OWASP Dependency Track API client for CI/CD
Language: Go
Branch: master
Latest commit da700f0 Jan 20, 2020
Repository contents (path, latest commit message, commit date):
  cmd/dtrack-audit   Fix issue #4. Implement auto creation of project     Jan 17, 2020
  internal/dtrack    Add handling for permission error. Fix issue #3.     Jan 20, 2020
  .gitignore         Alpha version                                        Oct 11, 2019
  COPYING            Add license file                                     Oct 14, 2019
  README.md          Update README.md                                     Jan 20, 2020


dtrack-audit

OWASP Dependency Track API client for your security CI/CD pipeline. See the Dependency-Track docs, Continuous Integration & Delivery, for the use case.

Install

Local Installation

go get github.com/ozonru/dtrack-audit/cmd/dtrack-audit

Features

  • Fully configurable via environment variables
  • Async and sync modes. In async mode dtrack-audit simply sends the SBOM file to the DTrack API (like cURL, but much more convenient). Sync mode uploads the SBOM file, waits for the scan result, shows it and exits with a non-zero code, so you can fail the corresponding CI/CD job and make developers pay attention to the findings
  • You can filter the results. With sync mode enabled, dtrack-audit shows the result and fails the audit if the findings include a vulnerability with a severity at or above the specified level. Severity levels are: critical, high, medium, low, info, unassigned
  • Auto creation of projects. With this feature you can configure the SCA step (with dtrack-audit) globally for your CI/CD, and it will create the project, e.g. with a name taken from an environment variable such as $CI_PROJECT_NAME, so you don't need to configure it manually for each project
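The severity gate behind sync mode and the -g flag, written out as an added illustration (this is not the dtrack-audit source; the Finding struct is a hypothetical stand-in for a Dependency-Track finding, and the sample findings are constructed to mirror the output below):

```go
package main
import (
	"fmt"
	"strings"
)

// Severity levels from the README, most to least severe; "unassigned" is last.
var severityOrder = []string{"critical", "high", "medium", "low", "info", "unassigned"}

// Finding is a hypothetical stand-in for one Dependency-Track finding.
type Finding struct{ Severity, Title, Component, Version string }

// severityRank is the index in severityOrder (lower is more severe), -1 if unknown.
func severityRank(s string) int {
	for i, name := range severityOrder {
		if strings.EqualFold(s, name) {
			return i
		}
	}
	return -1
}

// Gate keeps the findings at or above threshold (the value given to -g). A
// severity the tool does not recognise is kept, so an odd API value never
// makes the audit pass silently; a bad threshold is an error, not a pass.
func Gate(findings []Finding, threshold string) ([]Finding, error) {
	limit := severityRank(threshold)
	if limit < 0 {
		return nil, fmt.Errorf("unknown severity level %q", threshold)
	}
	var hits []Finding
	for _, f := range findings {
		if r := severityRank(f.Severity); r < 0 || r <= limit {
			hits = append(hits, f)
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample mirroring the README output; the LOW entry is made up.
	findings := []Finding{
		{"HIGH", "Arbitrary File Write", "adm-zip", "0.4.7"},
		{"CRITICAL", "Prototype Pollution", "handlebars", "4.0.11"},
		{"LOW", "Constructed low-severity finding", "example-pkg", "1.0.0"},
	}
	hits, _ := Gate(findings, "high") // a non-empty result means exit non-zero
	fmt.Printf("%d vulnerabilities found! fail job: %v\n", len(hits), len(hits) > 0)
}
```

With -g high the LOW finding is reported but does not fail the job; only findings at high or critical do.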

Sample output

$ cyclonedx-bom -o bom.xml
$ dtrack-audit -s -g high

SBOM file is successfully uploaded to DTrack API. Result token is 12345f5e-4ccb-45fe-b8fd-1234a8bf0081

2 vulnerabilities found!

 > HIGH: Arbitrary File Write
   Component: adm-zip 0.4.7
   More info: https://dtrack/vulnerability/?source=NPM&vulnId=994

 > CRITICAL: Prototype Pollution
   Component: handlebars 4.0.11
   More info: https://dtrack/vulnerability/?source=NPM&vulnId=755