Upload a CycloneDX SBOM to Dependency-Track via the REST API or the web UI, associating it with the correct project and version
Confirm that Dependency-Track has fetched vulnerability data from its configured analyzers for all ingested components
Navigate to the policy management section and define policies based on vulnerability severity, license type, or PURL pattern
Review the policy violations tab on the project to identify components that breach defined policies
Integrate Dependency-Track webhooks or notifications to alert on new violations when SBOMs are updated
Export a findings report in a structured format for compliance review or ticketing
Known gotchas
Dependency-Track's vulnerability analysis depends on background workers that may not complete immediately after SBOM upload; querying for violations too soon returns incomplete results
Component identity resolution relies on PURL accuracy in the SBOM; components without a valid PURL may not be matched to vulnerability records
Policy violations are evaluated at ingestion time; changes to policy definitions after ingestion will not retroactively flag existing components until the SBOM is re-ingested or a manual re-analysis is triggered
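The six steps above and the three gotchas, worked through in one added Python example. This is not Dependency-Track's own client code and not part of the original page; it assumes Dependency-Track's v1 REST endpoints PUT /api/v1/bom, GET /api/v1/bom/token/{token} and GET /api/v1/violation/project/{uuid}, authentication via an X-Api-Key header, and placeholder values for the server URL, API key, project name and project UUID. The SBOM and the violation payloads are constructed sample data. The client uses only the standard library, flags components that carry no PURL before upload, and polls the upload token until background processing finishes before it reads violations, so partial results are never reported.

```python
import base64
import json
import time
import urllib.request


def components_without_purl(bom: dict) -> list:
    """Gotcha check: names of CycloneDX components with no 'purl'.
    Such components cannot be matched to vulnerability records."""
    return [c.get("name", "<unnamed>") for c in bom.get("components", [])
            if not c.get("purl")]


def build_bom_upload(project_name: str, project_version: str,
                     bom_bytes: bytes, auto_create: bool = True) -> dict:
    """JSON body for PUT /api/v1/bom (assumed API); the BOM is base64-encoded."""
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": auto_create,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def urllib_transport(method: str, url: str, headers: dict, body):
    """Real HTTP transport (stdlib only); returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def canned_transport(responses: list):
    """Offline transport: returns constructed responses in order and records
    each call so the request sequence can be checked."""
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url))
        return responses.pop(0)
    return transport, calls


class DependencyTrackClient:
    def __init__(self, base_url: str, api_key: str, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
        self.transport = transport  # injectable so the flow runs offline

    def _call(self, method, path, body=None):
        return self.transport(method, self.base_url + path, self.headers, body)

    def upload_bom(self, project_name, project_version, bom_bytes) -> str:
        """Step 1: upload the SBOM; the server answers with a processing token."""
        body = build_bom_upload(project_name, project_version, bom_bytes)
        return self._call("PUT", "/api/v1/bom", body)["token"]

    def wait_until_processed(self, token, attempts=60, interval=5.0,
                             sleep=time.sleep) -> bool:
        """Step 2 / gotcha: poll the token until 'processing' is false.
        Returns False when the attempt limit is hit, so callers never read
        the incomplete results the page warns about."""
        for _ in range(attempts):
            if not self._call("GET", f"/api/v1/bom/token/{token}")["processing"]:
                return True
            sleep(interval)
        return False

    def policy_violations(self, project_uuid) -> list:
        """Step 4: policy violations for the project (empty list if none)."""
        return self._call("GET", f"/api/v1/violation/project/{project_uuid}") or []


def summarize_violations(violations: list) -> dict:
    """Step 6 input: count violations per (type, violationState) for a report."""
    summary = {}
    for v in violations:
        policy = v.get("policyCondition", {}).get("policy", {})
        key = (v.get("type", "UNKNOWN"), policy.get("violationState", "UNKNOWN"))
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample data (placeholder project, not real findings).
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "vendored-lib", "version": "0.1"},  # no purl: will not be matched
]}
SAMPLE_VIOLATIONS = [
    {"type": "SECURITY", "policyCondition": {"policy": {"violationState": "FAIL"}},
     "component": {"name": "log4j-core"}},
    {"type": "LICENSE", "policyCondition": {"policy": {"violationState": "WARN"}},
     "component": {"name": "log4j-core"}},
]


def run_offline_flow() -> dict:
    """Whole flow against canned responses: upload, two 'still processing'
    polls, one 'done', then the violation list."""
    transport, calls = canned_transport([
        {"token": "tok-123"},
        {"processing": True}, {"processing": True}, {"processing": False},
        SAMPLE_VIOLATIONS,
    ])
    client = DependencyTrackClient("https://dtrack.example.invalid",
                                   "PLACEHOLDER_API_KEY", transport=transport)
    token = client.upload_bom("payments-api", "1.4.0", json.dumps(SAMPLE_BOM).encode())
    done = client.wait_until_processed(token, attempts=10, sleep=lambda s: None)
    violations = client.policy_violations("00000000-0000-0000-0000-000000000000") if done else []
    return {"missing_purl": components_without_purl(SAMPLE_BOM), "processed": done,
            "polls": sum(1 for _, url in calls if "/bom/token/" in url),
            "summary": summarize_violations(violations)}


if __name__ == "__main__":
    print(run_offline_flow())
```

To run it against a live instance, construct the client without the `transport` argument so the stdlib HTTP transport is used, and give `wait_until_processed` a sensible attempt budget; the `attempts` limit is what turns the "queried too soon" gotcha into an explicit failure instead of a silently empty violation list.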