Dependency-Track

Dependency-Track reporter that uploads CycloneDX SBOMs to a Dependency-Track instance and converts the vulnerabilities Dependency-Track reports for the project into OCSF format.

How to use

Open-Source

  1. Add the component to the workflow:

```yaml
# file ./my-workflow/workflow.yml
description: Dependency-Track based workflow
name: dependency-track
components:
  - component: ghcr.io/smithy-security/smithy/manifests/components/targets/git-clone:v1.4.0
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/cdxgen:v1.0.0
  - component: file://components/reporters/dependency-track/component.yaml
  - component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.0.2
```
  2. Configure the run parameters of the component in the overrides file:

```yaml
# file: ./my-workflow/overrides.yaml
git-clone:
  - name: "repo_url"
    type: "string"
    value: "https://github.com/example/my-project.git"
  - name: "reference"
    type: "string"
    value: "main"
dependency-track:
  - name: "dependencytrack_base_url"
    type: "string"
    value: "https://your-dependency-track-instance.com"
  - name: "dependencytrack_api_token"
    type: "string"
    value: "your-api-token-here"
  - name: "project_name"
    type: "string"
    value: "my-project"
  - name: "project_version"
    type: "string"
    value: "1.0.0"
  - name: "sbom_file_path"
    type: "string"
    value: "/path/to/sbom.json"
```

SaaS

  1. In the Smithy UI, open the page to create a new workflow.
  2. Find the Dependency-Track component in the Reporters dropdown.
  3. Fill in the form on the right.

Options

You can configure this component with the following options. The options that have a default value are optional:

| Option Name | Description | Default | Type |
|---|---|---|---|
| [Required] `dependencytrack_base_url` | The base URL to your Dependency-Track instance. | | String |
| [Required] `dependencytrack_api_token` | The API token for authenticating with your Dependency-Track instance. | | String |
| [Required] `project_name` | The name of the project in Dependency-Track where the SBOM will be uploaded. | | String |
| [Required] `project_version` | The version of the project in Dependency-Track where the SBOM will be uploaded. | | String |
| [Required] `sbom_file_path` | The file path to the CycloneDX SBOM file that will be uploaded to Dependency-Track. | | String |
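A pre-flight check of the `dependency-track` section of the overrides file against the options table above, as an added example (not part of the Smithy component itself): it confirms every required option is present with a non-empty string value, that the base URL is https so the API token is not sent in the clear, and that the placeholder token from the example has been replaced. The sample dict is the parsed form of the overrides.yaml shown earlier, as PyYAML's `safe_load` would return it.

```python
from urllib.parse import urlparse

# Required options, taken from the component's Options table.
REQUIRED_OPTIONS = (
    "dependencytrack_base_url",
    "dependencytrack_api_token",
    "project_name",
    "project_version",
    "sbom_file_path",
)
PLACEHOLDER_TOKEN = "your-api-token-here"  # the value shown in the docs example

def check_dependency_track(overrides):
    """Return a list of problems in overrides["dependency-track"]; empty means OK."""
    entries = overrides.get("dependency-track")
    if not isinstance(entries, list):
        return ["missing 'dependency-track' section in overrides"]
    opts = {e.get("name"): e for e in entries}
    problems = []
    for name in REQUIRED_OPTIONS:
        entry = opts.get(name)
        if entry is None:
            problems.append(f"missing required option '{name}'")
        elif entry.get("type") != "string":
            problems.append(f"option '{name}' must have type 'string'")
        elif not str(entry.get("value", "")).strip():
            problems.append(f"option '{name}' has an empty value")
    # The API token accompanies every request, so the base URL must be https;
    # over plain http the token crosses the network unencrypted.
    url = str(opts.get("dependencytrack_base_url", {}).get("value", ""))
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("dependencytrack_base_url is not a valid http(s) URL")
    elif parsed.scheme == "http":
        problems.append("dependencytrack_base_url uses plain http; use https")
    token = str(opts.get("dependencytrack_api_token", {}).get("value", ""))
    if token == PLACEHOLDER_TOKEN:
        problems.append("dependencytrack_api_token still holds the docs placeholder")
    return problems

# Constructed sample: the parsed form of the overrides.yaml shown in this page.
SAMPLE_OVERRIDES = {"dependency-track": [
    {"name": "dependencytrack_base_url", "type": "string", "value": "https://your-dependency-track-instance.com"},
    {"name": "dependencytrack_api_token", "type": "string", "value": "your-api-token-here"},
    {"name": "project_name", "type": "string", "value": "my-project"},
    {"name": "project_version", "type": "string", "value": "1.0.0"},
    {"name": "sbom_file_path", "type": "string", "value": "/path/to/sbom.json"},
]}
```

Run `check_dependency_track(SAMPLE_OVERRIDES)` before starting the workflow; on the docs sample it reports only the placeholder token, and on a real file it should return an empty list.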