Configuration Properties¶

Glossary¶

Required Properties¶

Properties marked with * are required. A required property must never be unset.

Property Types¶

Configuration properties may use the following types:

Type	Description
`boolean`	`true` or `false`
`cron`	A cron expression (e.g. `0 0 * * *`)
`double`	A decimal number (e.g. `3.14`)
`duration`	An ISO 8601 duration (e.g. `PT30S`, `PT5M`, `PT1H`)
`enum`	One of a fixed set of values, refer to Valid Values
`integer`	A whole number (e.g. `42`)
`string`	A text value

CORS¶

dt.cors.allow.credentials ¶

Controls the content of the Access-Control-Allow-Credentials response header.
Has no effect when dt.cors.enabled is false.

Type	`boolean`
Default	`true`
ENV	`DT_CORS_ALLOW_CREDENTIALS`

dt.cors.allow.headers ¶

Controls the content of the Access-Control-Allow-Headers response header.
Has no effect when dt.cors.enabled is false.

Type	`string`
Default	`Origin,Content-Type,Authorization,X-Requested-With,Content-Length,Accept,Origin,X-Api-Key,X-Total-Count,*`
ENV	`DT_CORS_ALLOW_HEADERS`

dt.cors.allow.methods ¶

Controls the content of the Access-Control-Allow-Methods response header.
Has no effect when dt.cors.enabled is false.

Type	`string`
Default	`GET,POST,PUT,PATCH,DELETE,OPTIONS`
ENV	`DT_CORS_ALLOW_METHODS`

dt.cors.allow.origin ¶

Controls the content of the Access-Control-Allow-Origin response header.
Has no effect when dt.cors.enabled is false.

Type	`string`
Default	`*`
ENV	`DT_CORS_ALLOW_ORIGIN`

dt.cors.enabled ¶

Defines whether Cross Origin Resource Sharing (CORS) headers shall be included in REST API responses.

Type	`boolean`
Default	`true`
ENV	`DT_CORS_ENABLED`

dt.cors.expose.headers ¶

Controls the content of the Access-Control-Expose-Headers response header.
Has no effect when dt.cors.enabled is false.

Type	`string`
Default	`Origin,Content-Type,Authorization,X-Requested-With,Content-Length,Accept,Origin,X-Api-Key,X-Total-Count`
ENV	`DT_CORS_EXPOSE_HEADERS`

dt.cors.max.age ¶

Controls the content of the Access-Control-Max-Age response header.
Has no effect when dt.cors.enabled is false.

Type	`integer`
Default	`3600`
ENV	`DT_CORS_MAX_AGE`

Cache¶

dt.cache."package-metadata-resolver.cargo.responses".ttl-ms ¶

Defines the TTL in milliseconds for Cargo package metadata resolver response cache entries.

Type	`integer`
Default	`7200000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_CARGO_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.composer.responses".ttl-ms ¶

Defines the TTL in milliseconds for Composer package metadata resolver response cache entries.

Type	`integer`
Default	`7200000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_COMPOSER_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.cpan.responses".ttl-ms ¶

Defines the TTL in milliseconds for CPAN package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_CPAN_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.gem.responses".ttl-ms ¶

Defines the TTL in milliseconds for RubyGems package metadata resolver response cache entries.

Type	`integer`
Default	`7200000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_GEM_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.github.responses".ttl-ms ¶

Defines the TTL in milliseconds for GitHub package metadata resolver response cache entries.

Type	`integer`
Default	`3600000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_GITHUB_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.gomodules.responses".ttl-ms ¶

Defines the TTL in milliseconds for Go Modules package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_GOMODULES_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.hackage.responses".ttl-ms ¶

Defines the TTL in milliseconds for Hackage package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_HACKAGE_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.hex.responses".ttl-ms ¶

Defines the TTL in milliseconds for Hex package metadata resolver response cache entries.

Type	`integer`
Default	`7200000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_HEX_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.maven.responses".ttl-ms ¶

Defines the TTL in milliseconds for Maven package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_MAVEN_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.nixpkgs.responses".ttl-ms ¶

Defines the TTL in milliseconds for Nixpkgs package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_NIXPKGS_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.npm.responses".ttl-ms ¶

Defines the TTL in milliseconds for npm package metadata resolver response cache entries.

Type	`integer`
Default	`3600000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_NPM_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.nuget.responses".ttl-ms ¶

Defines the TTL in milliseconds for NuGet package metadata resolver response cache entries.

Type	`integer`
Default	`14400000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_NUGET_RESPONSES__TTL_MS`

dt.cache."package-metadata-resolver.pypi.responses".ttl-ms ¶

Defines the TTL in milliseconds for PyPI package metadata resolver response cache entries.

Type	`integer`
Default	`7200000`
ENV	`DT_CACHE__PACKAGE_METADATA_RESOLVER_PYPI_RESPONSES__TTL_MS`

dt.cache."vuln-analyzer.oss-index.results".max-size ¶

Defines the maximum number of entries in the OSS Index result cache.

Type	`integer`
Default	`30000`
ENV	`DT_CACHE__VULN_ANALYZER_OSS_INDEX_RESULTS__MAX_SIZE`

dt.cache."vuln-analyzer.oss-index.results".ttl-ms ¶

Defines the TTL in milliseconds for OSS Index result cache entries.

Type	`integer`
Default	`43200000`
ENV	`DT_CACHE__VULN_ANALYZER_OSS_INDEX_RESULTS__TTL_MS`

dt.cache."vuln-analyzer.snyk.results".max-size ¶

Defines the maximum number of entries in the Snyk result cache.

Type	`integer`
Default	`30000`
ENV	`DT_CACHE__VULN_ANALYZER_SNYK_RESULTS__MAX_SIZE`

dt.cache."vuln-analyzer.snyk.results".ttl-ms ¶

Defines the TTL in milliseconds for Snyk result cache entries.

Type	`integer`
Default	`43200000`
ENV	`DT_CACHE__VULN_ANALYZER_SNYK_RESULTS__TTL_MS`

dt.cache.provider * ¶

Defines the cache provider to use.

Type	`enum`
Default	`database`
Valid Values	`[database]`
ENV	`DT_CACHE_PROVIDER`

dt.cache.provider.database.datasource.name ¶

Defines the name of the data source to be used by the database cache provider.

Type	`string`
Default	`default`
ENV	`DT_CACHE_PROVIDER_DATABASE_DATASOURCE_NAME`

dt.cache.provider.database.maintenance.initial-delay-ms ¶

Defines the initial delay in milliseconds after which the database cache provider first performs its maintenance activities, e.g. entry expiration.

Type	`integer`
Default	`60000`
ENV	`DT_CACHE_PROVIDER_DATABASE_MAINTENANCE_INITIAL_DELAY_MS`

dt.cache.provider.database.maintenance.interval-ms ¶

Defines the interval in milliseconds in which the database cache provider performs its maintenance activities, e.g. entry expiration.

Type	`integer`
Default	`300000`
ENV	`DT_CACHE_PROVIDER_DATABASE_MAINTENANCE_INTERVAL_MS`

Database¶

dt.database.password ¶

Specifies the password to use when authenticating to the database.

Deprecated

Since 5.7.0. Use dt.datasource.password instead.

Type	`string`
Default	`dtrack`
ENV	`DT_DATABASE_PASSWORD`

dt.database.pool.enabled ¶

Specifies if the database connection pool is enabled.

Deprecated

Since 5.7.0. Use dt.datasource.pool.enabled instead.

Type	`boolean`
Default	`true`
ENV	`DT_DATABASE_POOL_ENABLED`

dt.database.pool.idle.timeout ¶

This property controls the maximum amount of time that a connection is allowed to sit idle in the pool.

