Upload to Dependency-Track / TRUSCA
This guide covers how the scanner uploads a generated SBOM and how to target TRUSCA's native ingest endpoint.
After a scan, the SBOM is uploaded by default (--generate-only saves locally and skips the upload). Choose the destination with UPLOAD_TARGET.
- dependency-track (default): a regular Dependency-Track server. Authenticates with API_URL and API_KEY (sent as the X-Api-Key header) and auto-creates the project.
- trusca: TRUSCA's native ingest endpoint. It is not Dependency-Track compatible, so the authentication and the inputs differ.
To upload to TRUSCA, prepare three things.
- API_URL: the TRUSCA server URL
- API_KEY: a Bearer token issued by TRUSCA (starts with tos_, developer role)
- project_id: the target TRUSCA project id (UUID). It must already exist; there is no auto-create.
```bash
API_URL="https://<TRUSCA host>" API_KEY="tos_..." \
./scripts/scan-sbom.sh \
  --project "MyApp" --version "1.2.3" --all \
  --trusca "<project_id>"
```
--trusca <id> is shorthand for --upload-target trusca plus TRUSCA_PROJECT_ID=<id>. Adjust the ref and release labels with TRUSCA_REF (default: main) and TRUSCA_RELEASE (default: the --version value). On acceptance it prints the 202 status and the scan id; track progress in the TRUSCA UI or with GET /v1/scans/{id}.
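As an added example (not part of the scanner's own scripts), the following shell pre-flight check encodes the prerequisites above so a misconfigured run fails before scan-sbom.sh is invoked: for trusca it rejects an API_KEY without the tos_ prefix and a project id that is not a UUID (TRUSCA does not auto-create, so a bad id can only fail server-side); for dependency-track it only requires API_URL and API_KEY. The HTTPS requirement with a localhost exception is this example's own conservative rule, not a scanner requirement, since the API key or Bearer token travels in a header. The function names and the sample values are hypothetical; the second function simply resolves the TRUSCA_REF and TRUSCA_RELEASE defaults.

```shell
#!/usr/bin/env bash
# Pre-flight check for the upload prerequisites (example code, not the scanner's).
# Usage: preflight_upload <upload_target> <api_url> <api_key> [project_id]
# Returns 0 when the configuration is complete for that target, 1 otherwise,
# printing the first problem found to stderr.
preflight_upload() {
  local target="$1" api_url="$2" api_key="$3" project_id="${4:-}"

  if [ -z "$api_url" ]; then
    echo "API_URL is required" >&2; return 1
  fi
  # Assumption of this example: refuse to send credentials over plaintext HTTP,
  # except to a local development server.
  case "$api_url" in
    https://*) ;;
    http://localhost*|http://127.0.0.1*) ;;
    *) echo "API_URL must use https:// (got: $api_url)" >&2; return 1 ;;
  esac

  case "$target" in
    dependency-track)
      # X-Api-Key auth; the project is auto-created, so no project id is needed.
      if [ -z "$api_key" ]; then
        echo "API_KEY (X-Api-Key) is required for dependency-track" >&2; return 1
      fi
      ;;
    trusca)
      # Bearer token issued by TRUSCA: developer role, prefixed tos_.
      case "$api_key" in
        tos_?*) ;;
        *) echo "API_KEY must be a TRUSCA token starting with tos_" >&2; return 1 ;;
      esac
      # The project must already exist and is addressed by its UUID; no auto-create.
      if ! printf '%s' "$project_id" \
          | grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        echo "project_id must be the UUID of an existing TRUSCA project" >&2; return 1
      fi
      ;;
    *)
      echo "unknown UPLOAD_TARGET: $target (expected dependency-track or trusca)" >&2
      return 1 ;;
  esac
  return 0
}

# Resolve the labels a TRUSCA upload carries: TRUSCA_REF defaults to main and
# TRUSCA_RELEASE defaults to the --version value.
# Usage: trusca_labels <version> [ref] [release]
trusca_labels() {
  local version="$1" ref="${2:-main}" release="${3:-}"
  [ -n "$release" ] || release="$version"
  printf 'ref=%s release=%s\n' "$ref" "$release"
}

# Demo invocation on the process environment, gated so that sourcing this file
# has no side effects (hypothetical env flag RUN_PREFLIGHT_DEMO).
if [ "${RUN_PREFLIGHT_DEMO:-0}" = 1 ]; then
  preflight_upload "${UPLOAD_TARGET:-dependency-track}" "${API_URL:-}" \
    "${API_KEY:-}" "${TRUSCA_PROJECT_ID:-}" && echo "preflight ok"
fi
```

Source the file and run `preflight_upload trusca "$API_URL" "$API_KEY" "$TRUSCA_PROJECT_ID"` before the scan; a non-zero exit with the message on stderr tells you which of the three TRUSCA inputs is missing or malformed.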
TRUSCA ingest fills components, vulnerabilities, declared licenses, the dependency graph, and the build gate. It cannot fill scancode-detected licenses (--deep-license), the cosign signature (--sign), or source preservation, because the server has no source tree to work from. Generate those locally with --generate-only if you need them.