Dependency-Track

Dependency-Track is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Built around the Bill of Materials (BOM) concept, it tracks component usage across every version of every project in your portfolio and surfaces known vulnerabilities, policy violations, and licensing risk as they emerge. An API-first design makes it a natural fit for CI/CD pipelines.

Documentation version

This documentation covers Dependency-Track v5. For v4, see the v4 documentation.

Getting started

Get Dependency-Track running locally in minutes with the quick start tutorial.

Explore the documentation using the navigation tabs:

  • Tutorials: step-by-step walkthroughs for common workflows.
  • Guides: task-oriented procedures for specific goals.
  • Concepts: background material on how Dependency-Track works.
  • Reference: technical descriptions of APIs, configuration, and internals.

Key concepts

Coming from v4?

See About changes in v5 for what changed and why, and Migrating from v4 to v5 for the one-shot data migration procedure.

Community

Dependency-Track is an open source project maintained by a community of contributors. Join the monthly community meeting to hear project updates, ask questions, and meet other users and maintainers.