Dependency-Track logo Dependency-Track

The Dependency-Track Jenkins plugin aids in publishing CycloneDX and SPDX Bill-of-Material (BOM) documents as well as Dependency-Check XML reports to the Dependency-Track platform.

Publishing BOMs can be performed asynchronously or synchronously.

Asynchronous publishing simply uploads the BOM to Dependency-Track and the job continues. Synchronous publishing waits for Dependency-Track to process the BOM after being uploaded. Synchronous publishing has the benefit of displaying interactive job trends and per build findings.

Job Trending Job Findings

Job Configuration

Once configured with a valid URL and API key, simply configure a job to publish the artifact.

Job Publish Config

Job Publish Thresholds

When Synchronous mode is enabled, thresholds can be defined which can optionally put the job into an UNSTABLE or FAILURE state.

Global Configuration

To setup, navigate to Jenkins ยป System Configuration and complete the Dependency-Track section.

System Configuration


The following permission should be assigned to the API key configured above.

Permission Description
BOM_UPLOAD Allows the uploading of CycloneDX and SPDX BOMs
SCAN_UPLOAD Allows the uploading of Dependency-Check XML reports
VIEW_PORTFOLIO Allows the plugin to list the projects in the dropdown
VULNERABILITY_ANALYSIS Allows access to the findings API for trending and results (synchronous mode only)
PROJECT_CREATION_UPLOAD Allows the dynamic creation of projects (if enabled by the plugin)