Yet another command-line interface for interacting with Dependency Track.
[TOC]
Upload SBOMs and VEX files to your Dependency Track instance and get immediate feedback on policy violations.
dt-cli audit -n "My project" -v 1.00 -b target/bom.xml -x vex.json
Above call will fail if policy violations are found (this should fail your CI build).
See detailed usage in AUDIT.MD.
Configure your Dependency Track server using YAML files.
policies:
- name: Default License Policy
operator: ALL
violationState: FAIL
policyConditions:
- subject: LICENSE_GROUP
operator: IS_NOT
value: PermissiveThere is also a feature for safely deleting temporary projects (e.g. created for Merge Requests).
See detailed usage in FORM.MD.
Interact with the Dependency Track API using shell commands.
put-project <<<'{
"name": "TestProject",
"version": "1.0.0",
"description": "A testproject"
}'See detailed usage in API.MD.
Convenience wrapper around the stock Docker Compose files.
See detailed usage in LOCAL.MD.
Recommended way to install is to use git submodules.
See INSTALL.MD for details
See USAGE.MD for general usage instructions. See the links above for detailed usage of each feature.
There are other tools that allow you to upload SBOMs to Dependency Track: 1, 2, 3. Except for the first one, the projects look to be abandoned, the documentation is scarce and none of the projects has any test coverage.
What makes this project different is:
- VEX file support
- Allows you to correct SBOMs using component overrides.
- Configuring Dependency Track server as Code (CasC).
- Shell API bindings
- Comprehensive test coverage.
- Minimal dependencies (only requires
bash,curlandjq). - Useful documentation.
Some useful information, not directly related to the tool itself: