Dependency-Track
Continuous SBOM analysis platform tracking component vulnerabilities, policies, and audit trails for supply chain risk.
Why it is included
OWASP flagship for SBOM governance beyond one-off CLI scans.
Best for
Product security teams ingesting CycloneDX SBOMs from CI (Dependency-Track 4.x ingests CycloneDX natively; SPDX output from tools such as Syft should be emitted or converted as CycloneDX before upload).
Strengths
- Policy engine
- API
- Multi-project portfolio
Limitations
- Requires disciplined SBOM ingestion pipeline
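The "disciplined ingestion pipeline" limitation is mostly about the CI glue: every build must upload a BOM, wait for the asynchronous analysis, and then act on the result rather than just fire-and-forget. The script below is an added example written for this page, not code from the Dependency-Track project, showing one way to do that with only the Python standard library against the REST API the page lists as a strength (PUT /api/v1/bom with a base64-encoded BOM, polling /api/v1/bom/token/{token}, then /api/v1/violation/project/{uuid}). The environment variable names (DT_URL, DT_API_KEY, DT_PROJECT, DT_VERSION), the sample BOM, and the sample violation records are assumptions constructed for illustration; the API key must belong to a team with BOM_UPLOAD, PROJECT_CREATION_UPLOAD and VIEW_POLICY_VIOLATION permissions for all calls to succeed.

```python
"""Added example (not Dependency-Track's own code): upload a CycloneDX SBOM from CI
and fail the build when unsuppressed policy violations in the FAIL state exist.
Assumed env vars: DT_URL, DT_API_KEY, DT_PROJECT, DT_VERSION. Usage: dt_gate.py bom.json
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Constructed minimal CycloneDX document, used only for an offline self-check.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}).encode()


def build_upload_payload(bom_bytes, project_name, project_version, auto_create=True):
    """JSON body for PUT /api/v1/bom; the BOM itself must be base64-encoded."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def api_call(base_url, api_key, path, method="GET", body=None):
    """Authenticated request helper; Dependency-Track reads the X-Api-Key header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def upload_bom(base_url, api_key, bom_bytes, project_name, project_version):
    """Returns the processing token; analysis runs asynchronously on the server."""
    payload = build_upload_payload(bom_bytes, project_name, project_version)
    return api_call(base_url, api_key, "/api/v1/bom", "PUT", payload)["token"]


def wait_for_processing(base_url, api_key, token, timeout=300, interval=5):
    """Poll GET /api/v1/bom/token/{token} until {"processing": false} or timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not api_call(base_url, api_key, f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(interval)
    return False


def lookup_project_uuid(base_url, api_key, project_name, project_version):
    q = urllib.parse.urlencode({"name": project_name, "version": project_version})
    return api_call(base_url, api_key, f"/api/v1/project/lookup?{q}")["uuid"]


def failing_violations(violations, fail_states=("FAIL",)):
    """Keep unsuppressed violations whose policy violationState is in fail_states.
    Shape follows /api/v1/violation/project/{uuid}: policyCondition.policy.violationState
    and analysis.suppressed (analysis may be absent)."""
    out = []
    for v in violations:
        state = v.get("policyCondition", {}).get("policy", {}).get("violationState")
        suppressed = (v.get("analysis") or {}).get("suppressed", False)
        if state in fail_states and not suppressed:
            out.append(v)
    return out


def summarize(violations):
    """One CI-log line per violation: type, policy name, affected component."""
    lines = []
    for v in violations:
        comp = v.get("component", {})
        policy = v["policyCondition"]["policy"]["name"]
        lines.append(f"{v.get('type')}: {policy} -> {comp.get('name')}@{comp.get('version')}")
    return lines


def main(argv):
    if len(argv) != 2:
        print("usage: dt_gate.py <bom.json>", file=sys.stderr)
        return 2
    base_url, api_key = os.environ["DT_URL"], os.environ["DT_API_KEY"]
    name, version = os.environ["DT_PROJECT"], os.environ["DT_VERSION"]
    with open(argv[1], "rb") as f:
        bom = f.read()
    token = upload_bom(base_url, api_key, bom, name, version)
    if not wait_for_processing(base_url, api_key, token):
        print("timed out waiting for BOM processing", file=sys.stderr)
        return 1
    uuid = lookup_project_uuid(base_url, api_key, name, version)
    bad = failing_violations(api_call(base_url, api_key, f"/api/v1/violation/project/{uuid}") or [])
    for line in summarize(bad):
        print(line)
    return 1 if bad else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points worth keeping: the token poll is what makes the gate meaningful, since violations queried before processing finishes reflect the previous upload; and the filter honours the analysis.suppressed flag so that a triage decision made in the Dependency-Track audit trail is respected by CI instead of being re-flagged on every build.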
Good alternatives
DefectDojo · GitHub Dependabot (SaaS)
Related tools (all listed under Security & Privacy)
- Syft: CLI and library for generating SBOMs (SPDX, CycloneDX) from images, directories, and archives.
- Trivy: All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
- DefectDojo: Application vulnerability management: ingest findings from scanners, dedupe, risk scoring, metrics, and Jira/CI hooks.
- Grype: Vulnerability scanner for container images and filesystems using Anchore’s vulnerability DB and Syft SBOM input.
- Wazuh: Open security platform combining SIEM, XDR, file integrity monitoring, and compliance checks across endpoints and cloud.
- OWASP ZAP: OWASP flagship web app scanner and proxy: automated checks, manual request tampering, scripting, and CI integrations.
