Dependency Control is a centralized security and compliance platform for managing software supply chain risks. It aggregates SBOMs, secret scans, SAST, and IaC analysis to provide a unified view of your project's security posture.
| Category | Capabilities |
|---|---|
| Security Analysis | Vulnerability scanning (Trivy, Grype, OSV), Secret detection, SAST, Malware & Typosquatting detection |
| Compliance | License compliance checking, End-of-Life monitoring, Policy enforcement with waivers |
| Management | Project & Team management, Role-based access control, 2FA authentication |
| Integrations | GitLab CI/CD (OIDC), GitHub Actions, Webhooks, Email/Slack/Mattermost notifications |
| Visibility | Risk scoring, Trend analysis, SBOM inventory, Centralized dashboard |
Dependency Control integrates with leading open-source security tools to provide comprehensive coverage.
These tools run in your pipeline and send data to Dependency Control:
- Syft - Generates Software Bill of Materials (SBOM) from container images and filesystems.
- TruffleHog - Scans for leaked credentials and secrets in your codebase.
- OpenGrep - Fast and lightweight Static Application Security Testing (SAST).
- Bearer - Code security scanning focusing on sensitive data flows and privacy.
- KICS - Finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in IaC.
Once an SBOM is ingested, the backend performs deep analysis using:
- Trivy & Grype - Vulnerability scanning against the SBOM.
- OSV.dev - Distributed vulnerability database.
- Deps.dev - Insights on dependency health and security.
- End-of-Life - Checks for software components that have reached their end of life.
- Malware Detection - Checks packages against known open-source malware databases.
- Typosquatting - Detects potential typosquatting attacks in dependency names.
- License Compliance - Analyzes licenses for compliance and risk.
Running it with Docker Compose is the easiest way to run Dependency Control locally.
Add the following to your /etc/hosts file to route traffic correctly via Traefik:
```
127.0.0.1 dependencycontrol.local api.dependencycontrol.local metabase.local
```
Then build and start the stack:
```sh
docker compose up -d --build
```
- Frontend Dashboard: https://dependencycontrol.local
- Backend API Docs: https://api.dependencycontrol.local/docs
- Metabase (Analytics): https://metabase.local
Note: Accept the self-signed certificate warning in your browser.
Dependency Control is designed to sit in your CI/CD pipeline.
Enable GitLab Integration in the System Settings, then use the CI_JOB_TOKEN to authenticate. No manual API Key management required!
```yaml
dependency-scan:
  script:
    - |
      curl -X POST "https://api.dependencycontrol.local/api/v1/ingest" \
        -H "Content-Type: application/json" \
        -H "JOB-TOKEN: $CI_JOB_TOKEN" \
        -d @payload.json
```
For other systems (GitHub Actions, Jenkins), generate a Project API Key in the dashboard and use the X-API-Key header.
```sh
curl -X POST "https://api.dependencycontrol.local/api/v1/ingest" \
  -H "x-api-key: $DEP_CONTROL_API_KEY" \
  ...
```
👉 See ci-cd/ for complete pipeline examples.
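A small Python client for the ingest call, added here as an example and not part of the project's code or its ci-cd/ examples: it selects the JOB-TOKEN header when GitLab's predefined GITLAB_CI and CI_JOB_TOKEN variables are present and X-API-Key otherwise, refuses to send either credential over plaintext HTTP, and keeps TLS verification on by pointing at a CA bundle rather than disabling it for the self-signed local certificate. The variable name DEP_CONTROL_API_KEY is taken from the curl snippet above; the contents of payload.json are not described on this page, so the client forwards the JSON file unchanged.

```python
import json
import os
import ssl
import urllib.request
from pathlib import Path

INGEST_PATH = "/api/v1/ingest"


def auth_headers(env=None):
    """Pick the credential header: GitLab jobs (GITLAB_CI=true plus CI_JOB_TOKEN)
    use JOB-TOKEN; everything else needs a Project API Key in DEP_CONTROL_API_KEY
    (variable name assumed from the README's curl example)."""
    env = os.environ if env is None else env
    if env.get("GITLAB_CI") == "true" and env.get("CI_JOB_TOKEN"):
        return {"JOB-TOKEN": env["CI_JOB_TOKEN"]}
    api_key = env.get("DEP_CONTROL_API_KEY")
    if not api_key:
        raise RuntimeError("set CI_JOB_TOKEN (GitLab) or DEP_CONTROL_API_KEY")
    return {"X-API-Key": api_key}


def build_request(base_url, payload, env=None):
    """Build the POST to /api/v1/ingest; credentials only ever travel over TLS."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over plaintext HTTP")
    headers = {"Content-Type": "application/json", **auth_headers(env)}
    return urllib.request.Request(
        base_url.rstrip("/") + INGEST_PATH,
        data=json.dumps(payload).encode(),
        headers=headers,
        method="POST",
    )


def ingest(base_url, payload_path, env=None, ca_bundle=None, timeout=30):
    """Send payload.json and return (HTTP status, parsed response body).
    ca_bundle is the CA (or self-signed cert) that signed the server certificate;
    verification stays on either way, None means the system trust store."""
    payload = json.loads(Path(payload_path).read_text())
    req = build_request(base_url, payload, env)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else {})
```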
A Helm chart is available for production deployments.
```sh
helm upgrade --install dependency-control ./helm/dependency-control \
  --namespace dependency-control --create-namespace \
  --set backend.secrets.secretKey="CHANGE_ME"
```
MIT License. See LICENSE for details.