docker.recipes

Dependency-Track

intermediate

Software composition analysis and supply chain security.

Overview

Dependency-Track is an intelligent Software Composition Analysis (SCA) platform designed to identify, track, and reduce risk across software supply chains through continuous monitoring of third-party and open source components. The dependency-track-api serves as the core engine, processing Software Bills of Materials (SBOMs), correlating component data with vulnerability databases like the National Vulnerability Database (NVD), OSS Index, and GitHub Security Advisories, while performing license risk analysis and policy enforcement. The dependency-track-frontend provides an intuitive web interface for visualization, reporting, and management of component inventories and security findings. This PostgreSQL-backed deployment creates a comprehensive supply chain security monitoring system capable of ingesting SBOMs in CycloneDX, SPDX, and SWID formats while providing real-time vulnerability intelligence, policy violation alerts, and detailed risk metrics across your entire software portfolio. Organizations implementing DevSecOps practices, compliance teams managing software inventories, and security teams responsible for third-party risk assessment will find this stack essential for maintaining visibility into component vulnerabilities, license compliance issues, and supply chain threats throughout the software development lifecycle.

Key Features

  • Multi-format SBOM ingestion supporting CycloneDX, SPDX 2.2/2.3, and SWID tag formats with automated component identification and cataloging
  • Continuous vulnerability monitoring against multiple intelligence sources including NVD, OSS Index, GitHub Security Advisories, and VulnDB with real-time updates
  • Component risk scoring and prioritization using CVSS metrics, EPSS probability scores, and exploitability assessments
  • License risk analysis and compliance tracking with configurable policy enforcement for prohibited, restricted, and approved licenses
  • Portfolio-wide vulnerability trending and metrics with executive dashboards showing risk reduction over time
  • Webhook and notification integrations supporting Slack, Microsoft Teams, email alerts, and custom endpoints for policy violations
  • RESTful API with comprehensive endpoints for SBOM uploads, vulnerability queries, and integration with CI/CD pipelines
  • Component aging analysis identifying outdated dependencies and recommending version upgrades with security impact assessment

Common Use Cases

  1. Enterprise software composition analysis for tracking vulnerabilities across hundreds of applications and their third-party dependencies
  2. DevSecOps pipeline integration for automated SBOM analysis during CI/CD builds with build-breaking policy violations
  3. Regulatory compliance reporting for industries requiring software inventory documentation like healthcare, finance, and government contracting
  4. Vendor risk assessment programs where procurement teams evaluate third-party software components for security and licensing risks
  5. Incident response support for rapidly identifying which applications contain specific vulnerable components during security events
  6. Open source governance programs managing approved component libraries and enforcing corporate licensing policies
  7. Supply chain security monitoring for detecting newly disclosed vulnerabilities in previously approved software components

Prerequisites

  • Minimum 4GB RAM allocated to Docker with 8GB recommended for organizations processing large SBOM portfolios
  • PostgreSQL database storage planning with at least 10GB initial space, scaling based on component inventory size and retention policies
  • Port availability for 8080 (frontend), 8081 (API), and 5432 (PostgreSQL) with firewall configurations allowing access from client networks
  • Understanding of SBOM generation tools like CycloneDX CLI, Syft, or Trivy for creating software inventories from your applications
  • Network connectivity for vulnerability database synchronization requiring outbound HTTPS access to NVD, OSS Index, and other intelligence sources
  • Database password configuration through environment variables with secure credential management practices

This recipe is intended for development and testing. Review the security settings, change the default credentials (the .env placeholder and the admin/admin login), and test thoroughly before any production use.

docker-compose.yml

services:
  dtrack-api:
    image: dependencytrack/apiserver:latest
    container_name: dtrack-api
    restart: unless-stopped
    environment:
      ALPINE_DATABASE_MODE: external
      ALPINE_DATABASE_URL: jdbc:postgresql://dtrack-db:5432/dtrack
      ALPINE_DATABASE_DRIVER: org.postgresql.Driver
      ALPINE_DATABASE_USERNAME: dtrack
      ALPINE_DATABASE_PASSWORD: ${DB_PASSWORD}
    ports:
      - "8081:8080"
    volumes:
      - dtrack_data:/data
    depends_on:
      - dtrack-db

  dtrack-frontend:
    image: dependencytrack/frontend:latest
    container_name: dtrack-frontend
    restart: unless-stopped
    environment:
      API_BASE_URL: http://localhost:8081
    ports:
      - "8080:8080"
    depends_on:
      - dtrack-api

  dtrack-db:
    image: postgres:15-alpine
    container_name: dtrack-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: dtrack
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: dtrack
    volumes:
      - dtrack_db:/var/lib/postgresql/data

volumes:
  dtrack_data:
  dtrack_db:

.env Template

.env
DB_PASSWORD=changeme
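The same DB_PASSWORD value is substituted into both the dtrack-api service (ALPINE_DATABASE_PASSWORD) and the dtrack-db service (POSTGRES_PASSWORD), so the one entry in .env has to be strong and must not stay at the template placeholder. The following helper is an added example, not part of the docker.recipes recipe or of Dependency-Track itself: it writes a .env with a random password and mode 0600, refuses to overwrite an existing file, and checks an existing .env for the placeholder, for short values, and for characters that Compose variable substitution or YAML quoting would mangle. The list of rejected placeholder values and the 16-character floor are assumptions chosen for the example.

```python
"""Generate and check the DB_PASSWORD entry of the Dependency-Track .env file.

Added example; not code from docker.recipes or the Dependency-Track project.
"""
import os
import secrets

# Assumed list of placeholder values to reject (constructed for this example).
PLACEHOLDERS = {"changeme", "password", "postgres", "dtrack", ""}
MIN_LENGTH = 16  # assumed floor for the example


def parse_env(text):
    """Minimal KEY=VALUE parser for a .env file; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def check_env(text):
    """Return a list of problems with DB_PASSWORD (an empty list means it is acceptable)."""
    password = parse_env(text).get("DB_PASSWORD")
    if password is None:
        return ["DB_PASSWORD is not set"]
    problems = []
    if password.lower() in PLACEHOLDERS:
        problems.append("DB_PASSWORD is a placeholder value")
    if len(password) < MIN_LENGTH:
        problems.append("DB_PASSWORD is shorter than %d characters" % MIN_LENGTH)
    # '$' triggers Compose substitution; quotes and spaces break YAML/.env quoting.
    if any(c in password for c in " $\"'"):
        problems.append("DB_PASSWORD contains characters that break compose/YAML quoting")
    return problems


def write_env(path, nbytes=24):
    """Create .env with a random URL-safe DB_PASSWORD, mode 0600, never overwriting."""
    password = secrets.token_urlsafe(nbytes)  # only [A-Za-z0-9_-], safe for .env and YAML
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("DB_PASSWORD=%s\n" % password)
    return password


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else ".env"
    if os.path.exists(target):
        with open(target) as f:
            issues = check_env(f.read())
        print("\n".join(issues) if issues else "%s: DB_PASSWORD looks acceptable" % target)
        sys.exit(1 if issues else 0)
    write_env(target)
    print("wrote %s with a generated DB_PASSWORD" % target)
```

Run it once before `docker compose up -d`; a non-zero exit on an existing .env means the placeholder (or another weak value) is still in place. Because both containers read the same variable, changing it later requires recreating the database volume or changing the role password inside PostgreSQL as well.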

Usage Notes

  1. Docs: https://docs.dependencytrack.org/
  2. Access at http://localhost:8080 (frontend) - default: admin/admin
  3. API at http://localhost:8081 - generate API key in UI for automation
  4. Upload SBOMs: CycloneDX (preferred), SPDX, or VEX formats
  5. Generate SBOM: cyclonedx-cli/syft/trivy for various ecosystems
  6. Policy violations and vulnerability alerts via webhooks/email
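The API key from step 3 is what a CI job uses to push SBOMs and read back findings, which is how the "build-breaking" integration listed under Common Use Cases works in practice. The script below is an added example, not code from docker.recipes or the Dependency-Track project: it uploads a constructed CycloneDX SBOM to the API server published on host port 8081 by this recipe, polls the processing token until analysis is complete, looks the project up, and returns the findings at or above a severity threshold so the job can exit non-zero. It assumes the documented REST endpoints PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup and GET /api/v1/finding/project/{uuid}, the X-Api-Key header, and a key carried in a DT_API_KEY environment variable (name chosen for the example); the sample SBOM, project name and threshold are constructed values.

```python
"""CI gate for Dependency-Track: upload a CycloneDX SBOM, wait for analysis,
and return findings at or above a severity threshold so the build can fail.

Added example; not code from docker.recipes or the Dependency-Track project.
Assumptions: API server at http://localhost:8081 (this recipe's port mapping),
DT_API_KEY holds a key generated in the UI with BOM_UPLOAD, VIEW_VULNERABILITY
and (for autoCreate) PROJECT_CREATION_UPLOAD permissions.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

API_URL = "http://localhost:8081"  # host port mapped to the API server in the compose file

# Severity names Dependency-Track uses on findings, ranked for threshold comparison.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed minimal CycloneDX 1.4 SBOM with one component (sample input, not a real inventory).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:maven/org.example/example-lib@1.0.0"}
    ],
}


def build_upload_payload(project, version, bom):
    """Body for PUT /api/v1/bom: the SBOM document travels base64-encoded."""
    return {
        "projectName": project,
        "projectVersion": version,
        "autoCreate": True,  # create the project on first upload
        "bom": base64.b64encode(json.dumps(bom).encode()).decode(),
    }


def decode_payload_bom(payload):
    """Inverse of build_upload_payload, used to verify the encoding round-trips."""
    return json.loads(base64.b64decode(payload["bom"]))


def call(method, path, api_key, body=None, query=None, opener=urllib.request.urlopen):
    """One JSON request against the API; `opener` is injectable for offline testing."""
    url = API_URL + path + ("?" + urllib.parse.urlencode(query) if query else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Api-Key", api_key)  # Dependency-Track's API-key header
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with opener(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def findings_at_or_above(findings, threshold):
    """Keep findings whose vulnerability.severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f["vulnerability"]["severity"], 0) >= floor]


def run_gate(project, version, bom, api_key, threshold="HIGH",
             opener=urllib.request.urlopen, sleep=time.sleep, max_polls=60):
    """Upload the BOM, poll the processing token, then return the gating findings."""
    payload = build_upload_payload(project, version, bom)
    token = call("PUT", "/api/v1/bom", api_key, body=payload, opener=opener)["token"]
    for _ in range(max_polls):
        status = call("GET", "/api/v1/bom/token/%s" % token, api_key, opener=opener)
        if not status["processing"]:
            break
        sleep(2)
    else:
        raise TimeoutError("BOM still processing after %d polls" % max_polls)
    proj = call("GET", "/api/v1/project/lookup", api_key,
                query={"name": project, "version": version}, opener=opener)
    findings = call("GET", "/api/v1/finding/project/%s" % proj["uuid"], api_key, opener=opener)
    return findings_at_or_above(findings, threshold)


if __name__ == "__main__":
    key = os.environ.get("DT_API_KEY")
    if not key:
        sys.exit("set DT_API_KEY to a key generated in the Dependency-Track UI")
    blocking = run_gate("example-app", "1.0.0", SAMPLE_BOM, key)
    for f in blocking:
        print(f["vulnerability"]["vulnId"], f["vulnerability"]["severity"],
              f["component"]["name"])
    sys.exit(1 if blocking else 0)  # non-zero exit breaks the build
```

The `opener` and `sleep` parameters exist so the gate logic can be exercised without a running server; in a pipeline, pass the SBOM produced by cyclonedx-cli, syft or trivy instead of SAMPLE_BOM. Polling the token matters: findings requested before processing has finished reflect the previous upload, not the current build.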

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

dtrack-api
dtrack-api:
  image: dependencytrack/apiserver:latest
  container_name: dtrack-api
  restart: unless-stopped
  environment:
    ALPINE_DATABASE_MODE: external
    ALPINE_DATABASE_URL: jdbc:postgresql://dtrack-db:5432/dtrack
    ALPINE_DATABASE_DRIVER: org.postgresql.Driver
    ALPINE_DATABASE_USERNAME: dtrack
    ALPINE_DATABASE_PASSWORD: ${DB_PASSWORD}
  ports:
    - "8081:8080"
  volumes:
    - dtrack_data:/data
  depends_on:
    - dtrack-db
dtrack-frontend
dtrack-frontend:
  image: dependencytrack/frontend:latest
  container_name: dtrack-frontend
  restart: unless-stopped
  environment:
    API_BASE_URL: http://localhost:8081
  ports:
    - "8080:8080"
  depends_on:
    - dtrack-api
dtrack-db
dtrack-db:
  image: postgres:15-alpine
  container_name: dtrack-db
  restart: unless-stopped
  environment:
    POSTGRES_USER: dtrack
    POSTGRES_PASSWORD: ${DB_PASSWORD}
    POSTGRES_DB: dtrack
  volumes:
    - dtrack_db:/var/lib/postgresql/data

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  dtrack-api:
    image: dependencytrack/apiserver:latest
    container_name: dtrack-api
    restart: unless-stopped
    environment:
      ALPINE_DATABASE_MODE: external
      ALPINE_DATABASE_URL: jdbc:postgresql://dtrack-db:5432/dtrack
      ALPINE_DATABASE_DRIVER: org.postgresql.Driver
      ALPINE_DATABASE_USERNAME: dtrack
      ALPINE_DATABASE_PASSWORD: ${DB_PASSWORD}
    ports:
      - "8081:8080"
    volumes:
      - dtrack_data:/data
    depends_on:
      - dtrack-db

  dtrack-frontend:
    image: dependencytrack/frontend:latest
    container_name: dtrack-frontend
    restart: unless-stopped
    environment:
      API_BASE_URL: http://localhost:8081
    ports:
      - "8080:8080"
    depends_on:
      - dtrack-api

  dtrack-db:
    image: postgres:15-alpine
    container_name: dtrack-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: dtrack
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: dtrack
    volumes:
      - dtrack_db:/var/lib/postgresql/data

volumes:
  dtrack_data:
  dtrack_db:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
DB_PASSWORD=changeme
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step (download the script to a file first if you want to read it before it executes):

terminal
curl -fsSL https://docker.recipes/api/recipes/dependency-track/run | bash

Troubleshooting

  • Database connection failures with 'could not connect to server': Verify that the PostgreSQL container has finished starting and that the DB_PASSWORD environment variable resolves to the same value for the API server (ALPINE_DATABASE_PASSWORD) and the database container (POSTGRES_PASSWORD)
  • Frontend showing 'API Server Unavailable': Check API_BASE_URL environment variable points to correct API server address and port 8081 accessibility from frontend container
  • SBOM upload failures with 'unsupported format' errors: Ensure SBOM files are valid CycloneDX JSON/XML, SPDX 2.2+ JSON, or contain proper component structure with required fields
  • Vulnerability data not updating with outdated CVE information: Verify outbound internet connectivity from API container and check vulnerability source configurations in administration settings
  • High memory usage during vulnerability analysis: Increase Docker memory limits and consider adjusting ALPINE_DATABASE_POOL_MAX_SIZE for connection optimization
  • Policy violations not triggering notifications: Confirm webhook URLs are accessible, notification rules are enabled, and policy conditions match your component criteria


Components

dependency-track-api, dependency-track-frontend

Tags

#dependency-track #sbom #security #vulnerabilities

Category

DevOps & CI/CD