Package: Invicti AppSec Enterprise (on-premise, on-demand)
Dependency-Track SCA integration
Invicti AppSec supports Dependency-Track as an SCA (Software Composition Analysis) scanner. This guide explains how to activate and configure the Dependency-Track integration.
Dependency-Track is an open-source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. It monitors all versions of every component used across the portfolio and identifies components with known vulnerabilities.
Prerequisites
Before starting the integration, ensure you have the following information from your Dependency-Track instance:
| Field | Description | Required |
|---|---|---|
| Token | API key generated from your Dependency-Track instance | Yes |
| Api URL | The API endpoint URL of your Dependency-Track instance (e.g., https://deptrack.yourcompany.com/api) | Yes |
| UI URL | The web interface URL of your Dependency-Track instance (optional, used for linking) | No |
| Insecure | Skip SSL certificate verification (not recommended for production) | No |
Get Credentials (on Dependency-Track Side)
- Log in to your Dependency-Track instance.
- Navigate to Administration > Access Management > Teams.
- Select the team you want to use for the integration (or create a new one).
- Under API Keys, click Generate to create a new API key.
- Copy the generated API key and save it securely.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the SCA Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SCA tab.

Step 3: Find and Activate Dependency-Track
Scroll through the list of SCA scanners to find Dependency-Track.
- If Dependency-Track is not activated, you will see an "Activate" button. Click it to enable the integration.
- If Dependency-Track is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
The scan method badge on the Dependency-Track card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Dependency-Track card to open the configuration panel. Fill in the required fields:
- Token: Paste the API key you generated from Dependency-Track.
- Api URL: Enter your Dependency-Track API endpoint URL (e.g., https://deptrack.yourcompany.com/api).
- UI URL (optional): Enter your Dependency-Track web interface URL for direct linking to projects and findings.
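- Insecure: Enable this checkbox only if your Dependency-Track instance uses a self-signed SSL certificate. It skips SSL certificate verification, so the server's identity is not checked when the token is sent; it is not recommended for production.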

Step 5: Test the Connection
Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.
- If the connection is successful, the integration is ready to use.
- If the connection fails, verify your Token and Api URL values.
- For existing integrations, you can use the "Retest Connection" button at the top of the panel.
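When Test Connection fails, the Token and Api URL can be checked directly against Dependency-Track to see which of the two is wrong. The script below is an added example, not part of Invicti AppSec or its documentation. It assumes the Api URL ends in /api as in the example above, and uses Dependency-Track's `/version` and `/v1/project` endpoints with the `X-Api-Key` header. The function name and the `DT_API_URL` / `DT_TOKEN` environment variables are hypothetical.

```python
import json
import os
import ssl
import urllib.error
import urllib.request


def check_dependency_track(api_url, token, insecure=False, timeout=10):
    """Pre-check the Api URL and Token values; returns (ok, detail)."""
    base = api_url.rstrip("/")
    ctx = ssl.create_default_context()
    if insecure:
        # Same effect as the "Insecure" checkbox: the certificate is not
        # verified, so the API key is sent to an unauthenticated peer.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def get(path, headers=None):
        req = urllib.request.Request(base + path, headers=headers or {})
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read()

    try:
        # Unauthenticated call: confirms the Api URL is a Dependency-Track API root.
        version = json.loads(get("/version")).get("version", "unknown")
        # Authenticated call: confirms the API key is accepted.
        get("/v1/project?pageSize=1", {"X-Api-Key": token})
    except urllib.error.HTTPError as exc:
        hints = {
            401: "API key rejected (check Token)",
            403: "API key valid but team lacks permission to list projects",
            404: "endpoint not found (check that Api URL ends in /api)",
        }
        return False, f"HTTP {exc.code}: {hints.get(exc.code, exc.reason)}"
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return False, f"certificate not trusted: {exc.reason.verify_message}"
        return False, f"cannot reach Api URL: {exc.reason}"
    except OSError as exc:
        return False, f"network error: {exc}"
    except (ValueError, AttributeError):
        return False, "response is not Dependency-Track JSON (check Api URL)"
    return True, f"Dependency-Track {version} reachable, API key accepted"


if __name__ == "__main__":
    # Read the key from the environment so it stays out of shell history.
    if "DT_API_URL" in os.environ and "DT_TOKEN" in os.environ:
        print(check_dependency_track(os.environ["DT_API_URL"], os.environ["DT_TOKEN"]))
```

A "certificate not trusted" result with `insecure=False` corresponds to the case where the Insecure checkbox would be needed.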
Step 6: Advanced Settings (Optional)
Click on "Advanced Settings" to expand additional options:
| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this Dependency-Track instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional Dependency-Track instances | Off |
After modifying advanced settings, click "Save Advanced Settings" to apply changes.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SCA tab under Scanners |
| 3 | Find Dependency-Track and click Activate (if not already active) |
| 4 | Click the gear icon and fill in Token, Api URL, optionally UI URL, and Insecure |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |