Dependency Track is an open source platform that analyzes software bills of materials. It helps you find known vulnerabilities, license risks, and policy violations across your portfolio. Teams feed SBOMs from their pipelines into Dependency Track. The platform then keeps a living inventory and highlights what is affected and where, so you can act with context.
The Dependencytrack Backstage plugin brings those insights into your developer portal. It surfaces metrics and findings for each catalog entity, so engineers can review risk without leaving Backstage. You get a quick view of vulnerability counts and severity. You can drill into recent findings to see what changed and what needs attention. The goal is simple. Put supply chain risk next to the code and services your teams own.
This plugin is useful if you already run Dependency Track and want a single place for service health and security signals. Security teams can use it to keep policy and license issues visible during everyday work. Service owners can spot new problems early and plan fixes alongside other tasks. Platform teams can standardize how risk is shown across many services. If you are investing in SBOMs and portfolio hygiene, this plugin helps your engineers turn that data into action where they spend their time.
Installation Instructions
These instructions apply to self-hosted Backstage only.
Install the frontend package
- From the app package directory

```bash
cd packages/app
yarn add @trimm/plugin-dependencytrack
```
Configure the service and proxy
- Add the base URL and the proxy endpoint to your app config

```yaml
# app-config.yaml
dependencytrack:
  baseUrl: ${DEPENDENCYTRACK_BASE_URL}

proxy:
  endpoints:
    '/dependencytrack':
      target: ${DEPENDENCYTRACK_BASE_URL}
      allowedMethods: ['GET']
      headers:
        X-Api-Key: ${DEPENDENCYTRACK_API_KEY}
```

- Set these env vars in the environment the backend starts in (Backstage substitutes `${...}` at config load time)

```bash
export DEPENDENCYTRACK_BASE_URL="https://your.dependencytrack.example"
export DEPENDENCYTRACK_API_KEY="your_api_key"
```

The frontend calls the backend proxy at `/api/proxy/dependencytrack`. The proxy forwards each request to your Dependency Track server and adds the `X-Api-Key` header on the way out, so the key is never shipped to the browser. Keep `allowedMethods` at `GET` so the route cannot be used to create or modify projects, and create the key in Dependency Track with read-only permissions (`VIEW_PORTFOLIO` and `VIEW_VULNERABILITY` are enough for metrics and findings): anyone who can reach the proxy route in your Backstage instance can act with whatever permissions that key holds.
Enable the proxy on the backend
If your backend already includes the proxy plugin you can skip this.
New backend system
- Add the proxy plugin to the backend

```ts
// packages/backend/src/index.ts
import { createBackend } from '@backstage/backend-defaults';

const backend = createBackend();

// add your other backend plugins
backend.add(import('@backstage/plugin-catalog-backend'));

// add the proxy plugin; it reads the proxy.endpoints block from app-config.yaml
backend.add(import('@backstage/plugin-proxy-backend'));

backend.start();
```
Old backend system
- Create a proxy plugin file

```ts
// packages/backend/src/plugins/proxy.ts
import { createRouter } from '@backstage/plugin-proxy-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';

export default async function createPlugin(env: PluginEnvironment): Promise<Router> {
  return await createRouter({
    logger: env.logger,
    config: env.config,
  });
}
```

- Mount it in the backend

```ts
// packages/backend/src/index.ts
import proxy from './plugins/proxy';

// inside the main bootstrap function, after you create apiRouter and env
const proxyEnv = useHotMemoize(module, () => createEnv('proxy'));
const proxyRouter = await proxy(proxyEnv);
apiRouter.use('/proxy', proxyRouter);
```
Add the cards to the entity overview page
- Import the components and helper (most apps already import `Grid` and `EntitySwitch`; add them if yours does not)

```tsx
// packages/app/src/components/catalog/EntityPage.tsx
import { Grid } from '@material-ui/core';
import { EntitySwitch } from '@backstage/plugin-catalog';
import {
  EntityDependencytrackSummaryCard,
  EntityDependencytrackFindingCard,
  isDependencytrackAvailable,
} from '@trimm/plugin-dependencytrack';
```

- Add the cards in the overview content. Both cards share the same availability check, so one `EntitySwitch` is enough

```tsx
// inside your overviewContent or Overview section
<EntitySwitch>
  <EntitySwitch.Case if={isDependencytrackAvailable}>
    <Grid item md={6}>
      <EntityDependencytrackSummaryCard />
    </Grid>
    <Grid item md={12}>
      <EntityDependencytrackFindingCard />
    </Grid>
  </EntitySwitch.Case>
</EntitySwitch>
```
Annotate your catalog entities
- Add the project id annotation to your entity yaml. The value is the Dependency Track project UUID, visible in the project's URL in the Dependency Track UI

```yaml
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: example
  annotations:
    dependencytrack/project-id: e63d5397-5e9e-494a-4755-368c2b1dc446
spec:
  type: service
  owner: guests
  lifecycle: production
```

That is all you need to wire the plugin. The cards render only for entities that carry the annotation, and their data loads through the proxy path you configured.
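The wiring above depends on three things that are easy to get subtly wrong: the annotation value, the proxy path the frontend calls, and what a card does with the response. The TypeScript below is an added example, not code from the plugin or from Roadie. It assumes the Dependency Track REST endpoint `GET /api/v1/metrics/project/{uuid}/current` behind the proxy; the plugin's real request paths and how it treats a malformed annotation are not shown on this page. The example validates the `dependencytrack/project-id` annotation as a UUID before interpolating it into a URL (catalog-info.yaml is written by repository committers, and an unchecked value such as `../../project` would select a different Dependency Track endpoint behind the GET-only proxy), builds the proxy URL, and reduces a metrics payload to the counts a summary card shows. `Entity` is a minimal stand-in for Backstage's type and the sample entity and payload are constructed.

```typescript
// Added example, not the plugin's code. Minimal stand-in for Backstage's
// Entity type so this runs without @backstage/catalog-model.
type Entity = {
  metadata: { name: string; annotations?: Record<string, string> };
};

const DEPENDENCYTRACK_PROJECT_ID_ANNOTATION = 'dependencytrack/project-id';

// Proxy path from app-config.yaml. The frontend talks to this, never to the
// Dependency Track server directly, so the API key stays on the backend.
const PROXY_PREFIX = '/api/proxy/dependencytrack';

// Dependency Track project ids are UUIDs. Reject anything else before it is
// interpolated into a URL: the annotation is controlled by whoever edits
// catalog-info.yaml, and a value like "../../project" would redirect the
// request to a different Dependency Track endpoint behind the proxy.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function projectIdFromEntity(entity: Entity): string | undefined {
  const raw = entity.metadata.annotations?.[DEPENDENCYTRACK_PROJECT_ID_ANNOTATION];
  if (raw === undefined) return undefined;
  const value = raw.trim();
  return UUID_RE.test(value) ? value.toLowerCase() : undefined;
}

// The check an EntitySwitch.Case would use: render the cards only when the
// entity carries a usable project id, not merely a present annotation.
function isDependencytrackAvailableStrict(entity: Entity): boolean {
  return projectIdFromEntity(entity) !== undefined;
}

// Assumed endpoint (Dependency Track REST API, current project metrics).
function metricsUrl(projectId: string): string {
  if (!UUID_RE.test(projectId)) throw new Error('project id must be a UUID');
  return `${PROXY_PREFIX}/api/v1/metrics/project/${encodeURIComponent(projectId)}/current`;
}

// Only the fields this example reads from the metrics response.
type ProjectMetrics = {
  critical: number; high: number; medium: number; low: number; unassigned: number;
  vulnerabilities: number; policyViolationsTotal?: number;
};

type Summary = { bySeverity: Record<string, number>; total: number; worst: string };

// Collapse a metrics payload into what a summary card shows: counts per
// severity, the total, and the worst severity that has at least one finding.
function summarize(m: ProjectMetrics): Summary {
  const order = ['critical', 'high', 'medium', 'low', 'unassigned'] as const;
  const bySeverity: Record<string, number> = {};
  for (const s of order) bySeverity[s] = m[s] ?? 0;
  const total = order.reduce((n, s) => n + bySeverity[s], 0);
  const worst = order.find(s => bySeverity[s] > 0) ?? 'none';
  return { bySeverity, total, worst };
}

// Constructed sample data, not a real project or a real Dependency Track response.
const sampleEntity: Entity = {
  metadata: {
    name: 'example',
    annotations: { [DEPENDENCYTRACK_PROJECT_ID_ANNOTATION]: 'e63d5397-5e9e-494a-4755-368c2b1dc446' },
  },
};
const tamperedEntity: Entity = {
  metadata: {
    name: 'tampered',
    annotations: { [DEPENDENCYTRACK_PROJECT_ID_ANNOTATION]: '../../project?searchText=internal' },
  },
};
const sampleMetrics: ProjectMetrics = {
  critical: 0, high: 2, medium: 5, low: 1, unassigned: 0, vulnerabilities: 8, policyViolationsTotal: 1,
};

// Usage: the tampered entity yields no project id, so no request is built for it.
console.log(projectIdFromEntity(sampleEntity), projectIdFromEntity(tamperedEntity));
console.log(metricsUrl(projectIdFromEntity(sampleEntity)!), summarize(sampleMetrics));
```

The validation is deliberately stricter than "annotation present": a card that renders for any non-empty value will issue a request for whatever string is in the catalog file, and the proxy's `allowedMethods: ['GET']` limits the verb, not the path.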
Changelog
The Dependencytrack plugin has not seen any significant changes since a year ago.