Integrate OWASP Dependency Track into CI/CD

What is OWASP Dependency Track?

Dependency Track is an open-source software composition analysis (SCA) platform from the OWASP project. In this integration it is used to examine source code repositories for vulnerable third-party libraries and container images.

Dependency Track does not parse source code itself. The repository is first examined by a tool called ORT (the OSS Review Toolkit), which resolves the project's dependencies and produces an SBOM (Software Bill of Materials). That SBOM is then run through Dependency Track's analysis engine, which flags any known security vulnerabilities in the identified third-party components.
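The SBOM-in, findings-out flow just described, shown as an added Python example (not code from the original page, from Uleska, or from the Dependency Track project): it builds a small CycloneDX SBOM of the kind ORT would emit, shapes it for Dependency Track's REST API, and gates a CI job on the findings the server returns, honouring any suppressions made in the Dependency Track UI. The server URL, API key, components and findings are assumptions constructed for illustration; the endpoint, header and field names (`PUT /api/v1/bom`, `X-Api-Key`, `GET /api/v1/finding/project/{uuid}`) are those of the open-source Dependency Track server's own API.

```python
"""Build a CycloneDX SBOM, shape it for upload to a Dependency-Track server,
and gate a CI job on the findings the server reports.

Added example, not code from the original page, Uleska or OWASP.
Assumptions: DT_URL and DT_API_KEY point at a Dependency-Track API server
whose key has BOM_UPLOAD and VIEW_VULNERABILITY permissions;
SAMPLE_COMPONENTS and SAMPLE_FINDINGS are constructed for illustration.
"""
import base64
import json
import urllib.request

DT_URL = "http://localhost:8081"             # assumption: default API-server port
DT_API_KEY = "replace-with-a-team-api-key"   # assumption: never commit a real key

# Dependency-Track's own severity vocabulary, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"]

# Constructed sample input: (group, name, version, purl) as a generator such
# as ORT would discover them in a Maven build.
SAMPLE_COMPONENTS = [
    ("org.example", "parser", "1.0.0", "pkg:maven/org.example/parser@1.0.0"),
    ("org.example", "logging", "2.3.1", "pkg:maven/org.example/logging@2.3.1"),
]

# Constructed sample of what GET /api/v1/finding/project/{uuid} returns,
# trimmed to the fields the gate reads. Vulnerability ids are placeholders.
SAMPLE_FINDINGS = [
    {"component": {"purl": "pkg:maven/org.example/parser@1.0.0"},
     "vulnerability": {"vulnId": "CONSTRUCTED-0001", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"purl": "pkg:maven/org.example/logging@2.3.1"},
     "vulnerability": {"vulnId": "CONSTRUCTED-0002", "severity": "CRITICAL"},
     "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": True}},
    {"component": {"purl": "pkg:maven/org.example/logging@2.3.1"},
     "vulnerability": {"vulnId": "CONSTRUCTED-0003", "severity": "LOW"},
     "analysis": {"isSuppressed": False}},
]


def build_cyclonedx_bom(components):
    """Return a minimal CycloneDX 1.4 JSON document for the components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "group": g, "name": n, "version": v, "purl": p}
            for g, n, v, p in components
        ],
    }


def build_upload_payload(bom, project_name, project_version):
    """Body for PUT /api/v1/bom; the BOM itself travels base64-encoded."""
    encoded = base64.b64encode(json.dumps(bom).encode("utf-8")).decode("ascii")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,  # let the server create the project on first upload
        "bom": encoded,
    }


def decode_upload_payload(payload):
    """Inverse of build_upload_payload, handy for checking what was sent."""
    return json.loads(base64.b64decode(payload["bom"]).decode("utf-8"))


def upload_bom(payload, base_url=DT_URL, api_key=DT_API_KEY):
    """PUT the payload to the server and return its processing token.

    Network call, not exercised offline. Poll GET /api/v1/bom/token/{token}
    until "processing" is false before reading the project's findings.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def gate_on_findings(findings, fail_at="HIGH"):
    """Return (passed, offending) for a findings response.

    Findings suppressed in Dependency-Track (analysis.isSuppressed) are
    skipped so that triage done in its UI is honoured by the pipeline.
    """
    threshold = SEVERITY_ORDER.index(fail_at)
    offending = []
    for finding in findings:
        if finding.get("analysis", {}).get("isSuppressed"):
            continue
        severity = finding["vulnerability"]["severity"]
        if SEVERITY_ORDER.index(severity) <= threshold:
            offending.append((finding["component"]["purl"],
                              finding["vulnerability"]["vulnId"], severity))
    return (not offending, offending)


if __name__ == "__main__":
    payload = build_upload_payload(build_cyclonedx_bom(SAMPLE_COMPONENTS), "demo-app", "1.0.0")
    print(f"payload carries {len(decode_upload_payload(payload)['components'])} components")
    passed, offending = gate_on_findings(SAMPLE_FINDINGS, fail_at="HIGH")
    print("gate passed" if passed else f"gate failed on: {offending}")
    raise SystemExit(0 if passed else 1)
```

In a pipeline, the non-zero exit from the gate is what blocks the merge; the threshold is a policy choice, and skipping suppressed findings keeps a triaged false positive from failing every subsequent build.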

Security Stage: SCA (Software Composition Analysis)
Type: Open source



1. You'll need a Git URL for the repository to scan.

How do I set it up?

Adding Dependency Track to your set of security tests involves adding it to a version (security stage) that is configured to run static tests against source code.

  • Click on the application you wish to add the tool to, and edit the version (stage) configuration.


  • Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This should include the branch and any authentication details needed to clone the repo; if credentials are embedded in the URL, use a read-only token scoped to that repository rather than a personal password.


  • Click 'Save'
  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'OWASP-tracker' as a tool.


  • Click Save.

Now any time you click 'Test Now' with that Toolkit, or make a request over the Uleska API or CLI with that Toolkit, the OWASP Dependency Track tool will be included in the test run and any results added to your vulnerabilities list.