Integrate Dependency-Track into your Azure DevOps pipelines to automatically upload and assess SBOM (Software Bill of Materials) files for known vulnerabilities.
- Upload SBOMs (CycloneDX format) to Dependency-Track
- Automatically create projects if they don’t exist
- Fail builds based on vulnerability thresholds and policies
- Supports both manual API key input and service connections
Install the extension from the Azure DevOps Marketplace.
```yaml
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack@1
  displayName: 'Upload SBOM to Dependency-Track'
  inputs:
    # Same directory the BOM was written to in the previous step
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjName: 'my-app'
    dtrackProjVersion: '1.0.0'
    dtrackAPIKey: '$(DTRACK_API_KEY)'
    dtrackURI: 'https://dependency-track.example.com/'
    dtrackProjAutoCreate: true
    thresholdAction: 'warn'
    thresholdCritical: 0
    thresholdHigh: 5
```

| Name | Description |
|---|---|
| bomFilePath | Path to the SBOM file (e.g. `**/bom.xml`) |
| serviceConnection, or dtrackAPIKey and dtrackURI | Service connection, or API key and URL of the Dependency-Track server |
Provide one of the following:
| Name | Description |
|---|---|
| dtrackProjId | Existing project UUID |
| dtrackProjName and dtrackProjVersion | Project name and version (with optional auto-create) |
| Name | Description |
|---|---|
| dtrackProjAutoCreate | Auto-create the project if it doesn't exist |
| dtrackProjDescription | Set the project description |
| dtrackProjTags | Set the project tags (each tag on a new line) |
| dtrackProjSwidTagId | Set the project SWID Tag Id |
| dtrackProjGroup | Set the project namespace / group / vendor identifier |
| dtrackProjClassifier | Classifier (e.g., APPLICATION, FRAMEWORK, etc.) |
| dtrackParentProjName | Parent project name (with optional auto-create) |
| dtrackParentProjVersion | Parent project version (with optional auto-create) |
| dtrackIsLatest | Sets the project as the latest version. Defaults to false. |
The following table outlines the minimum permissions required in Dependency-Track for each operation:
| Use Case | Required Permissions |
|---|---|
| Basic upload to existing project | BOM_UPLOAD |
| Upload and create project | BOM_UPLOAD + PROJECT_CREATION_UPLOAD |
| Use thresholds | VIEW_PORTFOLIO |
| Update project properties | PORTFOLIO_MANAGEMENT |
For most CI/CD scenarios:
BOM_UPLOAD + PROJECT_CREATION_UPLOAD + VIEW_PORTFOLIO
Add PORTFOLIO_MANAGEMENT if you need to set project descriptions, tags, or other properties.
Use these inputs to warn or fail the build based on detected vulnerabilities:
| Name | Description |
|---|---|
| thresholdAction | none (default), warn, or error |
| thresholdCritical | Max allowed critical vulnerabilities |
| thresholdHigh | Max allowed high vulnerabilities |
| thresholdMedium | Max allowed medium vulnerabilities |
| thresholdLow | Max allowed low vulnerabilities |
| thresholdUnassigned | Max allowed unassigned vulnerabilities |
| thresholdpolicyViolationsFail | Max allowed failed policy violations |
| thresholdpolicyViolationsWarn | Max allowed warn policy violations |
| thresholdpolicyViolationsInfo | Max allowed info policy violations |
| thresholdpolicyViolationsTotal | Max allowed total policy violations |
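To make the threshold semantics concrete, here is an added example (not the extension's own code) of how a pipeline step can apply these inputs to the metrics Dependency-Track reports for a project, and how the `PUT /api/v1/bom` upload body is built. The Dependency-Track JSON field names (`critical`, `policyViolationsFail`, `projectName`, `autoCreate`, ...) are assumed from its REST API and the sample metrics are constructed; the task result names are the ones Azure Pipelines uses.

```python
import base64

# Task input -> field in Dependency-Track's project metrics JSON (assumed names,
# matching GET /api/v1/metrics/project/{uuid}/current).
THRESHOLD_KEYS = {
    "thresholdCritical": "critical", "thresholdHigh": "high",
    "thresholdMedium": "medium", "thresholdLow": "low",
    "thresholdUnassigned": "unassigned",
    "thresholdpolicyViolationsFail": "policyViolationsFail",
    "thresholdpolicyViolationsWarn": "policyViolationsWarn",
    "thresholdpolicyViolationsInfo": "policyViolationsInfo",
    "thresholdpolicyViolationsTotal": "policyViolationsTotal",
}

# Constructed sample metrics, shaped like what the server returns after analysis.
SAMPLE_METRICS = {"critical": 1, "high": 3, "medium": 7, "low": 2, "unassigned": 0,
                  "policyViolationsFail": 0, "policyViolationsWarn": 1,
                  "policyViolationsInfo": 0, "policyViolationsTotal": 1}


def build_upload_payload(bom_bytes, project_name, project_version, auto_create=True):
    """JSON body for PUT /api/v1/bom (assumed field names); the BOM is base64-encoded."""
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": auto_create,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def evaluate_thresholds(metrics, thresholds, action="none"):
    """Return (Azure Pipelines task result, breached thresholds). An unset input
    is not enforced; 'max allowed' means a count equal to the limit still passes."""
    breaches = []
    for input_name, metric_key in THRESHOLD_KEYS.items():
        limit = thresholds.get(input_name)
        if limit is None:
            continue
        count = metrics.get(metric_key, 0)
        if count > limit:
            breaches.append(f"{metric_key}={count} exceeds {input_name}={limit}")
    # thresholdAction: 'none' only reports, 'warn' flags the build, 'error' fails it.
    if not breaches or action == "none":
        return "Succeeded", breaches
    return ("Failed" if action == "error" else "SucceededWithIssues"), breaches


def task_complete_command(result):
    """Logging command a task prints to set its own outcome in Azure Pipelines."""
    return f"##vso[task.complete result={result};]threshold check done"
```

With the pipeline above (`thresholdCritical: 0`, `thresholdHigh: 5`, action `warn`) and the sample metrics, the single critical finding marks the build SucceededWithIssues rather than failing it.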
These settings are used when Dependency-Track serves TLS with a self-signed certificate or one issued by an internal CA.
| Name | Description |
|---|---|
| caFilePath | File path to a PEM-encoded CA certificate |
- SBOM must be in CycloneDX format.
- Use `dtrackProjAutoCreate: true` if the project might not exist yet.