Deprecated

Since 5.7.0. Use dt.datasource.pool.idle-timeout-ms instead.

Type	`integer`
Default	`300000`
ENV	`DT_DATABASE_POOL_IDLE_TIMEOUT`

dt.database.pool.max.lifetime ¶

This property controls the maximum lifetime of a connection in the pool. An in-use connection will never be retired, only when it is closed will it then be removed.

Deprecated

Since 5.7.0. Use dt.datasource.pool.max-lifetime-ms instead.

Type	`integer`
Default	`600000`
ENV	`DT_DATABASE_POOL_MAX_LIFETIME`

dt.database.pool.max.size ¶

This property controls the maximum size that the pool is allowed to reach, including both idle and in-use connections.

Deprecated

Since 5.7.0. Use dt.datasource.pool.max-size instead.

Type	`integer`
Default	`30`
ENV	`DT_DATABASE_POOL_MAX_SIZE`

dt.database.pool.min.idle ¶

This property controls the minimum number of idle connections in the pool. This value should be equal to or less than dt.database.pool.max.size. Warning: If the value is less than dt.database.pool.max.size, dt.database.pool.idle.timeout will have no effect.

Deprecated

Since 5.7.0. Use dt.datasource.pool.min-idle instead.

Type	`integer`
Default	`15`
ENV	`DT_DATABASE_POOL_MIN_IDLE`

dt.database.url ¶

Specifies the JDBC URL to use when connecting to the database. For best performance, set the reWriteBatchedInserts query parameter to true.

Deprecated

Since 5.7.0. Use dt.datasource.url instead.

Type	`string`
Default	`null`
Example	`jdbc:postgresql://localhost:5432/dtrack?reWriteBatchedInserts=true`
ENV	`DT_DATABASE_URL`

dt.database.username ¶

Specifies the username to use when authenticating to the database.

Deprecated

Since 5.7.0. Use dt.datasource.username instead.

Type	`string`
Default	`dtrack`
ENV	`DT_DATABASE_USERNAME`

dt.datasource.password ¶

Defines the password to use for the default data source.

Type	`string`
Default	`${dt.database.password}`
ENV	`DT_DATASOURCE_PASSWORD`

dt.datasource.pool.enabled * ¶

Defines whether connection pooling is enabled for the default data source.

Type	`boolean`
Default	`${dt.database.pool.enabled}`
ENV	`DT_DATASOURCE_POOL_ENABLED`

dt.datasource.pool.idle-timeout-ms ¶

Defines the maximum time in milliseconds that a connection is allowed to sit idle in the pool.

Type	`integer`
Default	`${dt.database.pool.idle.timeout}`
ENV	`DT_DATASOURCE_POOL_IDLE_TIMEOUT_MS`

dt.datasource.pool.max-lifetime-ms ¶

Defines the maximum time in milliseconds for which connections should be kept in the pool for the default data source. Required when dt.datasource.pool.enabled is true.

Type	`integer`
Default	`${dt.database.pool.max.lifetime}`
ENV	`DT_DATASOURCE_POOL_MAX_LIFETIME_MS`

dt.datasource.pool.max-size ¶

Defines the maximum size of the connection pool for the default data source. Required when dt.datasource.pool.enabled is true.

Type	`integer`
Default	`${dt.database.pool.max.size}`
ENV	`DT_DATASOURCE_POOL_MAX_SIZE`

dt.datasource.pool.min-idle ¶

Defines the minimum number of idle connections in the pool for the default data source. Required when dt.datasource.pool.enabled is true.

Type	`integer`
Default	`${dt.database.pool.min.idle}`
ENV	`DT_DATASOURCE_POOL_MIN_IDLE`

dt.datasource.url * ¶

Defines the JDBC URL to use for the default data source.

Type	`string`
Default	`${dt.database.url}`
Example	`jdbc:postgresql://localhost:5432/dtrack?reWriteBatchedInserts=true`
ENV	`DT_DATASOURCE_URL`

dt.datasource.username ¶

Defines the username to use for the default data source.

Type	`string`
Default	`${dt.database.username}`
ENV	`DT_DATASOURCE_USERNAME`

dt.dex-engine.datasource.name ¶

Defines the name of the data source to be used by the durable execution engine. For larger deployments, it is recommended to use a separate, non-default data source.

Type	`string`
Default	`default`
ENV	`DT_DEX_ENGINE_DATASOURCE_NAME`

dt.dex-engine.migration.datasource.name ¶

Defines the name of the data source to use for executing database migrations of the durable execution engine.

Type	`string`
Default	`null`
ENV	`DT_DEX_ENGINE_MIGRATION_DATASOURCE_NAME`

dt.init.tasks.datasource.close-after-use * ¶

Defines whether the data source used by init tasks should be closed after all tasks completed. This is useful when a non-default data source was configured, that is not used anywhere else.

Type	`boolean`
Default	`false`
ENV	`DT_INIT_TASKS_DATASOURCE_CLOSE_AFTER_USE`

dt.init.tasks.datasource.name * ¶

Defines the name of the data source to be used by init tasks.

Type	`string`
Default	`default`
ENV	`DT_INIT_TASKS_DATASOURCE_NAME`

Development¶

dt.dev.services.enabled ¶

Whether dev services shall be enabled.

When enabled, Dependency-Track will automatically launch containers for:

Frontend
PostgreSQL

at startup, and configures itself to use them. They are disposed when Dependency-Track stops. The containers are exposed on randomized ports, which will be logged during startup.

Trying to enable dev services in a production build will prevent the application from starting.

Note that the containers launched by the API server can not currently be discovered and re-used by other Hyades services. This is a future enhancement tracked in https://github.com/DependencyTrack/hyades/issues/1188.

Type	`boolean`
Default	`false`
ENV	`DT_DEV_SERVICES_ENABLED`

dt.dev.services.image.frontend ¶

The image to use for the frontend dev services container.

Type	`string`
Default	`ghcr.io/dependencytrack/hyades-frontend:snapshot`
ENV	`DT_DEV_SERVICES_IMAGE_FRONTEND`

dt.dev.services.image.postgres ¶

The image to use for the PostgreSQL dev services container.

Type	`string`
Default	`postgres:14-alpine`
ENV	`DT_DEV_SERVICES_IMAGE_POSTGRES`

dt.dev.services.port.frontend ¶

The port on which the frontend dev services container shall be exposed on the host.

Type	`integer`
Default	`8081`
ENV	`DT_DEV_SERVICES_PORT_FRONTEND`

Durable Execution¶

dt.dex-engine.activity-task-heartbeat-buffer.flush-interval-ms ¶

Defines the time in milliseconds between flushes of the activity task heartbeat buffer.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_ACTIVITY_TASK_HEARTBEAT_BUFFER_FLUSH_INTERVAL_MS`

dt.dex-engine.activity-task-heartbeat-buffer.max-batch-size ¶

Defines the maximum number of items of the activity task heartbeat buffer.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_ACTIVITY_TASK_HEARTBEAT_BUFFER_MAX_BATCH_SIZE`

dt.dex-engine.activity-task-scheduler.poll-interval-ms ¶

Defines the interval in milliseconds in which the activity task scheduler polls for tasks to enqueue for execution.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_ACTIVITY_TASK_SCHEDULER_POLL_INTERVAL_MS`

dt.dex-engine.activity-worker.artifact-import.enabled ¶

Defines whether the artifact import activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_ARTIFACT_IMPORT_ENABLED`

dt.dex-engine.activity-worker.artifact-import.max-concurrency * ¶

Defines the maximum concurrency of the artifact import activity worker.

Type	`integer`
Default	`5`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_ARTIFACT_IMPORT_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.default.enabled ¶

Defines whether the default activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_DEFAULT_ENABLED`

dt.dex-engine.activity-worker.default.max-concurrency * ¶

Defines the maximum concurrency of the default activity worker.

Type	`integer`
Default	`25`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_DEFAULT_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.metrics-update.enabled ¶

Defines whether the metrics update activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_METRICS_UPDATE_ENABLED`

dt.dex-engine.activity-worker.metrics-update.max-concurrency * ¶

Defines the maximum concurrency of the metrics update activity worker.

Type	`integer`
Default	`5`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_METRICS_UPDATE_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.notification.enabled ¶

Defines whether the notification activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_ENABLED`

dt.dex-engine.activity-worker.notification.max-concurrency * ¶

Defines the maximum concurrency of the notification activity worker.

Type	`integer`
Default	`5`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.notification.poll-backoff.initial-delay-ms ¶

Defines the initial poll backoff delay in milliseconds of the notification activity worker.

Type	`integer`
Default	`200`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_POLL_BACKOFF_INITIAL_DELAY_MS`

dt.dex-engine.activity-worker.notification.poll-backoff.max-delay-ms ¶

Defines the max poll backoff delay in milliseconds of the notification activity worker.

Type	`integer`
Default	`10000`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_POLL_BACKOFF_MAX_DELAY_MS`

dt.dex-engine.activity-worker.notification.poll-backoff.multiplier ¶

Defines the poll backoff delay multiplier of the notification activity worker.

Type	`double`
Default	`2.0`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_POLL_BACKOFF_MULTIPLIER`

dt.dex-engine.activity-worker.notification.poll-backoff.randomization-factor ¶

Defines the poll backoff randomization factor of the notification activity worker.

Type	`double`
Default	`0.2`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_NOTIFICATION_POLL_BACKOFF_RANDOMIZATION_FACTOR`

dt.dex-engine.activity-worker.package-metadata-resolution.enabled ¶

Defines whether the package metadata activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_PACKAGE_METADATA_RESOLUTION_ENABLED`

dt.dex-engine.activity-worker.package-metadata-resolution.max-concurrency * ¶

Defines the maximum concurrency of the package metadata activity worker.

Note that a concurrency of N means that at most N PURLs batches will be resolved concurrently. Each batch performs HTTP requests against package registries.

Type	`integer`
Default	`3`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_PACKAGE_METADATA_RESOLUTION_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.policy-evaluation.enabled ¶

Defines whether the policy evaluation activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_POLICY_EVALUATION_ENABLED`

dt.dex-engine.activity-worker.policy-evaluation.max-concurrency * ¶

Defines the maximum concurrency of the policy evaluation activity worker.

Type	`integer`
Default	`5`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_POLICY_EVALUATION_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.vuln-analysis-reconciliation.enabled ¶

Defines whether the vulnerability analysis reconciliation activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_VULN_ANALYSIS_RECONCILIATION_ENABLED`

dt.dex-engine.activity-worker.vuln-analysis-reconciliation.max-concurrency * ¶

Defines the maximum concurrency of the vulnerability analysis reconciliation activity worker.

Type	`integer`
Default	`5`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_VULN_ANALYSIS_RECONCILIATION_MAX_CONCURRENCY`

dt.dex-engine.activity-worker.vuln-analysis.enabled ¶

Defines whether the notification activity worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_VULN_ANALYSIS_ENABLED`

dt.dex-engine.activity-worker.vuln-analysis.max-concurrency * ¶

Defines the maximum concurrency of the notification activity worker.

Type	`integer`
Default	`10`
ENV	`DT_DEX_ENGINE_ACTIVITY_WORKER_VULN_ANALYSIS_MAX_CONCURRENCY`

dt.dex-engine.external-event-buffer.flush-interval-ms ¶

Defines the time in milliseconds between flushes of the external event buffer.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_EXTERNAL_EVENT_BUFFER_FLUSH_INTERVAL_MS`

dt.dex-engine.external-event-buffer.max-batch-size ¶

Defines the maximum number of items of the external event buffer.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_EXTERNAL_EVENT_BUFFER_MAX_BATCH_SIZE`

dt.dex-engine.leader-election.enabled ¶

Whether leader election in the durable execution engine should be enabled.

Disabling leader election also disables the workflow task scheduler, activity task scheduler, and maintenance worker, as only the leader node is meant to handle those responsibilities.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_LEADER_ELECTION_ENABLED`

dt.dex-engine.leader-election.lease-check-interval-ms ¶

Defines the interval in milliseconds in which leadership lease acquisition or extension is attempted.

Must be smaller than dt.dex-engine.leader-election.lease-duration-ms to avoid frequent leadership changes.

Type	`integer`
Default	`15000`
ENV	`DT_DEX_ENGINE_LEADER_ELECTION_LEASE_CHECK_INTERVAL_MS`

dt.dex-engine.leader-election.lease-duration-ms ¶

Defines the duration in milliseconds for which leadership leases are acquired.

Type	`integer`
Default	`30000`
ENV	`DT_DEX_ENGINE_LEADER_ELECTION_LEASE_DURATION_MS`

dt.dex-engine.maintenance.run-deletion-batch-size ¶

Defines the maximum number of completed workflow runs to delete during a single execution of the maintenance worker. Deletion of large volumes of runs in one pass can lead to I/O spikes and increased table bloat.

If retention is not able to keep up with the volumes of runs, consider increasing the interval of the maintenance worker first.

Type	`integer`
Default	`1000`
ENV	`DT_DEX_ENGINE_MAINTENANCE_RUN_DELETION_BATCH_SIZE`

dt.dex-engine.maintenance.run-retention-duration ¶

Defines the duration in ISO 8601 format after which completed workflow runs become eligible for deletion.

Type	`duration`
Default	`P1D`
ENV	`DT_DEX_ENGINE_MAINTENANCE_RUN_RETENTION_DURATION`

dt.dex-engine.maintenance.worker.initial-delay-ms ¶

Defines the initial delay in milliseconds after which the maintenance worker will execute for the first time.

Note that only the leader node in the cluster will actually perform maintenance work. For nodes that are not leaders, maintenance is a no-op.

Type	`integer`
Default	`60000`
ENV	`DT_DEX_ENGINE_MAINTENANCE_WORKER_INITIAL_DELAY_MS`

dt.dex-engine.maintenance.worker.interval-ms ¶

Defines the interval in milliseconds at which the maintenance worker will execute.

Note that only the leader node in the cluster will actually perform maintenance work. For nodes that are not leaders, maintenance is a no-op.

Type	`integer`
Default	`1800000`
ENV	`DT_DEX_ENGINE_MAINTENANCE_WORKER_INTERVAL_MS`

dt.dex-engine.metrics.collector.enabled ¶

Defines whether the metrics collector should be enabled.

The collector is responsible for collecting metrics from the database, such as the distribution of workflow run statuses, task queue capacities and depths, and more.

It is recommended to keep it enabled for monitoring purposes, but may be disabled in case it generates undesired load.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_METRICS_COLLECTOR_ENABLED`

dt.dex-engine.metrics.collector.initial-delay-ms ¶

Defines the initial delay in milliseconds after which the metrics collector will first run.

Type	`integer`
Default	`15000`
ENV	`DT_DEX_ENGINE_METRICS_COLLECTOR_INITIAL_DELAY_MS`

dt.dex-engine.metrics.collector.interval-ms ¶

Defines the interval in milliseconds in which the metrics collector runs.

Type	`integer`
Default	`30000`
ENV	`DT_DEX_ENGINE_METRICS_COLLECTOR_INTERVAL_MS`

dt.dex-engine.run-history-cache.evict-after-access-ms ¶

Defines the time in milliseconds for which workflow run event histories are cached.

Histories are only cached for non-terminal runs, to improve performance of replay. Cached histories are automatically evicted when the corresponding run terminates.

Type	`integer`
Default	`300000`
ENV	`DT_DEX_ENGINE_RUN_HISTORY_CACHE_EVICT_AFTER_ACCESS_MS`

dt.dex-engine.run-history-cache.max-size ¶

Defines the maximum number of workflow runs for which histories may be cached.

Type	`integer`
Default	`1000`
ENV	`DT_DEX_ENGINE_RUN_HISTORY_CACHE_MAX_SIZE`

dt.dex-engine.task-event-buffer.flush-interval-ms ¶

Defines the time in milliseconds between flushes of the task event buffer.

Increasing this interval may yield better throughput while reducing the database load, but also increases end-to-end latency of workflow and activity executions.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_TASK_EVENT_BUFFER_FLUSH_INTERVAL_MS`

dt.dex-engine.task-event-buffer.max-batch-size ¶

Defines the maximum number of items that will be flushed at once.

Increasing this value may yield better throughput, at the expense of higher latency and potentially larger blast radius in case a task event causes failures during the flush.

Since flushes are atomic, a single event failing to be flushed impacts the entire batch.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_TASK_EVENT_BUFFER_MAX_BATCH_SIZE`

dt.dex-engine.workers.enabled ¶

Whether all durable execution task workers should be enabled.

Acts as a global kill switch that takes precedence over individual worker settings.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_WORKERS_ENABLED`

dt.dex-engine.workflow-task-scheduler.poll-interval-ms ¶

Defines the interval in milliseconds in which the workflow task scheduler polls for tasks to enqueue for execution.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_WORKFLOW_TASK_SCHEDULER_POLL_INTERVAL_MS`

dt.dex-engine.workflow-worker.default.enabled ¶

Defines whether the default workflow worker should be enabled.

Type	`boolean`
Default	`true`
ENV	`DT_DEX_ENGINE_WORKFLOW_WORKER_DEFAULT_ENABLED`

dt.dex-engine.workflow-worker.default.max-concurrency * ¶

Defines the maximum concurrency of the default workflow worker.

Note that workflow workers do not perform any I/O (although they may block while waiting for semaphores and buffer flushes), and are executed with virtual threads. This means that it's usually perfectly fine to have a high degree of concurrency, without risking excessive resource usage or I/O thrashing.

Type	`integer`
Default	`100`
ENV	`DT_DEX_ENGINE_WORKFLOW_WORKER_DEFAULT_MAX_CONCURRENCY`

General¶

dt.api.key.prefix ¶

Defines the prefix to be used for API keys. A maximum prefix length of 251 characters is supported. The prefix may also be left empty.

Type	`string`
Default	`odt_`
ENV	`DT_API_KEY_PREFIX`

dt.auth.session-timeout-ms ¶

Defines the user session timeout in milliseconds.

Type	`integer`
Default	`28800000`
ENV	`DT_AUTH_SESSION_TIMEOUT_MS`

dt.bcrypt.rounds * ¶

Specifies the number of bcrypt rounds to use when hashing a user's password. The higher the number the more secure the password, at the expense of hardware resources and additional time to generate the hash.

Type	`integer`
Default	`14`
ENV	`DT_BCRYPT_ROUNDS`

dt.config.log.values ¶

Defines whether config value lookups should be logged.

Logging happens at DEBUG level. To make the logs visible, you must configure dt.logging.level."io.smallrye.config"=DEBUG.

Note that this will not mask or omit any secrets. Do not use in production environments!

Type	`boolean`
Default	`false`
ENV	`DT_CONFIG_LOG_VALUES`

dt.config.profile ¶

Defines the configuration profile to apply.

For example, the web profile may be used to disable any background processing, effectively turning the node into a web-only instance.

Type	`string`
Default	`null`
ENV	`DT_CONFIG_PROFILE`

dt.data.directory * ¶

Defines the path to the data directory. This directory will hold logs, keys, and any database or index files along with application-specific files or directories.

Type	`string`
Default	`${user.home}/.dependency-track`
ENV	`DT_DATA_DIRECTORY`

dt.init.and.exit ¶

Whether to only execute initialization tasks and exit.

Type	`boolean`
Default	`false`
ENV	`DT_INIT_AND_EXIT`

dt.init.task.database.migration.enabled ¶

Whether to enable the database migration init task. Has no effect unless dt.init.tasks.enabled is true.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASK_DATABASE_MIGRATION_ENABLED`

dt.init.task.database.partition.maintenance.enabled ¶

Whether to enable the database partition maintenance init task. Has no effect unless dt.init.tasks.enabled is true.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASK_DATABASE_PARTITION_MAINTENANCE_ENABLED`

dt.init.task.database.seeding.enabled ¶

Whether to enable the database seeding init task. Seeding involves populating the database with default objects, such as permissions, users, licenses, etc. Has no effect unless dt.init.tasks.enabled is true.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASK_DATABASE_SEEDING_ENABLED`

dt.init.task.dex.engine.database.migration.enabled ¶

Whether to enable the durable execution engine database migration init task. Has no effect unless dt.init.tasks.enabled is true.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASK_DEX_ENGINE_DATABASE_MIGRATION_ENABLED`

dt.init.task.key.generation.enabled ¶

Whether to enable the key generation init task. Has no effect unless dt.init.tasks.enabled is true.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASK_KEY_GENERATION_ENABLED`

dt.init.tasks.enabled ¶

Whether to execute initialization tasks on startup.

Type	`boolean`
Default	`true`
ENV	`DT_INIT_TASKS_ENABLED`

dt.telemetry.submission.enabled.default ¶

Defines the default value for the telemetry submission enabled setting.

This is only used during initial database seeding. Once the setting exists in the database, it can be toggled via the REST API or the admin UI.

To opt out of telemetry before first startup, set this to false.

Type	`boolean`
Default	`true`
ENV	`DT_TELEMETRY_SUBMISSION_ENABLED_DEFAULT`

dt.tmp.delay.bom.processed.notification ¶

Delays the BOM_PROCESSED notification until the vulnerability analysis associated with a given BOM upload is completed. The intention being that it is then "safe" to query the API for any identified vulnerabilities. This is specifically for cases where polling the /api/v1/bom/token/ endpoint is not feasible. THIS IS A TEMPORARY FUNCTIONALITY AND MAY BE REMOVED IN FUTURE RELEASES WITHOUT FURTHER NOTICE.

Type	`boolean`
Default	`false`
ENV	`DT_TMP_DELAY_BOM_PROCESSED_NOTIFICATION`

dt.vulnerability.policy.bundle.auth.bearer.token ¶

Defines the bearer token to be used for authentication against the service hosting the vulnerability policy bundle.

Type	`string`
Default	`null`
ENV	`DT_VULNERABILITY_POLICY_BUNDLE_AUTH_BEARER_TOKEN`

dt.vulnerability.policy.bundle.auth.password ¶

Defines the password to be used for basic authentication against the service hosting the vulnerability policy bundle.

Type	`string`
Default	`null`
ENV	`DT_VULNERABILITY_POLICY_BUNDLE_AUTH_PASSWORD`

dt.vulnerability.policy.bundle.auth.username ¶

Defines the username to be used for basic authentication against the service hosting the vulnerability policy bundle.

Type	`string`
Default	`null`
ENV	`DT_VULNERABILITY_POLICY_BUNDLE_AUTH_USERNAME`

dt.vulnerability.policy.bundle.url ¶

Defines where to fetch the vulnerability policy bundle from.

Type	`string`
Default	`null`
Example	`https://example.com/bundles/bundle.zip`
ENV	`DT_VULNERABILITY_POLICY_BUNDLE_URL`

HTTP¶

dt.http.proxy.address ¶

HTTP proxy address. If set, then dt.http.proxy.port must be set too.

Type	`string`
Default	`null`
Example	`proxy.example.com`
ENV	`DT_HTTP_PROXY_ADDRESS`

dt.http.proxy.password ¶

Type	`string`
Default	`null`
ENV	`DT_HTTP_PROXY_PASSWORD`

dt.http.proxy.port ¶

Type	`integer`
Default	`null`
Example	`8888`
ENV	`DT_HTTP_PROXY_PORT`

dt.http.proxy.username ¶

Type	`string`
Default	`null`
ENV	`DT_HTTP_PROXY_USERNAME`

dt.http.timeout.connection ¶

Defines the connection timeout in seconds for outbound HTTP connections.

Type	`integer`
Default	`30`
ENV	`DT_HTTP_TIMEOUT_CONNECTION`

dt.http.timeout.pool ¶

Defines the request timeout in seconds for outbound HTTP connections.

Type	`integer`
Default	`60`
ENV	`DT_HTTP_TIMEOUT_POOL`

dt.http.timeout.socket ¶

Defines the socket / read timeout in seconds for outbound HTTP connections.

Type	`integer`
Default	`30`
ENV	`DT_HTTP_TIMEOUT_SOCKET`

dt.no.proxy ¶

Type	`string`
Default	`null`
Example	`localhost,127.0.0.1`
ENV	`DT_NO_PROXY`

LDAP¶

dt.ldap.attribute.mail ¶

Specifies the LDAP attribute used to store a users email address

Type	`string`
Default	`mail`
ENV	`DT_LDAP_ATTRIBUTE_MAIL`

dt.ldap.attribute.name ¶

Specifies the Attribute that identifies a users ID.

Example (Microsoft Active Directory):

userPrincipalName

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

uid

Type	`string`
Default	`userPrincipalName`
ENV	`DT_LDAP_ATTRIBUTE_NAME`

dt.ldap.auth.username.format ¶

Specifies if the username entered during login needs to be formatted prior to asserting credentials against the directory. For Active Directory, the userPrincipal attribute typically ends with the domain, whereas the samAccountName attribute and other directory server implementations do not. The %s variable will be substituted with the username asserted during login.

Example (Microsoft Active Directory):

%s@example.com

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

%s

Type	`string`
Default	`null`
Example	`%s@example.com`
ENV	`DT_LDAP_AUTH_USERNAME_FORMAT`

dt.ldap.basedn ¶

Specifies the base DN that all queries should search from

Type	`string`
Default	`null`
Example	`dc=example,dc=com`
ENV	`DT_LDAP_BASEDN`

dt.ldap.bind.password ¶

If anonymous access is not permitted, specify a password for the username used to bind.

Type	`string`
Default	`null`
ENV	`DT_LDAP_BIND_PASSWORD`

dt.ldap.bind.username ¶

If anonymous access is not permitted, specify a username with limited access to the directory, just enough to perform searches. This should be the fully qualified DN of the user.

Type	`string`
Default	`null`
ENV	`DT_LDAP_BIND_USERNAME`

dt.ldap.enabled ¶

Defines if LDAP will be used for user authentication. If enabled, dt.ldap.* properties should be set accordingly.

Type	`boolean`
Default	`false`
ENV	`DT_LDAP_ENABLED`

dt.ldap.groups.filter ¶

Specifies the LDAP search filter used to retrieve all groups from the directory.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames))

Type	`string`
Default	`(&(objectClass=group)(objectCategory=Group))`
ENV	`DT_LDAP_GROUPS_FILTER`

dt.ldap.groups.search.filter ¶

Specifies the LDAP search filter used to search for groups by their name. The {SEARCH_TERM} variable will be substituted at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames)(cn={SEARCH_TERM}))

Type	`string`
Default	`(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))`
ENV	`DT_LDAP_GROUPS_SEARCH_FILTER`

dt.ldap.security.auth ¶

Specifies the LDAP security authentication level to use. Its value is one of the following strings: "none", "simple", "strong". If this property is empty or unspecified, the behaviour is determined by the service provider.

Type	`enum`
Default	`simple`
Valid Values	`[none, simple, strong]`
ENV	`DT_LDAP_SECURITY_AUTH`

dt.ldap.server.url ¶

Specifies the LDAP server URL.

Examples (Microsoft Active Directory):

ldap://ldap.example.com:3268
ldaps://ldap.example.com:3269

Examples (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

ldap://ldap.example.com:389
ldaps://ldap.example.com:636

Type	`string`
Default	`null`
ENV	`DT_LDAP_SERVER_URL`

dt.ldap.team.synchronization ¶

This option will ensure that team memberships for LDAP users are dynamic and synchronized with membership of LDAP groups. When a team is mapped to an LDAP group, all local LDAP users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the LDAP group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via an external directory.

Type	`boolean`
Default	`false`
ENV	`DT_LDAP_TEAM_SYNCHRONIZATION`

dt.ldap.user.groups.filter ¶

Specifies the LDAP search filter to use to query a user and retrieve a list of groups the user is a member of. The {USER_DN} variable will be substituted with the actual value of the users DN at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(member={USER_DN}))

Example (Microsoft Active Directory - with nested group support):

(member:1.2.840.113556.1.4.1941:={USER_DN})

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))

Type	`string`
Default	`(member:1.2.840.113556.1.4.1941:={USER_DN})`
ENV	`DT_LDAP_USER_GROUPS_FILTER`

dt.ldap.user.provisioning ¶

Specifies if mapped LDAP accounts are automatically created upon successful authentication. When a user logs in with valid credentials but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which ldap users can access the system and which users cannot. When this value is set to true, a local ldap user will be created and mapped to the ldap account automatically. This automatic provisioning only affects authentication, not authorization.

Type	`boolean`
Default	`false`
ENV	`DT_LDAP_USER_PROVISIONING`

dt.ldap.users.search.filter ¶

Specifies the LDAP search filter used to search for users by their name. The {SEARCH_TERM} variable will be substituted at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=inetOrgPerson)(cn={SEARCH_TERM}))

Type	`string`
Default	`(&(objectClass=user)(objectCategory=Person)(cn={SEARCH_TERM}))`
ENV	`DT_LDAP_USERS_SEARCH_FILTER`

Notification¶

dt.notification-publisher.console.enabled ¶

Defines whether the console notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_CONSOLE_ENABLED`

dt.notification-publisher.email.allow-local-connections ¶

Defines whether the email notification publisher is allowed to connect to local hosts.

Type	`boolean`
Default	`false`
ENV	`DT_NOTIFICATION_PUBLISHER_EMAIL_ALLOW_LOCAL_CONNECTIONS`

dt.notification-publisher.email.enabled ¶

Defines whether the email notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_EMAIL_ENABLED`

dt.notification-publisher.jira.enabled ¶

Defines whether the Jira notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_JIRA_ENABLED`

dt.notification-publisher.kafka.allow-local-connections ¶

Defines whether the Kafka notification publisher is allowed to connect to local hosts.

Type	`boolean`
Default	`false`
ENV	`DT_NOTIFICATION_PUBLISHER_KAFKA_ALLOW_LOCAL_CONNECTIONS`

dt.notification-publisher.kafka.enabled ¶

Defines whether the Kafka notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_KAFKA_ENABLED`

dt.notification-publisher.mattermost.enabled ¶

Defines whether the Mattermost notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_MATTERMOST_ENABLED`

dt.notification-publisher.msteams.enabled ¶

Defines whether the Microsoft Teams notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_MSTEAMS_ENABLED`

dt.notification-publisher.slack.enabled ¶

Defines whether the Slack notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_SLACK_ENABLED`

dt.notification-publisher.webex.enabled ¶

Defines whether the WebEx notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_WEBEX_ENABLED`

dt.notification-publisher.webhook.enabled ¶

Defines whether the Webhook notification publisher is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_PUBLISHER_WEBHOOK_ENABLED`

dt.notification.outbox-relay.batch-size * ¶

Defines the number of notifications that the outbox relay will process in a batch.

Type	`integer`
Default	`100`
ENV	`DT_NOTIFICATION_OUTBOX_RELAY_BATCH_SIZE`

dt.notification.outbox-relay.enabled * ¶

Defines whether the notification outbox relay should be enabled. When disabled, notifications will still be emitted to the outbox table, but not be delivered. Should generally stay enabled, unless:

The relay has a critical issue that impacts the rest of the system
You run a multi-node cluster and want more granular control over which nodes run the relay

Type	`boolean`
Default	`true`
ENV	`DT_NOTIFICATION_OUTBOX_RELAY_ENABLED`

dt.notification.outbox-relay.large-notification-threshold-bytes * ¶

Defines the size in bytes at which notifications are considered "large".

Large notifications will be offloaded to file storage before being sent to the dex engine for publishing.

Type	`integer`
Default	`65536`
ENV	`DT_NOTIFICATION_OUTBOX_RELAY_LARGE_NOTIFICATION_THRESHOLD_BYTES`

dt.notification.outbox-relay.poll-interval-ms * ¶

Defines the interval in milliseconds in which the notification outbox relay will poll for records in the notification outbox table. Increasing this value will cause higher notification latencies, but incurs a lesser load on the database.

Type	`integer`
Default	`1000`
ENV	`DT_NOTIFICATION_OUTBOX_RELAY_POLL_INTERVAL_MS`

Observability¶

dt.management.host ¶

Defines the host for the management server, which exposes health and metrics endpoints independently of the main server.

Type	`string`
Default	`0.0.0.0`
ENV	`DT_MANAGEMENT_HOST`

dt.management.port ¶

Defines the port for the management server, which exposes health and metrics endpoints independently of the main server.

Type	`integer`
Default	`9000`
ENV	`DT_MANAGEMENT_PORT`

dt.metrics.auth.password ¶

Defines the password required to access metrics. Has no effect when dt.metrics.auth.username is not set.

Type	`string`
Default	`null`
ENV	`DT_METRICS_AUTH_PASSWORD`

dt.metrics.auth.username ¶

Defines the username required to access metrics. Has no effect when dt.metrics.auth.password is not set.

Type	`string`
Default	`null`
ENV	`DT_METRICS_AUTH_USERNAME`

dt.metrics.enabled ¶

Defines whether Prometheus metrics will be exposed. If enabled, metrics will be available via the /metrics endpoint of the management server.

Type	`boolean`
Default	`false`
ENV	`DT_METRICS_ENABLED`

OpenID Connect¶

dt.oidc.client.id ¶

Defines the client ID to be used for OpenID Connect. The client ID should be the same as the one configured for the frontend, and will only be used to validate ID tokens.

Type	`string`
Default	`null`
ENV	`DT_OIDC_CLIENT_ID`

dt.oidc.enabled ¶

Defines if OpenID Connect will be used for user authentication. If enabled, dt.oidc.* properties should be set accordingly.

Type	`boolean`
Default	`false`
ENV	`DT_OIDC_ENABLED`

dt.oidc.issuer ¶

Defines the issuer URL to be used for OpenID Connect. This issuer MUST support provider configuration via the /.well-known/openid-configuration endpoint. See also:

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

Type	`string`
Default	`null`
ENV	`DT_OIDC_ISSUER`

dt.oidc.team.synchronization ¶

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles. When a team is mapped to an OpenID Connect group, all local OpenID Connect users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the OpenID Connect group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via the identity provider. Note that team synchronization is only performed during user provisioning and after successful authentication.

Type	`boolean`
Default	`false`
ENV	`DT_OIDC_TEAM_SYNCHRONIZATION`

dt.oidc.teams.claim ¶

Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint. The claim must be an array of strings, or a comma-delimited string. Most public identity providers do not support group or role management. When using a customizable / on-demand hosted identity provider, name, content, and inclusion in the userinfo endpoint will most likely need to be configured.

Type	`string`
Default	`groups`
ENV	`DT_OIDC_TEAMS_CLAIM`

dt.oidc.user.provisioning ¶

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication. When a user logs in with a valid access token but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which OpenID Connect users can access the system and which users cannot. When this value is set to true, a local OpenID Connect user will be created and mapped to the OpenID Connect account automatically. This automatic provisioning only affects authentication, not authorization.

Type	`boolean`
Default	`false`
ENV	`DT_OIDC_USER_PROVISIONING`

dt.oidc.username.claim ¶

Defines the name of the claim that contains the username in the provider's userinfo endpoint. Common claims are name, username, preferred_username or nickname. See also:

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

Type	`string`
Default	`name`
ENV	`DT_OIDC_USERNAME_CLAIM`

Secrets¶

dt.secret-management.cache.enabled * ¶

Defines whether secret caching should be enabled.

Type	`boolean`
Default	`false`
ENV	`DT_SECRET_MANAGEMENT_CACHE_ENABLED`

dt.secret-management.cache.expire-after-write-ms ¶

Defines the duration in milliseconds for which secrets should be cached.

Type	`integer`
Default	`60000`
ENV	`DT_SECRET_MANAGEMENT_CACHE_EXPIRE_AFTER_WRITE_MS`

dt.secret-management.cache.max-size ¶

Defines the maximum number of secrets to keep in the cache.

Type	`integer`
Default	`100`
ENV	`DT_SECRET_MANAGEMENT_CACHE_MAX_SIZE`

dt.secret-management.database.datasource.name ¶

Defines the name of the data source to be used by the database secret manager.

Required when dt.secret-management.provider is database.

Type	`string`
Default	`default`
ENV	`DT_SECRET_MANAGEMENT_DATABASE_DATASOURCE_NAME`

dt.secret-management.database.kek ¶

Defines a base64-encoded AES-256 key (32 bytes) to use as the key encryption key (KEK) for the database secret manager.

A secure key may be generated using OpenSSL like this: openssl rand -base64 32

When set, takes precedence over dt.secret-management.database.kek-keyset.path. Unlike the keyset file approach, this option does not support KEK rotation.

Must be the same for all nodes in the cluster. When different keys are detected, the application will fail to start.

Type	`string`
Default	`null`
ENV	`DT_SECRET_MANAGEMENT_DATABASE_KEK`

dt.secret-management.database.kek-keyset.create-if-missing ¶

Defines whether a key encryption keyset should be created if it doesn't already exist.

Type	`boolean`
Default	`true`
ENV	`DT_SECRET_MANAGEMENT_DATABASE_KEK_KEYSET_CREATE_IF_MISSING`

dt.secret-management.database.kek-keyset.path ¶

Defines the path to the key encryption keyset to use for the database secret manager.

Must point to the same file for all nodes in the cluster, e.g. using a shared volume or mounted k8s secret. When different keysets are detected, the application will fail to start.

Type	`string`
Default	`${dt.data.directory}/keys/secret-management-kek.json`
ENV	`DT_SECRET_MANAGEMENT_DATABASE_KEK_KEYSET_PATH`

dt.secret-management.provider * ¶

Defines the secret management type to use.

Type	`enum`
Default	`database`
Valid Values	`[database, env]`
ENV	`DT_SECRET_MANAGEMENT_PROVIDER`

Storage¶

dt.file-storage.local.compression.level ¶

Defines the zstd compression level to use for local file storage.

Type	`integer`
Default	`5`
Valid Values	`[-7..22]`
ENV	`DT_FILE_STORAGE_LOCAL_COMPRESSION_LEVEL`

dt.file-storage.local.directory ¶

Defines the local directory where files shall be stored.

Type	`string`
Default	`${dt.data.directory}/storage`
ENV	`DT_FILE_STORAGE_LOCAL_DIRECTORY`

dt.file-storage.provider ¶

Defines the file storage provider to use.

Type	`enum`
Default	`local`
Valid Values	`[local, memory, s3]`
ENV	`DT_FILE_STORAGE_PROVIDER`

dt.file-storage.s3.access.key ¶

Defines the S3 access key / username.

Type	`string`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_ACCESS_KEY`

dt.file-storage.s3.bucket ¶

Defines the name of the S3 bucket. The existence of the bucket will be verified during startup.

Type	`string`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_BUCKET`

dt.file-storage.s3.compression.level ¶

Defines the zstd compression level to use for S3 file storage.

Type	`integer`
Default	`5`
Valid Values	`[-7..22]`
ENV	`DT_FILE_STORAGE_S3_COMPRESSION_LEVEL`

dt.file-storage.s3.connect-timeout-ms ¶

Defines the HTTP connect timeout for S3 requests in milliseconds.

Type	`integer`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_CONNECT_TIMEOUT_MS`

dt.file-storage.s3.endpoint ¶

Defines the S3 endpoint URL.

Type	`string`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_ENDPOINT`

dt.file-storage.s3.read-timeout-ms ¶

Defines the HTTP read timeout for S3 requests in milliseconds.

Type	`integer`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_READ_TIMEOUT_MS`

dt.file-storage.s3.region ¶

Defines the region of the S3 bucket.

Type	`string`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_REGION`

dt.file-storage.s3.secret.key ¶

Defines the S3 secret key / password.

Type	`string`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_SECRET_KEY`

dt.file-storage.s3.write-timeout-ms ¶

Defines the HTTP write timeout for S3 requests in milliseconds.

Type	`integer`
Default	`null`
ENV	`DT_FILE_STORAGE_S3_WRITE_TIMEOUT_MS`

Task Execution¶

dt.worker.thread.multiplier * ¶

Defines a multiplier that is used to calculate the number of threads used by the event subsystem. This property is only used when dt.worker.threads is set to 0. A machine with 4 cores and a multiplier of 4, will use (at most) 16 worker threads.

Type	`integer`
Default	`4`
ENV	`DT_WORKER_THREAD_MULTIPLIER`

dt.worker.threads * ¶

Defines the number of worker threads that the event subsystem will consume. Events occur asynchronously and are processed by the Event subsystem. This value should be large enough to handle most production situations without introducing much delay, yet small enough not to pose additional load on an already resource-constrained server. A value of 0 will instruct Alpine to allocate 1 thread per CPU core. This can further be tweaked using the dt.worker.thread.multiplier property.

Type	`integer`
Default	`0`
ENV	`DT_WORKER_THREADS`

Task Scheduling¶

dt.task-scheduler.enabled ¶

Defines whether the task scheduler should be enabled.

May be disabled on specific nodes in the cluster to limit the amount of background processing they're doing. Can help with dedicating nodes to only serve web traffic.

Type	`boolean`
Default	`true`
ENV	`DT_TASK_SCHEDULER_ENABLED`

dt.task.defect.dojo.upload.cron * ¶

Cron expression of the DefectDojo upload task.

Type	`cron`
Default	`0 2 * * *`
ENV	`DT_TASK_DEFECT_DOJO_UPLOAD_CRON`

dt.task.epss.mirror.cron * ¶

Cron expression of the EPSS mirroring task.

Type	`cron`
Default	`0 1 * * *`
ENV	`DT_TASK_EPSS_MIRROR_CRON`

dt.task.epss.mirror.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the EPSS mirror task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_EPSS_MIRROR_LOCK_MAX_DURATION`

dt.task.epss.mirror.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the EPSS mirror task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_EPSS_MIRROR_LOCK_MIN_DURATION`

dt.task.expired-session-cleanup.cron * ¶

Cron expression of the expired session cleanup task.

Type	`cron`
Default	`0 * * * *`
ENV	`DT_TASK_EXPIRED_SESSION_CLEANUP_CRON`

dt.task.fortify.ssc.upload.cron * ¶

Cron expression of the Fortify SSC upload task.

Type	`cron`
Default	`0 2 * * *`
ENV	`DT_TASK_FORTIFY_SSC_UPLOAD_CRON`

dt.task.git.hub.advisory.mirror.cron * ¶

Cron expression of the vulnerability GitHub Advisories mirroring task.

Type	`cron`
Default	`0 2 * * *`
ENV	`DT_TASK_GIT_HUB_ADVISORY_MIRROR_CRON`

dt.task.internal.component.identification.cron * ¶

Cron expression of the internal component identification task.

Type	`cron`
Default	`25 /6 * *`
ENV	`DT_TASK_INTERNAL_COMPONENT_IDENTIFICATION_CRON`

dt.task.internal.component.identification.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the internal component identification task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_INTERNAL_COMPONENT_IDENTIFICATION_LOCK_MAX_DURATION`

dt.task.internal.component.identification.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the internal component identification task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT90S`
ENV	`DT_TASK_INTERNAL_COMPONENT_IDENTIFICATION_LOCK_MIN_DURATION`

dt.task.kenna.security.upload.cron * ¶

Cron expression of the Kenna Security upload task.

Type	`cron`
Default	`0 2 * * *`
ENV	`DT_TASK_KENNA_SECURITY_UPLOAD_CRON`

dt.task.ldap.sync.cron * ¶

Cron expression of the LDAP synchronization task.

Type	`cron`
Default	`0 /6 * *`
ENV	`DT_TASK_LDAP_SYNC_CRON`

dt.task.ldap.sync.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the LDAP synchronization task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_LDAP_SYNC_LOCK_MAX_DURATION`

dt.task.ldap.sync.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the LDAP synchronization task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT90S`
ENV	`DT_TASK_LDAP_SYNC_LOCK_MIN_DURATION`

dt.task.metrics.maintenance.cron * ¶

Cron expression of the metrics maintenance task.

The task creates new partitions for the day for the following tables And deletes records older than the configured metrics retention duration from the following tables:

DEPENDENCYMETRICS
PROJECTMETRICS

Type	`cron`
Default	`1 * * * *`
ENV	`DT_TASK_METRICS_MAINTENANCE_CRON`

dt.task.metrics.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the metrics maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_METRICS_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.metrics.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the metrics maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_METRICS_MAINTENANCE_LOCK_MIN_DURATION`

dt.task.nist.mirror.cron * ¶

Cron expression of the NIST / NVD mirroring task.

Type	`cron`
Default	`0 4 * * *`
ENV	`DT_TASK_NIST_MIRROR_CRON`

dt.task.osv.mirror.cron * ¶

Cron expression of the OSV mirroring task.

