Self-Hosted Dependency Visualization & Component Analysis — Dependency-Track vs ORT vs Trivy

Software supply chain security has become critical infrastructure for every engineering team. When your application depends on hundreds of open-source packages, knowing what’s inside your dependencies — and whether they contain known vulnerabilities — is no longer optional. While SBOM analysis tools focus on generating bills of materials, dependency visualization goes further: it maps relationships between components, tracks risk across your entire dependency tree, and surfaces actionable intelligence about outdated or compromised packages.

In this guide, we compare three leading self-hosted dependency visualization and component analysis platforms: OWASP Dependency-Track, OSS Review Toolkit (ORT), and Aqua Trivy. Each takes a different approach to dependency intelligence — from continuous monitoring to CI-integrated scanning — and we’ll help you choose the right tool for your workflow.

What Is Dependency Visualization?

Dependency visualization transforms raw package manifests into interactive, navigable graphs that show how components relate to each other. Instead of a flat list of libraries, you get a hierarchical view that reveals:

• Direct vs. transitive dependencies — which packages you explicitly depend on vs. those pulled in automatically
• Vulnerability propagation paths — how a CVE in a deep transitive dependency affects your application
• License compliance chains — whether a permissive-licensed package pulls in copyleft-licensed sub-dependencies
• Version drift — where different parts of your project use different versions of the same library

The three tools we’re comparing each address these needs differently. Dependency-Track provides continuous monitoring with a web UI dashboard. ORT offers comprehensive compliance analysis with detailed dependency tree reports. Trivy delivers fast, CI-friendly scanning with both CLI and dashboard options.

Comparison Table

OWASP Dependency-Track

Dependency-Track is an intelligent Component Analysis platform from the OWASP foundation. It continuously monitors your software supply chain by ingesting Software Bill of Materials (SBOM) files and correlating components against known vulnerability databases.

Key strengths:

• Real-time vulnerability monitoring with email and webhook notifications
• Policy engine for automated risk gating (e.g., “block builds with critical CVEs”)
• Full REST API for integration with CI/CD pipelines
• Portfolio management — track multiple projects and versions

When to use: Best for teams that need continuous monitoring and want a centralized dashboard for all project dependencies.

Docker Compose Deployment

Dependency-Track ships with an official Docker image and requires a PostgreSQL backend for production use:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

version: '3.8'
services:
  dtrack-postgres:
    image: postgres:16-alpine
    container_name: dtrack-postgres
    environment:
      POSTGRES_DB: dependencytrack
      POSTGRES_USER: dtrack
      POSTGRES_PASSWORD: dtrack-password
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - dtrack-network

  dtrack-api:
    image: dependencytrack/apiserver:latest
    container_name: dtrack-api
    depends_on:
      - dtrack-postgres
    environment:
      - ALPINE_DATABASE_URL=jdbc:postgresql://dtrack-postgres:5432/dependencytrack
      - ALPINE_DATABASE_USERNAME=dtrack
      - ALPINE_DATABASE_PASSWORD=dtrack-password
      - ALPINE_DATABASE_POOL_ENABLED=true
    ports:
      - "8081:8080"
    volumes:
      - dtrack-data:/data
    networks:
      - dtrack-network
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend:latest
    container_name: dtrack-frontend
    depends_on:
      - dtrack-api
    environment:
      - API_BASE_URL=http://localhost:8081
    ports:
      - "8080:8080"
    networks:
      - dtrack-network
    restart: unless-stopped

volumes:
  postgres-data:
  dtrack-data:

networks:
  dtrack-network:
    driver: bridge

Install and access:

1
2
3
4

docker compose up -d
# Frontend: http://localhost:8080
# API: http://localhost:8081
# Default admin: admin / admin

OSS Review Toolkit (ORT)

ORT is a comprehensive suite of tools from the OSS community that automates software compliance checks across your entire dependency tree. It analyzes your source code, resolves dependencies, downloads sources, scans for vulnerabilities, and generates detailed compliance reports.

Key strengths:

• End-to-end pipeline: analyzer → downloader → scanner → evaluator → reporter
• Support for 30+ package managers (Maven, Gradle, npm, pip, Go, Cargo, etc.)
• Curated license catalog with policy evaluation
• Generates detailed HTML, PDF, and SPDX reports

When to use: Best for organizations with strict compliance requirements that need detailed dependency analysis reports for audits.

Docker Deployment

ORT provides Docker images for each tool in the suite. Here’s a Docker Compose setup for running ORT analyzer and reporter:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

version: '3.8'
services:
  ort-analyzer:
    image: ghcr.io/oss-review-toolkit/ort:latest
    container_name: ort-analyzer
    volumes:
      - ./project:/project:ro
      - ./ort-output:/output
    working_dir: /project
    command: >
      analyze
      --package-curations-file /output/curations.yml
      --repository-directory .
      --output-formats CycloneDX,SPDX
      --output-dir /output/analyzer
    networks:
      - ort-network

  ort-scanner:
    image: ghcr.io/oss-review-toolkit/ort:latest
    container_name: ort-scanner
    depends_on:
      - ort-analyzer
    volumes:
      - ./ort-output:/output
      - ./ort-config:/config:ro
    command: >
      scan
      --scan-file /output/analyzer/analyzer-result.yml
      --storage-types HTTP
      --storage-http-url http://ort-storage:8080
      --output-dir /output/scanner
    networks:
      - ort-network

volumes:
  ort-output:
  ort-config:

networks:
  ort-network:
    driver: bridge

Run the analysis pipeline:

1
2

docker compose up ort-analyzer
# Results in ./ort-output/analyzer/

Aqua Trivy

Trivy by Aqua Security is a comprehensive security scanner that finds vulnerabilities, misconfigurations, secrets, and license issues. While primarily known as a CLI tool, Trivy has evolved into a full platform with Trivy UI (dashboard) and Trivy Operator for Kubernetes.

Key strengths:

• Fast, comprehensive scanning of containers, filesystems, Git repos, and Kubernetes clusters
• Built-in vulnerability databases updated multiple times daily
• Multiple output formats: JSON, CycloneDX, SPDX, SARIF
• Trivy UI provides a web dashboard for scan results
• Trivy Operator runs natively in Kubernetes

When to use: Best for teams wanting fast, integrated scanning in CI/CD pipelines with optional dashboard visualization.

Docker Compose Deployment

Trivy can run as a standalone scanner or with the Trivy UI dashboard:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

version: '3.8'
services:
  trivy-scanner:
    image: aquasec/trivy:latest
    container_name: trivy-scanner
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./trivy-cache:/root/.cache/
      - ./scan-target:/scan:ro
    command: >
      image
      --format json
      --output /results/scan-results.json
      --scanners vuln,secret,license
      --cache-dir /root/.cache/
      nginx:latest
    networks:
      - trivy-network

  trivy-ui:
    image: aquasec/trivy-ui:latest
    container_name: trivy-ui
    ports:
      - "4040:8080"
    environment:
      - TRIVY_UI_SERVER_ADDR=0.0.0.0:8080
    volumes:
      - ./trivy-results:/results:ro
    networks:
      - trivy-network
    restart: unless-stopped

volumes:
  trivy-cache:
  scan-target:
  trivy-results:

networks:
  trivy-network:
    driver: bridge

Scan a container image:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Quick scan
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:latest image nginx:latest

# Scan with SBOM output
docker run --rm aquasec/trivy:latest image --format spdx-json nginx:latest > sbom.json

# Upload SBOM to Dependency-Track
curl -X POST "http://localhost:8081/api/v1/bom" \
  -H "X-API-Key: your-api-key" \
  -F "project=your-project-uuid" \
  -F "bom=@sbom.json"

Integrating the Tools

These tools work best together in a defense-in-depth strategy:

1. Trivy in CI — Fast scanning on every commit for immediate feedback
2. ORT for compliance — Periodic deep analysis for audit-ready reports
3. Dependency-Track for monitoring — Continuous monitoring of all project SBOMs

You can chain them: Trivy generates SBOMs in CI → uploads to Dependency-Track → ORT runs weekly for compliance reports → all dashboards alert on new CVEs.

Why Self-Host Dependency Analysis?

Running dependency analysis tools on your own infrastructure gives you full control over sensitive data. Your SBOM reveals your entire technology stack — a valuable intelligence asset that shouldn’t leave your network. Self-hosting also means no per-project pricing, no API rate limits, and the ability to customize vulnerability thresholds to your organization’s risk tolerance.

For organizations managing complex container deployments, combining dependency analysis with container image scanning creates a complete supply chain security pipeline. And if you’re already managing dependency automation for version updates, dependency visualization adds the security intelligence layer that automated updates alone can’t provide.

FAQ

What is the difference between SBOM and dependency visualization?

An SBOM (Software Bill of Materials) is a structured inventory of all components in your software. Dependency visualization takes SBOM data and presents it as an interactive graph showing relationships, risk propagation paths, and version drift across your dependency tree. Think of SBOM as the raw data and visualization as the analytical interface.

Can these tools detect vulnerabilities in transitive dependencies?

Yes. All three tools resolve the full dependency tree, including transitive (indirect) dependencies. Dependency-Track tracks vulnerability data for every component in the SBOM. ORT’s analyzer resolves the complete dependency graph. Trivy’s scanner checks all layers of a container image and all resolved dependencies.

Do these tools require internet access for vulnerability databases?

By default, yes — they download vulnerability data from NVD, GitHub Advisories, and other sources. However, all three support offline operation: Dependency-Track can mirror vulnerability databases, ORT uses locally curated data, and Trivy supports offline vulnerability databases via its --download-db-only flag.

Which tool is best for Kubernetes environments?

Trivy has the strongest Kubernetes integration via Trivy Operator, which runs natively as a Kubernetes controller and continuously scans cluster resources. Dependency-Track can monitor Kubernetes deployments by ingesting SBOMs from your CI/CD pipeline. ORT integrates via CI pipelines that build container images for Kubernetes.

How often should I run dependency scans?

For active projects, run Trivy scans on every commit (CI integration). Run Dependency-Track continuous monitoring — it automatically checks new vulnerabilities against your uploaded SBOMs. Run ORT analysis weekly or before major releases for comprehensive compliance reports.

Can I use these tools with private/internal packages?

Yes. All three tools support private package registries. Dependency-Track accepts SBOMs from any source. ORT can be configured with custom repository credentials. Trivy scans local images and filesystems regardless of where packages originated.