Publishers

Restricting local connections

For destinations that accept arbitrary endpoints, Dependency-Track blocks connections to local and loopback addresses by default to prevent server-side request forgery. Operators can override this per publisher via dt.notification-publisher.email.allow-local-connections and dt.notification-publisher.kafka.allow-local-connections. Leave both false outside of development and trusted single-host deployments.
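The following operator-side pre-check illustrates the kind of destination filtering described above. It is an added example, not Dependency-Track's own code. Treating private, link-local and unspecified ranges as "local" alongside loopback is an assumption, and `check_destination`, `sample_resolver` and the sample host names are hypothetical.

```python
import ipaddress
import socket

def is_local_address(ip_text):
    """True for loopback, private, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the IPv4 address inside.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified)

def resolve_all(host):
    """Default resolver: every address the name resolves to right now."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_destination(host, allow_local=False, resolver=resolve_all):
    """Return (allowed, reason) for a publisher destination host.

    allow_local mirrors the intent of the allow-local-connections switch.
    Every resolved address is checked: one local address among public ones
    is enough to reject, because the client may connect to any of them.
    """
    try:
        addresses = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:  # not an IP literal, so resolve the name
        addresses = resolver(host)
    if not addresses:
        return False, "host did not resolve"
    local = [a for a in addresses if is_local_address(a)]
    if local and not allow_local:
        return False, "resolves to local address: " + ", ".join(local)
    return True, "ok"

# Constructed sample data: a fake resolver so the example runs offline.
# 8.8.8.8 stands in for any public address; the host names are made up.
SAMPLE_DNS = {
    "smtp.mail.example": ["8.8.8.8"],
    "kafka.broker.example": ["8.8.8.8", "127.0.0.1"],
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for h in ["smtp.mail.example", "kafka.broker.example", "[::1]", "10.1.2.3"]:
        print(h, check_destination(h, resolver=sample_resolver))
```

A pre-check like this only reflects DNS at the moment it runs, so it complements the server-side block and is no substitute for it.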

Console

Publishes notifications by writing them to standard output.

This publisher targets testing scenarios. It exposes no configuration options.

Email

Publishes notifications as emails. The publisher supports the SMTP and SMTPS protocols.

Global Config

The global configuration defines how Dependency-Track connects to your email server.

email publisher global config

Alert Config

The alert configuration defines the recipients of email notifications, along with an optional subject prefix.

email publisher alert config

Beyond listing recipient addresses explicitly, you can also name one or more teams as recipients. When you name teams, the publisher delivers emails to every member of those teams.

You can mix explicit recipient addresses and teams, but you must configure at least one of the two.

Jira

Publishes notifications by creating issues in an Atlassian Jira instance.

Global Config

The global configuration defines how Dependency-Track connects to your Jira server.

Jira publisher global config

Alert Config

The alert configuration defines properties of the issues to create.

Jira publisher alert config

Note

Selecting teams as recipients has no effect for this publisher.

Kafka

Publishes notifications by emitting records to an Apache Kafka cluster.

Global Config

The global configuration defines how Dependency-Track connects to your Kafka cluster.

Kafka publisher global config

Configuring TLS

When enabling TLS, you must supply the certificate of the certificate authority (CA) that signed the certificate your Kafka brokers use. The certificate must be in PEM format and must not be encrypted (that is, not password-protected).

Configuring mTLS

When enabling mutual TLS, you must supply a client certificate and key in PEM format. Neither may be encrypted. The client key must be a managed secret.

Default Producer Configs

Dependency-Track applies the following configs to the underlying Kafka producer by default:

Alert Config

The alert config defines the destination and format of Kafka records emitted by the publisher.

Kafka publisher alert config

Note

Selecting teams as recipients has no effect for this publisher.

Protobuf

Publish notifications in Protobuf format whenever possible. Dependency-Track keeps changes to the Protobuf schema backward-compatible, which matters when a durable log like Kafka retains the notifications. See the Notification schema reference to download the .proto file and generate client code.

Templating

The Kafka publisher ships without a default template, since it targets Protobuf. If you prefer a different payload format, configure a custom template first.

Record Keys

If a notification's subject is a project (as for groups like BOM_CONSUMED, NEW_VULNERABILITY etc.), the Kafka record key holds the project's UUID. If the notification's subject is not a project, the key is null.

Mattermost

Publishes notifications as Mattermost messages.

Alert Config

The alert config defines the destination of Mattermost messages.

This should be the URL of an incoming Webhook.

Note

Selecting teams as recipients has no effect for this publisher.

Microsoft Teams

Publishes notifications as Microsoft Teams messages.

Alert Config

The alert config defines the destination of Microsoft Teams messages.

This should be the URL of an incoming Webhook.

Note

Selecting teams as recipients has no effect for this publisher.

Slack

Publishes notifications as Slack messages.

Alert Config

The alert config defines the destination of Slack messages.

This should be the URL of an incoming Webhook.

Note

Selecting teams as recipients has no effect for this publisher.

Webex

Publishes notifications as Cisco Webex messages.

Alert Config

The alert config defines the destination of Cisco Webex messages.

This should be the URL of an incoming Webhook.

Note

Selecting teams as recipients has no effect for this publisher.

Webhook

Publishes notifications as Webhooks.

Alert Config

Note

Selecting teams as recipients has no effect for this publisher.