
Backstage Dependencytrack Plugin

Created by TRIMM

Dependency Track is an open source platform that analyzes software bills of materials. It helps you find known vulnerabilities, license risks, and policy violations across your portfolio. Teams feed SBOMs from their pipelines into Dependency Track. The platform then keeps a living inventory and highlights what is affected and where, so you can act with context.

The Dependencytrack Backstage plugin brings those insights into your developer portal. It surfaces metrics and findings for each catalog entity, so engineers can review risk without leaving Backstage. You get a quick view of vulnerability counts and severity. You can drill into recent findings to see what changed and what needs attention. The goal is simple. Put supply chain risk next to the code and services your teams own.

This plugin is useful if you already run Dependency Track and want a single place for service health and security signals. Security teams can use it to keep policy and license issues visible during everyday work. Service owners can spot new problems early and plan fixes alongside other tasks. Platform teams can standardize how risk is shown across many services. If you are investing in SBOMs and portfolio hygiene, this plugin helps your engineers turn that data into action where they spend their time.

Installation Instructions

These instructions apply to self-hosted Backstage only.

Install the frontend package

  1. From the app package directory
cd packages/app
yarn add @trimm/plugin-dependencytrack

Configure the service and proxy

  1. Add the base url and proxy config in your app config. Keep allowedMethods at GET only: the proxy forwards every request under this endpoint with the same API key, so any method you allow here becomes available to every Backstage user.
# app-config.yaml
dependencytrack:
  baseUrl: ${DEPENDENCYTRACK_BASE_URL}

proxy:
  endpoints:
    '/dependencytrack':
      target: ${DEPENDENCYTRACK_BASE_URL}
      allowedMethods: [ 'GET' ]
      headers:
        X-Api-Key: ${DEPENDENCYTRACK_API_KEY}
  2. Set these env vars in your runtime environment. Create the API key for a dedicated Dependency Track team with read-only permissions (at minimum VIEW_PORTFOLIO); the proxy sends it on every request, so it should never be able to do more than the cards need.
export DEPENDENCYTRACK_BASE_URL="https://your.dependencytrack.example"
export DEPENDENCYTRACK_API_KEY="your_api_key"

The frontend calls the backend proxy at

/api/proxy/dependencytrack

The proxy strips that prefix, forwards the rest of the path to your Dependency Track server and adds the API key header. The key stays on the backend and never reaches the browser.
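The endpoint above is the security boundary of this setup: whatever it lets through, every portal user gets under your key. The following is an added example, not code from the plugin or from Backstage. It models what a browser request becomes after the proxy (prefix stripped, headers added server-side, method checked against allowedMethods) and lints the endpoint for the settings that widen that boundary. The input is the object form Backstage's config reader returns for proxy.endpoints['/dependencytrack']; the sample key value and the weak endpoint's hostname are made up, and the credentials field is the per-endpoint policy of newer proxy-backend versions.

```typescript
// Added example for the proxy step; not code from the plugin or from Backstage.
// Models the '/dependencytrack' endpoint and lints the settings that decide how
// much of the Dependency Track API a Backstage user can reach with the shared key.

interface ProxyEndpoint {
  target: string;
  allowedMethods?: string[];
  headers?: Record<string, string>;
  // Per-endpoint credential policy of newer proxy-backend versions.
  credentials?: 'require' | 'forward' | 'dangerously-allow-unauthenticated';
}

interface Finding {
  severity: 'error' | 'warn';
  message: string;
}

// Backstage mounts the proxy plugin at /api/proxy; the route key is appended.
const PROXY_ROUTE = '/api/proxy/dependencytrack';

// A ${VAR} that survived config loading means the env var was unset at runtime.
const UNRESOLVED = /^\$\{[A-Za-z0-9_]+\}$/;

function stripSlash(u: string): string {
  return u.replace(/\/+$/, '');
}

// Header lookup that ignores case, as HTTP does.
function header(endpoint: ProxyEndpoint, name: string): string | undefined {
  const hit = Object.entries(endpoint.headers ?? {}).find(
    ([k]) => k.toLowerCase() === name.toLowerCase(),
  );
  return hit?.[1];
}

// What one browser request becomes: the route prefix is stripped, the remainder is
// appended to target, configured headers are added server-side, and the method must
// be in allowedMethods (an absent list is treated as deny in this model).
function forwardedRequest(
  endpoint: ProxyEndpoint,
  method: string,
  portalPath: string,
): { allowed: boolean; upstreamUrl: string; headers: Record<string, string> } {
  const methods = (endpoint.allowedMethods ?? []).map(m => m.toUpperCase());
  const onRoute = portalPath === PROXY_ROUTE || portalPath.startsWith(PROXY_ROUTE + '/');
  const rest = onRoute ? portalPath.slice(PROXY_ROUTE.length) || '/' : '';
  return {
    allowed: onRoute && methods.includes(method.toUpperCase()),
    upstreamUrl: onRoute ? stripSlash(endpoint.target) + rest : '',
    headers: { ...(endpoint.headers ?? {}) },
  };
}

// Pre-deploy lint: fail on anything that hands portal users more than read access.
function lintProxyEndpoint(endpoint: ProxyEndpoint, pluginBaseUrl: string): Finding[] {
  const out: Finding[] = [];
  const target = endpoint.target ?? '';
  if (!/^https:\/\//i.test(target)) {
    out.push({ severity: 'error', message: `target is not https: ${target} (the API key travels in a header)` });
  }
  if (stripSlash(target) !== stripSlash(pluginBaseUrl)) {
    out.push({ severity: 'warn', message: 'proxy target and dependencytrack.baseUrl name different servers' });
  }
  const methods = (endpoint.allowedMethods ?? []).map(m => m.toUpperCase());
  if (methods.length === 0) {
    out.push({ severity: 'warn', message: "allowedMethods is not set; set it to ['GET'] so the policy is explicit" });
  }
  for (const m of methods) {
    if (m !== 'GET' && m !== 'HEAD') {
      out.push({ severity: 'error', message: `allowedMethods permits ${m}: any portal user could write to Dependency Track with the shared key (e.g. POST /api/v1/bom)` });
    }
  }
  const key = header(endpoint, 'X-Api-Key');
  if (key === undefined) {
    out.push({ severity: 'error', message: 'no X-Api-Key header; Dependency Track will answer 401' });
  } else if (UNRESOLVED.test(key)) {
    out.push({ severity: 'error', message: `X-Api-Key is the unexpanded placeholder ${key}; DEPENDENCYTRACK_API_KEY was not set at runtime` });
  }
  if (endpoint.credentials === 'dangerously-allow-unauthenticated') {
    out.push({ severity: 'error', message: 'endpoint needs no Backstage identity: anyone who can reach the backend reads your portfolio with this key' });
  }
  return out;
}

// Constructed sample: the page's endpoint after env substitution (key value is made up).
const SAMPLE_ENDPOINT: ProxyEndpoint = {
  target: 'https://your.dependencytrack.example',
  allowedMethods: ['GET'],
  headers: { 'X-Api-Key': 'odt_example_not_a_real_key' },
};

// Constructed weak variant (hypothetical hostname) that the lint should reject.
const WEAK_ENDPOINT: ProxyEndpoint = {
  target: 'http://dtrack.internal/',
  allowedMethods: ['GET', 'POST', 'DELETE'],
  headers: { 'x-api-key': '${DEPENDENCYTRACK_API_KEY}' },
  credentials: 'dangerously-allow-unauthenticated',
};
```

Run lintProxyEndpoint against the endpoint object in a CI step that loads your app-config, and treat any error finding as a failed build. forwardedRequest is there to make the blast radius concrete: with the page's config a GET for /api/proxy/dependencytrack/api/v1/project/<uuid> reaches the server with the key attached, while a POST to /api/proxy/dependencytrack/api/v1/bom is refused before it leaves Backstage.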

Enable the proxy on the backend

If your backend already includes the proxy plugin you can skip this.

New backend system

  1. Add the proxy plugin to the backend
// packages/backend/src/index.ts
import { createBackend } from '@backstage/backend-defaults';

const backend = createBackend();

// add your other backend plugins
backend.add(import('@backstage/plugin-catalog-backend'));

// add the proxy plugin; it reads proxy.endpoints from app-config.yaml
backend.add(import('@backstage/plugin-proxy-backend'));

backend.start();

Old backend system

  1. Create a proxy plugin file
// packages/backend/src/plugins/proxy.ts
import { createRouter } from '@backstage/plugin-proxy-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';

// Builds the proxy router from the proxy.endpoints section of app-config.yaml
export default async function createPlugin(env: PluginEnvironment): Promise<Router> {
  return await createRouter({
    logger: env.logger,
    config: env.config,
  });
}
  2. Mount it in the backend
// packages/backend/src/index.ts
import proxy from './plugins/proxy';

// inside the main bootstrap function after you create apiRouter and env;
// mounting at '/proxy' gives the /api/proxy/dependencytrack path the frontend uses
const proxyRouter = await proxy(env);
apiRouter.use('/proxy', proxyRouter);

Add the cards to the entity overview page

  1. Import the components and helper
// packages/app/src/components/catalog/EntityPage.tsx
import {
  EntityDependencytrackSummaryCard,
  EntityDependencytrackFindingCard,
  isDependencytrackAvailable,
} from '@trimm/plugin-dependencytrack';
  2. Add the cards in the overview content. EntitySwitch (from @backstage/plugin-catalog) and Grid (from @material-ui/core) are already imported in the default EntityPage.tsx; isDependencytrackAvailable is true only for entities that carry the project-id annotation, so the cards stay hidden everywhere else.
// inside your overviewContent or Overview section
<EntitySwitch>
  <EntitySwitch.Case if={isDependencytrackAvailable}>
    <Grid item md={6}>
      <EntityDependencytrackSummaryCard />
    </Grid>
  </EntitySwitch.Case>
</EntitySwitch>

<EntitySwitch>
  <EntitySwitch.Case if={isDependencytrackAvailable}>
    <Grid item md={12}>
      <EntityDependencytrackFindingCard />
    </Grid>
  </EntitySwitch.Case>
</EntitySwitch>

Annotate your catalog entities

  1. Add the project id annotation in your entity yaml
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: example
  annotations:
    dependencytrack/project-id: e63d5397-5e9e-494a-4755-368c2b1dc446
spec:
  type: service
  owner: guests
  lifecycle: production

That is all you need to wire the plugin. The cards render for entities that carry the annotation and stay hidden for the rest. The data loads through the proxy path you configured, so a card that stays empty usually means the proxy, the API key's permissions, or the project id is wrong.
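Before committing an entity it is worth checking that the annotation value is a real project id and that the API key the proxy will use can read it. The script below is an added example, not part of the plugin. It assumes the two env vars from the proxy step are exported, sends the same X-Api-Key header the proxy adds, and needs only curl and grep. The status mapping reflects how Dependency Track answers a project lookup: 401 for a bad key, 403 for a key whose team lacks the permission, 404 for an unknown id.

```shell
#!/bin/sh
# Added example (not part of the plugin): verify a dependencytrack/project-id
# annotation against the Dependency Track API with the key the proxy will use.
# Assumes DEPENDENCYTRACK_BASE_URL and DEPENDENCYTRACK_API_KEY are exported.

# A Dependency Track project id is a UUID; reject anything else before any call.
validate_project_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Translate the HTTP status of GET /api/v1/project/{uuid} into what it means
# for the annotation and for the API key.
explain_status() {
  case "$1" in
    200) echo "ok: project exists and the key can read it" ;;
    401) echo "key rejected: DEPENDENCYTRACK_API_KEY is wrong or disabled" ;;
    403) echo "key lacks permission: give its team VIEW_PORTFOLIO" ;;
    404) echo "no such project: the annotation value matches no Dependency Track project" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Look up one project by id, sending the header the proxy would add.
# Returns 0 only when the project exists and the key may read it.
check_project() {
  id="$1"
  if ! validate_project_id "$id"; then
    echo "invalid project id: $id" >&2
    return 1
  fi
  status=$(curl -sS -o /dev/null -w '%{http_code}' \
    -H "X-Api-Key: ${DEPENDENCYTRACK_API_KEY}" \
    "${DEPENDENCYTRACK_BASE_URL%/}/api/v1/project/${id}")
  explain_status "$status"
  [ "$status" = "200" ]
}

# Usage: sh check-project.sh <project-id>
# With no argument only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
  check_project "$1"
fi
```

Run it with the value you are about to put in the annotation; a 403 here will also show up as an empty card in Backstage, because the proxy uses the same key.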

Changelog

The Dependencytrack plugin has not seen any significant changes in the past year.
