Generate an API key in Dependency-Track under Administration > Access Management > Teams; assign the team the Portfolio Management or Automation permission as needed for your use case.
Create or look up a project via the PUT /api/v1/project endpoint, supplying name and version in the JSON body; note the returned project UUID.
Upload the SBOM (CycloneDX JSON or XML) using the PUT /api/v1/bom endpoint with the project UUID and the SBOM content as a base64-encoded string or as a multipart form; Dependency-Track queues analysis after upload.
Poll the GET /api/v1/bom/token/{token} endpoint with the token returned from the upload until the processing status is PROCESSED, indicating the vulnerability and license analysis is complete.
Query GET /api/v1/violation/project/{uuid} to retrieve policy violations for the project; parse the response for violationState (FAIL, WARN, INFO) to fail or flag a CI pipeline.
Known gotchas
Dependency-Track processes SBOMs asynchronously; polling the token endpoint is necessary before trusting violation counts — querying violations immediately after upload will return stale data.
Policy violations in Dependency-Track are driven by configured policies under Administration; if no policies are configured, no violations will be returned even if vulnerabilities exist.
API key permissions are scoped per team; ensure the team associated with the API key has access to the project being queried, otherwise the API returns empty results rather than a 403 error.
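The five steps above and the three gotchas, put together as a small CI gate. This is an added example, not code from the page or from the Dependency-Track project; it assumes a DT_URL and DT_API_KEY environment variable, the Dependency-Track 4.x JSON field names noted in the comments (X-Api-Key header, "token" in the upload response, a "processing" boolean on the token endpoint, and policyCondition.policy.violationState on each violation), and it accepts a "status": "PROCESSED" body as well since that is the wording used above. The HTTP transport is injected as a plain callable so the flow can be exercised offline against a fake.

```python
"""Added example (not from the page or Dependency-Track): upload -> poll ->
violation-check gate using only the standard library. Assumed: DT_URL and
DT_API_KEY in the environment and the Dependency-Track 4.x JSON shapes below."""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.request

def make_client(base_url, api_key):
    """Return a callable (method, path, body) -> parsed JSON.
    Dependency-Track authenticates API keys through the X-Api-Key header."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("X-Api-Key", api_key)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call

def create_project(client, name, version):
    """Step 2: PUT /api/v1/project creates the project; the response carries its uuid."""
    return client("PUT", "/api/v1/project", {"name": name, "version": version})["uuid"]

def upload_bom(client, project_uuid, sbom_bytes):
    """Step 3: PUT /api/v1/bom with the SBOM base64-encoded; returns the processing token."""
    encoded = base64.b64encode(sbom_bytes).decode("ascii")
    return client("PUT", "/api/v1/bom", {"project": project_uuid, "bom": encoded})["token"]

def upload_is_done(status_body):
    """True once the token endpoint says the SBOM is processed. Dependency-Track 4.x
    answers {"processing": true|false}; a "status": "PROCESSED" body is accepted too."""
    if status_body.get("status") == "PROCESSED":
        return True
    return status_body.get("processing") is False

def wait_for_processing(client, token, timeout_s=300, interval_s=2.0, sleep=time.sleep):
    """Step 4: poll GET /api/v1/bom/token/{token} until done; returns the poll count.
    Reading violations before this returns is the stale-data gotcha."""
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        polls += 1
        if upload_is_done(client("GET", f"/api/v1/bom/token/{token}")):
            return polls
        if time.monotonic() >= deadline:
            raise TimeoutError(f"SBOM token {token} still processing after {timeout_s}s")
        sleep(interval_s)

def summarize_violations(violations):
    """Count violations by state; each PolicyViolation nests it under
    policyCondition.policy.violationState (INFO, WARN or FAIL)."""
    counts = {"INFO": 0, "WARN": 0, "FAIL": 0}
    for v in violations:
        counts[v["policyCondition"]["policy"]["violationState"]] += 1
    return counts

def pipeline_verdict(counts):
    """Any FAIL fails the build, WARN only flags it, otherwise pass."""
    return "fail" if counts["FAIL"] else ("warn" if counts["WARN"] else "pass")

def fetch_violations(client, project_uuid):
    """Step 5, with the permissions gotcha handled: confirm the key can see the
    project before treating an empty violation list as 'clean'. An empty list is
    also what you get when no policies are configured, so that is checked by hand."""
    try:
        client("GET", f"/api/v1/project/{project_uuid}")
    except urllib.error.HTTPError as exc:
        raise PermissionError(
            f"project {project_uuid} not visible to this API key (HTTP {exc.code})") from exc
    return client("GET", f"/api/v1/violation/project/{project_uuid}")

if __name__ == "__main__":
    # Usage: python dt_gate.py bom.json   (DT_URL / DT_API_KEY set in the environment)
    dt = make_client(os.environ["DT_URL"], os.environ["DT_API_KEY"])
    uuid = create_project(dt, "example-service", "1.0.0")  # constructed sample names
    with open(sys.argv[1], "rb") as fh:
        token = upload_bom(dt, uuid, fh.read())
    wait_for_processing(dt, token)
    verdict = pipeline_verdict(summarize_violations(fetch_violations(dt, uuid)))
    print(verdict)
    sys.exit(1 if verdict == "fail" else 0)
```

Because the client is a plain callable, the same functions run against a recorded or fake transport in unit tests, which is how the polling and verdict logic is checked below without a live server.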
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp