File Storage

Dependency-Track uses file storage for intermediate data during background processing, including uploaded BOMs, vulnerability analysis results, and large notifications. Files are short-lived and automatically cleaned up after processing.

The storage provider is selected via dt.file-storage.provider.

Both providers compress stored files using zstd. The compression level is configurable per provider (default: 5, range: -7 to 22). Higher levels yield better compression at the cost of CPU.

Providers

Local

The local provider stores files on the local filesystem. This is the default.

dt.file-storage.provider=local
dt.file-storage.local.directory=/data/storage

When running multiple instances, all nodes must have access to the same directory. A shared persistent volume (e.g. NFS) works well for this.

Configuration:

• dt.file-storage.local.directory
• dt.file-storage.local.compression.level

S3

The s3 provider stores files in an S3-compatible object store (AWS S3, MinIO, etc.). Use this when a shared volume is impractical.

The bucket must exist before startup. Dependency-Track will verify its existence and fail to start if it's not found.

dt.file-storage.provider=s3
dt.file-storage.s3.endpoint=https://s3.amazonaws.com
dt.file-storage.s3.bucket=dtrack-files
dt.file-storage.s3.access.key=<access-key>
dt.file-storage.s3.secret.key=<secret-key>
dt.file-storage.s3.region=us-east-1

Configuration:

• dt.file-storage.s3.endpoint
• dt.file-storage.s3.bucket
• dt.file-storage.s3.access.key
• dt.file-storage.s3.secret.key
• dt.file-storage.s3.region
• dt.file-storage.s3.compression.level
• dt.file-storage.s3.connect-timeout-ms
• dt.file-storage.s3.read-timeout-ms
• dt.file-storage.s3.write-timeout-ms