dependency-track
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches official deployment templates and Helm charts from the Dependency-Track project website (dependencytrack.org) and its official GitHub organization.
- [EXTERNAL_DOWNLOADS]: References official security tools such as Syft and CycloneDX from well-known community sources for SBOM generation.
- [COMMAND_EXECUTION]: Provides Bash and Python utility scripts that interact with the Dependency-Track REST API using standard tools like
curland therequestslibrary to automate supply chain security tasks. - [PROMPT_INJECTION]: The skill documents workflows for ingesting external SBOM data (JSON/XML) into the agent's context. While this creates an indirect prompt injection surface common to SCA tools, the risk is mitigated by the structured nature of the data and the intended use case of security analysis.
- Ingestion points: SBOM files processed in CI/CD pipeline examples (e.g.,
references/cicd/github-action.yaml). - Boundary markers: Not explicitly defined in the example integration scripts.
- Capability inventory: Platform management via
docker,helm, andkubectl; API interaction viacurlandpython. - Sanitization: Standard API-level validation is performed by the Dependency-Track server upon upload.
Audit Metadata