Integrate Dependency-Track into your Azure DevOps pipelines to automatically upload and assess SBOM (Software Bill of Materials) files for known vulnerabilities.
- Upload SBOMs (CycloneDX format) to Dependency-Track
- Automatically create projects if they don’t exist
- Fail builds based on vulnerability thresholds and policies
- Supports both manual API key input and service connections
Install the extension from the Azure DevOps Marketplace.
trigger:
- master
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: '18.x'
displayName: 'Install Node.js'
- script: |
npm install
npm install -g @cyclonedx/cyclonedx-npm
displayName: 'npm install'
- script: |
cyclonedx-npm --version
cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
displayName: 'Create BOM'
- task: upload-bom-dtrack@1
displayName: 'Upload SBOM to Dependency-Track'
inputs:
bomFilePath: '$(Build.TempDirectory)/bom.xml'
dtrackProjName: 'my-app'
dtrackProjVersion: '1.0.0'
dtrackAPIKey: '$(DTRACK_API_KEY)'
dtrackURI: 'https://dependency-track.example.com/'
dtrackProjAutoCreate: true
thresholdAction: 'warn'
thresholdCritical: 0
thresholdHigh: 5| Name | Description |
|---|---|
bomFilePath |
Path to the SBOM file (e.g. **/bom.xml) |
serviceConnection, or dtrackAPIKey and dtrackURI |
Service connection or API key and URL to Dependency-Track |
Provide one of the following:
| Name | Description |
|---|---|
dtrackProjId |
Existing project UUID |
dtrackProjName and dtrackProjVersion |
Project name and version (with optional auto-create) |
| Name | Description |
|---|---|
dtrackProjAutoCreate |
Auto-create project if project doesn’t exist |
dtrackProjDescription |
Set the project description |
dtrackProjTags |
Set the prohject tags. (Each tag on a new line) |
dtrackProjSwidTagId |
Set the project SWID Tag Id |
dtrackProjGroup |
Set the project Namespace / group / vendor identifier |
dtrackProjClassifier |
Classifier (e.g., APPLICATION, FRAMEWORK, etc.) |
dtrackParentProjName |
Parent project name (with optional auto-create) |
dtrackParentProjVersion |
Parent project version (with optional auto-create) |
dtrackIsLatest |
Sets the new child project as the latest version. Requires parent project name and version to be specified. Only works if Auto Create Project is set to TRUE. Defaults to false. |
Use these inputs to warn or fail the build based on detected vulnerabilities:
| Name | Description |
|---|---|
thresholdAction |
none (default), warn, or error |
thresholdCritical |
Max allowed critical vulnerabilities |
thresholdHigh |
Max allowed high vulnerabilities |
thresholdMedium |
Max allowed medium vulnerabilities |
thresholdLow |
Max allowed low vulnerabilities |
thresholdUnassigned |
Max allowed unassigned vulnerabilities |
thresholdpolicyViolationsFail |
Max allowed failed policy violations |
thresholdpolicyViolationsWarn |
Max allowed warn policy violations |
thresholdpolicyViolationsInfo |
Max allowed info policy violations |
thresholdpolicyViolationsTotal |
Max allowed total policy violations |
These settings are used when Dependency Track is using a self-signed certificate or an internal CA provider for it's TLS configuration.
| Name | Description |
|---|---|
caFilePath |
File path to PEM encoded CA certificate |
- SBOM must be in CycloneDX format.
- Use
dtrackProjAutoCreate: trueif the project might not exist yet.