Dependencytrack is a tool for scanning dependencies for vulnerabilities.
NAIS maintains this repository, which includes:
- 📦 Helm charts for Kubernetes deployments
- 🔧 Pre-install and post-install bootstrap configuration
- 🗄️ StatefulSet configuration for persistence and zero-downtime deployments
This repository includes a Go client for Dependencytrack, making it easy to integrate with your implementations. The client is designed to be extensible—feel free to expand the interface with additional functionality as needed.
To use the client in your projects, import it as follows:

```shell
go get -u github.com/nais/dependencytrack@HEAD
```

1. Install the required tools:

   ```shell
   asdf install
   ```

2. Start Dependencytrack locally:

   ```shell
   make compose
   ```

3. Configure environment variables:
   - Copy `.env.sample` to `.env`
   - Fill in the necessary configuration values

4. Access the services:
   - Dependencytrack UI: http://localhost:9000
   - API: http://localhost:9001
   - Swagger UI: http://localhost:9002
The users.yaml file contains pre-configured users for automated testing. You can modify this file to add or update test users as needed.
The container images are signed using Sigstore cosign for authenticity verification. To verify a signature, pin the image by digest and check that the signing identity is this repository's `main.yaml` workflow on the `main` branch:

```shell
cosign verify \
  --certificate-identity "https://github.com/nais/dependencytrack/.github/workflows/main.yaml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  europe-north1-docker.pkg.dev/nais-io/nais/images/dependencytrack@sha256:<shasum>
```

Images are attested with CycloneDX SBOMs. To verify the attestation:

```shell
cosign verify-attestation --type cyclonedx \
  --certificate-identity "https://github.com/nais/dependencytrack/.github/workflows/main.yaml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  europe-north1-docker.pkg.dev/nais-io/nais/images/dependencytrack@sha256:<shasum>
```

nais/Dependencytrack is licensed under the MIT License. See LICENSE.md for details.