Managed Software Supply Chain / SCA

Managed Dependency-Track Hosting

Continuous software supply chain risk monitoring

License: Apache-2.0 · GitHub: 3.9K stars · Infra: 4–8 GB RAM, 2–4 vCPU, 20 GB+ storage

What is Dependency-Track?

Dependency-Track is an OWASP flagship platform for software supply chain security. It ingests SBOMs and continuously monitors your components for known vulnerabilities, outdated libraries, and license risk, even long after a build has shipped.

Use cases

  • NIS2 and DORA software supply chain risk management
  • Continuous SBOM monitoring after release
  • License compliance across application dependencies
  • Complement to DefectDojo for full vulnerability coverage

Features

  • SBOM ingestion (CycloneDX, SPDX)
  • Continuous component vulnerability monitoring
  • License risk and policy violation tracking
  • Vulnerability data sourced from NVD, OSV, and GitHub Advisories
  • Policy engine for security and license gates
  • REST API and CI/CD pipeline integration
  • Per-project risk scoring and dashboards
  • Feeds findings into DefectDojo

Simple, transparent pricing

Same software, fraction of the cost.

Starter

Up to 10 projects

From $40/mo
  • Dependency-Track platform
  • Up to 10 monitored projects
  • SBOM upload and analysis
  • Daily vulnerability feed sync
  • Email alerting
  • Daily backups
Contact us

Most popular

Business

Up to 50 projects

From $90/mo
  • Everything in Starter
  • Up to 50 monitored projects
  • Custom policy rules
  • CI/CD pipeline webhooks
  • DefectDojo integration
  • Priority support
Contact us

Enterprise

Unlimited projects

From $180/mo
  • Everything in Business
  • Unlimited projects
  • SSO / LDAP
  • Custom integrations
  • Audit-ready compliance reports
  • SLA-backed uptime
Contact us

Every plan includes

Managed hosting

Dedicated bare-metal servers

Automated backups

Daily backups with 30-day retention

SSL included

Automatic HTTPS with Let's Encrypt

Monitoring

24/7 uptime monitoring and alerting

Compliance-ready hosting

Every managed deployment runs on EU infrastructure. Data Processing Agreement available on request. All services covered under a single DPA.

View compliance documentation →

Frequently asked questions

Which SBOM formats does Dependency-Track accept?

Dependency-Track ingests CycloneDX (JSON and XML) and SPDX. You can upload SBOMs manually, via the REST API, or push them automatically from a CI/CD pipeline on Business and Enterprise plans.

Where does Dependency-Track pull vulnerability data from?

It queries NVD, OSV, and GitHub Advisories and correlates findings against your component inventory. The feeds sync daily on all plans so new CVEs appear in your dashboard without any manual step.

How does managed Dependency-Track address NIS2 Article 21 and DORA supply chain obligations?

Dependency-Track gives you continuous visibility into third-party component risk and generates audit-ready reports mapping findings to affected projects. That evidence trail directly supports the software supply chain risk documentation required under NIS2 Article 21 and DORA.

Can I set license and security policy gates to block risky components?

Yes, from the Business plan. The policy engine lets you define rules such as blocking components whose CVSS score exceeds a threshold or flagging copyleft licenses. Violations trigger alerts and can be delivered to your CI/CD pipeline through webhooks so that the build fails.
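The REST API and CI/CD integration mentioned above, and the CVSS-threshold gate described in this answer, can also be enforced from the pipeline side. The following is an added example, not code from the hosting provider or the Dependency-Track project; it assumes the Dependency-Track endpoint GET /api/v1/finding/project/{uuid} authenticated with the X-Api-Key header, and the finding fields vulnerability.vulnId, vulnerability.cvssV3BaseScore, vulnerability.severity and analysis.isSuppressed as assumed here. The sample findings are constructed.

```python
"""CI gate over Dependency-Track project findings (added example)."""
import json
import os
import sys
import urllib.request


def fetch_findings(base_url: str, api_key: str, project_uuid: str) -> list:
    """Pull the current findings of one project (assumed API shape)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_gate(findings: list, max_cvss: float) -> list:
    """Return findings that must fail the build.

    Suppressed findings (risk accepted or false positive in Dependency-Track)
    are treated as reviewed and do not block. A finding with no CVSS v3 score
    is treated as unknown and blocks (fail closed) until it has been triaged;
    this is a design choice of the example, not Dependency-Track behaviour.
    """
    blocking = []
    for finding in findings:
        if finding.get("analysis", {}).get("isSuppressed"):
            continue
        score = finding.get("vulnerability", {}).get("cvssV3BaseScore")
        if score is None or float(score) >= max_cvss:
            blocking.append(finding)
    return blocking


# Constructed sample in the assumed findings shape; identifiers are placeholders.
SAMPLE_FINDINGS = [
    {"component": {"name": "libfoo", "version": "1.2.0"}, "analysis": {"isSuppressed": False},
     "vulnerability": {"vulnId": "EXAMPLE-0001", "severity": "CRITICAL", "cvssV3BaseScore": 9.8}},
    {"component": {"name": "libbar", "version": "0.9.1"}, "analysis": {"isSuppressed": True},
     "vulnerability": {"vulnId": "EXAMPLE-0002", "severity": "CRITICAL", "cvssV3BaseScore": 9.1}},
    {"component": {"name": "libbaz", "version": "3.0.0"}, "analysis": {"isSuppressed": False},
     "vulnerability": {"vulnId": "EXAMPLE-0003", "severity": "UNASSIGNED"}},
    {"component": {"name": "libqux", "version": "2.2.2"}, "analysis": {"isSuppressed": False},
     "vulnerability": {"vulnId": "EXAMPLE-0004", "severity": "MEDIUM", "cvssV3BaseScore": 5.3}},
]

if __name__ == "__main__":  # DT_URL, DT_API_KEY, DT_PROJECT_UUID are assumed env var names
    found = fetch_findings(os.environ["DT_URL"], os.environ["DT_API_KEY"], os.environ["DT_PROJECT_UUID"])
    blocked = evaluate_gate(found, float(os.environ.get("DT_MAX_CVSS", "7.0")))
    for f in blocked:
        print(f"BLOCK {f['vulnerability']['vulnId']} in {f['component']['name']} {f['component']['version']}")
    sys.exit(1 if blocked else 0)
```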

Ready to get started with Dependency-Track?

Your instance is provisioned in minutes. No credit card required for a consultation.

Contact us