Type	`cron`
Default	`0 3 * * *`
ENV	`DT_TASK_OSV_MIRROR_CRON`

dt.task.package-metadata-resolution.cron * ¶

Cron expression of the package metadata resolution task.

Note that package metadata resolution is also triggered by other actions, such as BOM uploads. The scheduled execution is mostly relevant for deployments that may sit idle for a long time.

Type	`cron`
Default	`0 1 * * *`
ENV	`DT_TASK_PACKAGE_METADATA_RESOLUTION_CRON`

dt.task.package.metadata.maintenance.cron * ¶

Cron expression of the package metadata maintenance task.

The task deletes orphaned records from the PACKAGE_ARTIFACT_METADATA and PACKAGE_METADATA tables.

Type	`cron`
Default	`0 /12 * *`
ENV	`DT_TASK_PACKAGE_METADATA_MAINTENANCE_CRON`

dt.task.package.metadata.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the package metadata maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_PACKAGE_METADATA_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.package.metadata.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the package metadata maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_PACKAGE_METADATA_MAINTENANCE_LOCK_MIN_DURATION`

dt.task.portfolio-metrics-update.cron * ¶

Cron expression of the portfolio metrics update task.

Type	`cron`
Default	`10 * * * *`
ENV	`DT_TASK_PORTFOLIO_METRICS_UPDATE_CRON`

dt.task.project.maintenance.cron * ¶

Cron expression of the project maintenance task.

The task deletes inactive projects based on retention policy.

Type	`cron`
Default	`0 /4 * *`
ENV	`DT_TASK_PROJECT_MAINTENANCE_CRON`

dt.task.project.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the project maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_PROJECT_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.project.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the project maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_PROJECT_MAINTENANCE_LOCK_MIN_DURATION`

dt.task.scheduled-notification-dispatch.cron * ¶

Cron expression for polling scheduled notification rules that are due for dispatch.

Type	`cron`
Default	`* * * * *`
ENV	`DT_TASK_SCHEDULED_NOTIFICATION_DISPATCH_CRON`

dt.task.tag.maintenance.cron * ¶

Cron expression of the tag maintenance task.

The task deletes orphaned tags that are not used anymore.

Type	`cron`
Default	`0 /12 * *`
ENV	`DT_TASK_TAG_MAINTENANCE_CRON`

dt.task.tag.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the tag maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_TAG_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.tag.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the tag maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_TAG_MAINTENANCE_LOCK_MIN_DURATION`

dt.task.telemetry-submission.cron * ¶

Cron expression of the telemetry submission task.

The task enforces a 24-hour minimum interval between submissions, so the cron expression controls how often the task checks whether a submission is due.

Type	`cron`
Default	`0 /1 * *`
ENV	`DT_TASK_TELEMETRY_SUBMISSION_CRON`

dt.task.vulnerability-policy-bundle-sync.cron * ¶

Cron expression of the vulnerability policy bundle synchronization task.

Has no effect unless dt.vulnerability.policy.bundle.url is also configured.

Type	`cron`
Default	`/15 * * *`
ENV	`DT_TASK_VULNERABILITY_POLICY_BUNDLE_SYNC_CRON`

dt.task.vulnerability.analysis.cron * ¶

Cron expression of the portfolio vulnerability analysis task.

Type	`cron`
Default	`0 6 * * *`
ENV	`DT_TASK_VULNERABILITY_ANALYSIS_CRON`

dt.task.vulnerability.analysis.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the portfolio vulnerability analysis task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_VULNERABILITY_ANALYSIS_LOCK_MAX_DURATION`

dt.task.vulnerability.analysis.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the portfolio vulnerability analysis task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT90S`
ENV	`DT_TASK_VULNERABILITY_ANALYSIS_LOCK_MIN_DURATION`

dt.task.vulnerability.database.maintenance.cron * ¶

Cron expression of the vulnerability database maintenance task.

The task deletes orphaned records from the VULNERABLESOFTWARE table.

Type	`cron`
Default	`0 0 * * *`
ENV	`DT_TASK_VULNERABILITY_DATABASE_MAINTENANCE_CRON`

dt.task.vulnerability.database.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_VULNERABILITY_DATABASE_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.vulnerability.database.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_VULNERABILITY_DATABASE_MAINTENANCE_LOCK_MIN_DURATION`

dt.task.vulnerability.metrics.update.cron * ¶

Cron expression of the vulnerability metrics update task.

Type	`cron`
Default	`40 * * * *`
ENV	`DT_TASK_VULNERABILITY_METRICS_UPDATE_CRON`

dt.task.vulnerability.metrics.update.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the vulnerability metrics update task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT15M`
ENV	`DT_TASK_VULNERABILITY_METRICS_UPDATE_LOCK_MAX_DURATION`

dt.task.vulnerability.metrics.update.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the vulnerability metrics update task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT90S`
ENV	`DT_TASK_VULNERABILITY_METRICS_UPDATE_LOCK_MIN_DURATION`

dt.task.workflow.maintenance.cron * ¶

Cron expression of the workflow maintenance task.

The task:

Transitions workflow steps from PENDING to TIMED_OUT state
Transitions workflow steps from TIMED_OUT to FAILED state
Transitions children of FAILED steps to CANCELLED state
Deletes finished workflows according to the configured retention duration

Type	`cron`
Default	`/15 * * *`
ENV	`DT_TASK_WORKFLOW_MAINTENANCE_CRON`

dt.task.workflow.maintenance.lock.max.duration * ¶

Maximum duration in ISO 8601 format for which the workflow maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Type	`duration`
Default	`PT5M`
ENV	`DT_TASK_WORKFLOW_MAINTENANCE_LOCK_MAX_DURATION`

dt.task.workflow.maintenance.lock.min.duration * ¶

Minimum duration in ISO 8601 format for which the workflow maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Type	`duration`
Default	`PT1M`
ENV	`DT_TASK_WORKFLOW_MAINTENANCE_LOCK_MIN_DURATION`

Vulnerability Analysis¶

dt.vuln-analyzer.internal.datasource.name ¶

Defines the name of the data source to be used by the internal vulnerability analyzer.

The internal analyzer performs no database writes, so this data source could point to a read replica if needed.

Type	`string`
Default	`default`
ENV	`DT_VULN_ANALYZER_INTERNAL_DATASOURCE_NAME`

dt.vuln-analyzer.internal.enabled ¶

Defines whether the internal vulnerability analyzer is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_VULN_ANALYZER_INTERNAL_ENABLED`

dt.vuln-analyzer.oss-index.allow-local-connections ¶

Defines whether the OSS Index vulnerability analyzer is allowed to connect to local hosts.

Type	`boolean`
Default	`false`
ENV	`DT_VULN_ANALYZER_OSS_INDEX_ALLOW_LOCAL_CONNECTIONS`

dt.vuln-analyzer.oss-index.enabled ¶

Defines whether the OSS Index vulnerability analyzer is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_VULN_ANALYZER_OSS_INDEX_ENABLED`

dt.vuln-analyzer.snyk.api-version ¶

Defines the Snyk REST API version to use.

Should only be changed if the default version is discontinued by Snyk and an upgrade of Dependency-Track is not immediately possible.

Type	`string`
Default	`2025-11-05`
ENV	`DT_VULN_ANALYZER_SNYK_API_VERSION`

dt.vuln-analyzer.snyk.enabled ¶

Defines whether the Snyk vulnerability analyzer is enabled.

Type	`boolean`
Default	`true`
ENV	`DT_VULN_ANALYZER_SNYK_ENABLED`