Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM).

Chainloop can be configured to automatically send any CycloneDX Software Bill of Materials that has been received as part of an attestation to a Dependency-Track instance. Any SBOM_CYCLONEDX_JSON piece of evidence received during the attestation process will be sent to Dependency-Track. See below an example of a contract that includes a SBOM_CYCLONEDX_JSON material.

The Dependency-Track API key used by the integration needs the BOM_UPLOAD and VIEW_PORTFOLIO permissions (the latter to validate that the provided project ID exists) and, optionally, PROJECT_CREATION_UPLOAD if project auto-creation is enabled (more on that later). The API key can be created by going to Settings -> Access Management -> Teams -> Select (or create) a Team -> Set permissions -> Copy API key.

Registration is completed with the Register button. The integration is then attached to the workflow whose SBOM_CYCLONEDX_JSON material will be forwarded, and the attachment is confirmed with the Attach button.

During attachment, the SBOM can be sent to an existing project identified by its projectID, or a new project can be created with the name given by projectName (for example, example-project). For the latter to work, you need to make sure that the integration was set up with the --allow-project-auto-create option. Furthermore, you can request that the new project be created as a child of an existing one given by parentID, which lets you group projects in Dependency-Track. Which material is forwarded can be narrowed with the filter option.

The project name can also be derived from annotations by using the {{ .Material.Annotations.Component }} or {{ .Attestation.Annotations.Asset }} templates during attachment; these would resolve, for example, to project-controlplane or project-controlplane-oss respectively.
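As an added illustration (not Chainloop's own code), the following Go program shows how such a projectName template resolves against the material and attestation annotations, and why a missing annotation should be rejected instead of silently rendering as a project name. The Annotated and TemplateContext types are assumed stand-ins for whatever Chainloop passes to the template, and the annotation values are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Annotated carries the annotations of one object visible at attestation time.
// Hypothetical stand-in for Chainloop's real template input, not its actual type.
type Annotated struct {
	Annotations map[string]string
}

// TemplateContext exposes the two roots the docs use: .Material and .Attestation.
type TemplateContext struct {
	Material    Annotated
	Attestation Annotated
}

// ResolveProjectName renders a projectName template against the annotation
// context. It fails closed: a missing annotation is an error rather than the
// "<no value>" text/template emits by default, and an empty result is rejected,
// so an SBOM is never uploaded under an unintended project name.
func ResolveProjectName(tmpl string, ctx TemplateContext) (string, error) {
	t, err := template.New("projectName").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse projectName template: %w", err)
	}
	var out bytes.Buffer
	if err := t.Execute(&out, ctx); err != nil {
		return "", fmt.Errorf("render projectName template: %w", err)
	}
	if out.Len() == 0 {
		return "", fmt.Errorf("projectName template %q rendered to an empty name", tmpl)
	}
	return out.String(), nil
}

func main() {
	// Constructed sample annotations matching the outcomes described above.
	ctx := TemplateContext{
		Material:    Annotated{Annotations: map[string]string{"Component": "project-controlplane"}},
		Attestation: Annotated{Annotations: map[string]string{"Asset": "project-controlplane-oss"}},
	}
	for _, tmpl := range []string{
		"{{ .Material.Annotations.Component }}",
		"{{ .Attestation.Annotations.Asset }}",
		"{{ .Material.Annotations.Team }}", // never annotated: rejected, not "<no value>"
	} {
		name, err := ResolveProjectName(tmpl, ctx)
		fmt.Printf("%-40s -> %q err=%v\n", tmpl, name, err)
	}
}
```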