Managed Software Supply Chain / SCA
Managed Dependency-Track Hosting
Continuous software supply chain risk monitoring
What is Dependency-Track?
Dependency-Track is an OWASP Flagship project for software supply chain security. It ingests SBOMs and continuously re-evaluates the resulting component inventory against vulnerability, version and license data, so a library that was clean at build time still surfaces when an advisory is published long after the build has shipped.
Use cases
- NIS2 and DORA software supply chain risk management
- Continuous SBOM monitoring after release
- License compliance across application dependencies
- Complement to DefectDojo for full vulnerability coverage
Features
- SBOM ingestion (CycloneDX JSON and XML natively; SPDX after conversion to CycloneDX)
- Continuous component vulnerability monitoring
- License risk and policy violation tracking
- Vulnerability data sourced from NVD, OSV, and GitHub Advisories
- Policy engine for security and license gates
- REST API and CI/CD pipeline integration
- Per-project risk scoring and dashboards
- Feeds findings into DefectDojo
Simple, transparent pricing
Same software, fraction of the cost.
Starter
Up to 10 projects
- Dependency-Track platform
- Up to 10 monitored projects
- SBOM upload and analysis
- Daily vulnerability feed sync
- Email alerting
- Daily backups
Most popular
Business
Up to 50 projects
- Everything in Starter
- Up to 50 monitored projects
- Custom policy rules
- CI/CD pipeline webhooks
- DefectDojo integration
- Priority support
Enterprise
Unlimited projects
- Everything in Business
- Unlimited projects
- SSO / LDAP
- Custom integrations
- Audit-ready compliance reports
- SLA-backed uptime
Every plan includes
Managed hosting
Dedicated bare-metal servers
Automated backups
Daily backups with 30-day retention
TLS included
Automatic HTTPS with Let's Encrypt certificates
Monitoring
24/7 uptime monitoring and alerting
Compliance-ready hosting
Every managed deployment runs on EU infrastructure. A Data Processing Agreement is available on request, and all services are covered under that single DPA.
Frequently asked questions
Which SBOM formats does Dependency-Track accept?
Dependency-Track ingests CycloneDX SBOMs in JSON and XML. CycloneDX is its native format; current Dependency-Track 4.x releases no longer import SPDX documents directly, so convert SPDX to CycloneDX before upload. You can upload SBOMs manually in the UI, through the REST API (PUT /api/v1/bom, authenticated with an API key), or push them automatically from a CI/CD pipeline on Business and Enterprise plans.
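The REST upload described above, as an added example that is not code from this page or from the Dependency-Track project. It assumes the environment variable names DT_URL and DT_API_KEY (chosen here), an API key holding the BOM_UPLOAD permission (plus PROJECT_CREATION_UPLOAD when autoCreate is used), and a constructed minimal CycloneDX document as sample input; the project name and version are placeholders.

```python
"""Upload a CycloneDX SBOM to Dependency-Track through its REST API.

Added example; not code from the hosting page or the Dependency-Track project.
Assumptions: DT_URL and DT_API_KEY environment variables (names chosen here),
and an API key with BOM_UPLOAD (and PROJECT_CREATION_UPLOAD for autoCreate).
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Constructed minimal CycloneDX 1.5 document used as sample input.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "log4j-core",
            "version": "2.17.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
        }
    ],
}


def build_bom_upload_payload(bom, project_name, project_version, auto_create=True):
    """Build the JSON body for PUT /api/v1/bom.

    Dependency-Track expects the SBOM base64-encoded in the "bom" field;
    projectName/projectVersion with autoCreate=true lets the server create
    the project on first upload instead of requiring a project UUID.
    """
    bom_bytes = json.dumps(bom, separators=(",", ":")).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def decode_bom_from_payload(payload):
    """Reverse the encoding, useful for checking what will actually be sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def _request(base_url, api_key, path, method="GET", body=None):
    """Authenticated JSON request; Dependency-Track reads the key from X-Api-Key."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={"X-Api-Key": api_key, "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_sbom(base_url, api_key, payload):
    """PUT the SBOM and return the processing token Dependency-Track hands back."""
    return _request(base_url, api_key, "/api/v1/bom", method="PUT", body=payload)["token"]


def wait_until_processed(base_url, api_key, token, attempts=30, delay=2.0):
    """Poll /api/v1/bom/token/{token} until analysis of the upload has finished.

    Returns True when processing completed within the allowed attempts."""
    for _ in range(attempts):
        status = _request(base_url, api_key, f"/api/v1/bom/token/{token}")
        if not status.get("processing", False):
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    base_url = os.environ["DT_URL"]
    api_key = os.environ["DT_API_KEY"]
    # Placeholder project coordinates; in CI these come from the build metadata.
    payload = build_bom_upload_payload(SAMPLE_BOM, "payments-api", "1.4.0")
    token = upload_sbom(base_url, api_key, payload)
    print("upload token:", token)
    if not wait_until_processed(base_url, api_key, token):
        print("SBOM still processing after timeout", file=sys.stderr)
        sys.exit(1)
    print("SBOM processed")
```

Polling the token matters in a pipeline: the PUT returns as soon as the upload is accepted, and findings are only available once processing completes, so any gate that queries results immediately after upload will otherwise read stale or empty data.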
Where does Dependency-Track pull vulnerability data from?
It queries NVD, OSV, and GitHub Advisories and correlates the advisories against the component inventory built from your SBOMs. The feeds sync daily on all plans, so newly published advisories appear in your dashboard without re-uploading an SBOM. Matching relies on accurate component identifiers (Package URLs and CPEs) in the SBOM, so make sure your SBOM generator populates them.
How does managed Dependency-Track address NIS2 Article 21 and DORA supply chain obligations?
Dependency-Track gives you continuous visibility into third-party component risk, and the Enterprise plan adds audit-ready reports mapping findings to affected projects. That evidence trail supports the software supply chain risk documentation required under NIS2 Article 21 and DORA.
Can I set license and security policy gates to block risky components?
Yes, from the Business plan. The policy engine lets you define rules such as failing components whose CVSS score exceeds a threshold or flagging copyleft licenses. Violations trigger alerts and are delivered through the CI/CD pipeline webhooks, so a pipeline stage can fail the build on them.
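A pipeline stage that enforces the gate just described, as an added example that is not code from this page or the Dependency-Track project. It pulls a project's findings and policy violations from the REST API and fails the build on unsuppressed findings at or above a CVSS threshold and on violations of policies whose violation state is FAIL. It assumes the DT_URL and DT_API_KEY environment variable names (chosen here), an API key with VIEW_VULNERABILITY and VIEW_POLICY_VIOLATION permissions, and constructed sample responses with placeholder identifiers; the severity-to-score fallback table is this script's own assumption, not a Dependency-Track default.

```python
"""Fail a CI build on Dependency-Track findings and policy violations.

Added example; not code from the hosting page or the Dependency-Track project.
Assumptions: DT_URL / DT_API_KEY environment variables (names chosen here) and
an API key with VIEW_VULNERABILITY and VIEW_POLICY_VIOLATION permissions.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Used only when a finding carries no CVSS base score (assumed mapping, not a
# Dependency-Track default).
SEVERITY_FALLBACK = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 5.0, "LOW": 2.0}

# Constructed sample responses shaped like GET /api/v1/finding/project/{uuid}
# and GET /api/v1/violation/project/{uuid}; identifiers are placeholders.
SAMPLE_FINDINGS = [
    {"component": {"name": "libfoo", "version": "1.2.3"},
     "vulnerability": {"vulnId": "EXAMPLE-0001", "severity": "CRITICAL", "cvssV3BaseScore": 9.8},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "libbar", "version": "4.0.0"},
     "vulnerability": {"vulnId": "EXAMPLE-0002", "severity": "CRITICAL", "cvssV3BaseScore": 9.1},
     "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": True}},
    {"component": {"name": "libbaz", "version": "0.9.0"},
     "vulnerability": {"vulnId": "EXAMPLE-0003", "severity": "MEDIUM", "cvssV3BaseScore": 5.3},
     "analysis": {"isSuppressed": False}},
]
SAMPLE_VIOLATIONS = [
    {"type": "LICENSE", "component": {"name": "libqux", "version": "2.0.0"},
     "policyCondition": {"policy": {"name": "No copyleft", "violationState": "FAIL"}},
     "analysis": {"isSuppressed": False}},
    {"type": "OPERATIONAL", "component": {"name": "libold", "version": "0.1.0"},
     "policyCondition": {"policy": {"name": "Outdated components", "violationState": "WARN"}},
     "analysis": {"isSuppressed": False}},
]


def finding_score(finding):
    """CVSS v3 base score, falling back to v2, then to the severity label."""
    vuln = finding.get("vulnerability", {})
    for key in ("cvssV3BaseScore", "cvssV2BaseScore"):
        if vuln.get(key) is not None:
            return float(vuln[key])
    return SEVERITY_FALLBACK.get(str(vuln.get("severity", "")).upper(), 0.0)


def evaluate_gate(findings, violations, cvss_threshold=7.0):
    """Return {"blocked", "reasons", "warnings"} for the build decision.

    Findings and violations an analyst suppressed in Dependency-Track are
    honoured. Only policies with violationState FAIL block the build; WARN and
    INFO violations are reported as warnings."""
    reasons, warnings = [], []
    for f in findings:
        if f.get("analysis", {}).get("isSuppressed"):
            continue
        score = finding_score(f)
        if score >= cvss_threshold:
            c, v = f.get("component", {}), f.get("vulnerability", {})
            reasons.append(f"{v.get('vulnId')} CVSS {score} in {c.get('name')}@{c.get('version')}")
    for pv in violations:
        if pv.get("analysis", {}).get("isSuppressed"):
            continue
        policy = pv.get("policyCondition", {}).get("policy", {})
        c = pv.get("component", {})
        msg = f"{pv.get('type')} policy '{policy.get('name')}' violated by {c.get('name')}@{c.get('version')}"
        (reasons if policy.get("violationState") == "FAIL" else warnings).append(msg)
    return {"blocked": bool(reasons), "reasons": reasons, "warnings": warnings}


def _get(base_url, api_key, path):
    """Authenticated GET; Dependency-Track reads the key from X-Api-Key."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"X-Api-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_project_uuid(base_url, api_key, name, version):
    """Resolve project coordinates to the UUID the finding/violation endpoints need."""
    query = urllib.parse.urlencode({"name": name, "version": version})
    return _get(base_url, api_key, f"/api/v1/project/lookup?{query}")["uuid"]


if __name__ == "__main__":
    base_url, api_key = os.environ["DT_URL"], os.environ["DT_API_KEY"]
    name, version = sys.argv[1], sys.argv[2]
    uuid = fetch_project_uuid(base_url, api_key, name, version)
    findings = _get(base_url, api_key, f"/api/v1/finding/project/{uuid}")
    violations = _get(base_url, api_key, f"/api/v1/violation/project/{uuid}")
    result = evaluate_gate(findings, violations, cvss_threshold=7.0)
    for line in result["warnings"]:
        print("WARN:", line)
    for line in result["reasons"]:
        print("FAIL:", line)
    sys.exit(1 if result["blocked"] else 0)
```

Honouring the suppression flag is what keeps the gate usable: triage decisions (false positive, not affected) are recorded in Dependency-Track's analysis, and a gate that ignores them forces teams to bypass it rather than fix the inventory.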
Ready to get started with Dependency-Track?
Your instance is provisioned in minutes. No credit card is required for a consultation.
Contact us