Dependency-Track
Platform

An intelligent component analysis platform

Dependency-Track helps organizations identify and reduce risk in the software supply chain, from a single team to enterprise portfolios of hundreds of thousands of projects.

Inventory

Build a complete, continuously updated record of everything you ship, from one SBOM standard.

Full-Stack Inventory

Track libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services.

CycloneDX Native

Consume, analyze, and produce SBOM, HBOM, VEX, and VDR documents in CycloneDX, an international standard.

Project Hierarchies

Model your portfolio by product, team, or environment with parent and child project hierarchies.

Collection Projects

Roll up metrics across versions, services, and environments without forcing a single tag scheme.

Version History

Keep every release of a project side by side and flag the current one as the latest version.

API-First Design

A well documented REST API makes Dependency-Track a natural fit for modern CI/CD pipelines.

Analyze

Surface vulnerabilities, integrity failures, and risk the moment they emerge, not on a periodic scan.

Vulnerability Detection

Match components against the NVD, GitHub Advisories, and OSV, plus OSS Index, Snyk, Trivy, and VulnDB.

Reproducible Analysis

The internal analyzer matches against mirrored data with no outbound calls, so analysis is fast and repeatable.

New in v5

Integrity Verification

Flag components whose published hashes diverge from the upstream registry, catching typosquatting and tampering.

Exploit Prediction

Prioritize mitigation with integrated support for the Exploit Prediction Scoring System (EPSS).

Auditing Workflow

Triage every finding with analysis state, justification, and a permanent, exportable audit trail.

New in v5

Time-Series Metrics

Trend the risk score and finding counts of every project and the whole portfolio over time.

Govern

Turn your standards into enforceable policy and the machine-readable evidence regulators now expect.

New in v5

Expression-Based Policy

A Common Expression Language (CEL) engine evaluates component policies and breaks the build on a fail.

New in v5

Vulnerability Policies

Automatically audit or suppress findings before they reach analysts or trigger a notification.

License Compliance

Ban copyleft licenses, allow-list with SPDX expressions, and group licenses for readable rules.

VEX & VDR

Produce and consume CycloneDX Vulnerability Exploitability eXchange and Disclosure Reports.

New in v5

Portfolio Access Control

Least-privilege access by team and project hierarchy, now generally available with bounded overhead.

Smart Notifications

Route alerts to Slack, Teams, Mattermost, email, and webhooks, filtered on any field with CEL.

Operate at scale

The v5 redesign rebuilt the engine to stay up, never silently lose work, and run from one team to an enterprise portfolio.

New in v5

Horizontal Scaling & HA

Stateless instances coordinate through PostgreSQL alone, with no broker, for active/active high availability across zones.

New in v5

Durable Processing

BOM processing, analysis, and notifications resume from the exact step they reached and retry automatically with backoff.

New in v5

One Database

Standardizes on PostgreSQL and moves search, caching, and metrics into the database, retiring the local index.

New in v5

Built for Operations

A dedicated management port exposes Prometheus metrics and Kubernetes liveness and readiness probes.

New in v5

Centralized Secrets

Integration credentials live behind one pluggable provider, so you rotate and audit in a single place.

Enterprise Ready

Single Sign-On via OpenID Connect, with Active Directory and LDAP, plus configurable data retention.

CycloneDX

Consumes and produces SBOM, VEX, VDR, and more in the OWASP CycloneDX standard.

NIST & CISA aligned

Output that meets or exceeds NIST SP 800-161 and CISA minimum SBOM guidance.

Regulation ready

Maintain the complete, current inventory the EU Cyber Resilience Act expects.

Connectors & integrations

Built by a community of contributors and adopters

Dependency-Track is free and open source. Join the teams across more than 20,000 organizations who help shape the project.