity, and prioritize what matters with EPSS.

Govern

Enforce your standards.

Codify policy in an expression engine, auto-triage findings, break the build on a fail, and route alerts to everywhere your teams work.

How it works

Operationalize software bill of materials

A continuous pipeline from SBOM production to intelligent response, with no step left to chance.

  1. Produce

    CycloneDX SBOMs are generated during CI/CD or acquired from suppliers.

  2. Ingest

    SBOMs are published to Dependency-Track via the REST API, CI plugins, or the web interface.

  3. Analyze

    Components are evaluated for security, operational, and license risk against live intelligence.

  4. Monitor

    The entire portfolio is continuously re-analyzed as new vulnerabilities and policy changes land.

  5. Respond

    Actionable findings flow to the tools teams already use through webhooks, chat-ops, and email.

Accurate, complete, full-stack inventory

Track libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services across every project. Full-stack traceability for the cloud, the enterprise, smart devices, and IoT.

Dependency-Track component inventory view

Identify and remediate vulnerable components

Bring vulnerable components to light with multiple sources of vulnerability intelligence, including the NVD, Sonatype OSS Index, GitHub Advisories, Snyk, and OSV.

Dependency-Track vulnerability findings view

Measure and enforce policy compliance

Security, operational, and license policies surface risk quickly across development teams, suppliers, and partners in the supply chain.

Dependency-Track policy violations view

New in 5.0

The largest redesign in the project's history

Codenamed Hyades, v5 rebuilds how Dependency-Track scales, survives failure, and reasons about risk: horizontal scaling and active/active high availability, durable processing that resumes after a crash, supply chain integrity verification, and an expression-based policy engine.

See what changed in 5.0
  • Horizontal scaling & active/active HA
  • Durable processing that survives crashes
  • Supply chain integrity verification
  • PostgreSQL only, fewer failure modes

Connectors & integrations

Get started

Run it in minutes

Spin up a full deployment with Docker Compose. Dependency-Track 5.0 ships as separate API server and frontend container images from Docker Hub and the GitHub Container Registry.

Upgrading from 4.x? v5 does not upgrade in place. Plan a maintenance window and follow the v4 to v5 migration guide.

Docker Compose
curl -LO https://dependencytrack.org/docker-compose.yml
docker compose up -d
Then open http://localhost:8081 and sign in with admin / admin

Built by a community of contributors and adopters

Dependency-Track is free and open source. Join the teams across more than 20,000 organizations who help shape the project.