
Dependency Manager Integrations

Introduction

By default, Metaport queries its own database for dependencies and vulnerabilities, using data derived from agents that are configured to report in periodically. Metaport can also query alternative backend systems such as Dependabot and DependencyTrack.

Setup

Navigate to an application's "Settings" area and expand the "Dependency Source Settings" accordion. If there is a connection error with a backend system, the dependency manager icon on the application dashboard changes from a green tick (check) to a red cross; hovering over it shows "Connection: Error".

Metaport/Agent

No further configuration is necessary, as Metaport/Agent is the system-wide default. In this mode, data is received from an agent.

When data is received, local Dependency and Vulnerability records are created. When an alternative dependency backend is in use, these local records are not used; live API requests to that backend are made instead.

DependencyTrack

DependencyTrack requires a DependencyTrack team identifier and application identifier to be set in your Metaport application records.

The settings are as follows:

  • Host field: e.g. https://dependencytrack.yourorg.org:8443
  • API Key or Token field: Use a valid team-level API token
  • Team Identifier field: Use the DependencyTrack team's UUID
  • Project Identifier field: Use the DependencyTrack project's UUID

Dependabot

Dependabot is accessed through GitHub's API. It does not require a team identifier to be set, but an application identifier is required on each application record.

The settings are as follows:

  • Host field: https://api.github.com
  • API Key or Token field: Use a valid GitHub API token
  • Team Identifier field: Leave this blank
  • Project Identifier field: Use the repository name, i.e. <org_name>/<repo_name>

Tip

The repository you configure here needs to have "Dependencies" and "Dependabot" properly set up in GitHub itself. Check the settings available at <org>/<repo>/network/updates and <org>/<repo>/settings/security_analysis.

Tip

The GitHub API token needs to be created with several permissions before dependency and vulnerability data will be successfully pulled into Metaport.
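As an added example that is not part of Metaport, the following Python pre-flight check validates the field values described above for both the DependencyTrack and Dependabot backends before they are saved, so that a misconfiguration is caught before the dashboard icon turns to a red cross. The endpoint paths it builds are the standard DependencyTrack and GitHub ones and are an assumption; this page does not say which endpoints Metaport itself calls.

```python
import re
from urllib.parse import urlsplit
from uuid import UUID

# <org_name>/<repo_name>, as required in the Dependabot "Project Identifier" field
REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def check_backend_settings(backend, host, token, team_id, project_id):
    """Return a list of problems with the settings; an empty list means they look usable."""
    problems = []
    parts = urlsplit(host or "")
    if parts.scheme != "https" or not parts.netloc:
        problems.append("Host must be an https:// URL with a hostname")
    if not (token or "").strip():
        problems.append("API Key or Token is empty")
    if backend == "dependencytrack":
        # Team Identifier and Project Identifier are DependencyTrack UUIDs
        for label, value in (("Team", team_id), ("Project", project_id)):
            try:
                UUID(str(value))
            except ValueError:
                problems.append(f"{label} Identifier is not a UUID")
    elif backend == "dependabot":
        if parts.netloc != "api.github.com":
            problems.append("Host should be https://api.github.com")
        if (team_id or "").strip():
            problems.append("Team Identifier must be left blank for Dependabot")
        if not REPO_RE.match(project_id or ""):
            problems.append("Project Identifier must be <org_name>/<repo_name>")
    else:
        problems.append(f"Unknown backend {backend!r}")
    return problems


def first_request_url(backend, host, project_id):
    """Build the URL a connection test would call (assumed standard endpoints, see lead-in)."""
    base = host.rstrip("/")
    if backend == "dependencytrack":
        return f"{base}/api/v1/project/{project_id}"
    if backend == "dependabot":
        return f"{base}/repos/{project_id}/dependabot/alerts"
    raise ValueError(f"Unknown backend {backend!r}")


if __name__ == "__main__":
    # Constructed sample values, not real credentials or identifiers
    sample = ("dependencytrack", "http://dependencytrack.yourorg.org:8443", "odt_example",
              "not-a-uuid", "123e4567-e89b-12d3-a456-426614174000")
    for problem in check_backend_settings(*sample):
        print("Connection: Error -", problem)
```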