Skip to content
Latchkey

Dependency-Track policy violation fails the CI upload gate

Your CI uploaded an SBOM (often generated by cdxgen) to Dependency-Track, and after analysis a policy condition (for example a banned license) was violated, so the CI gate that checks project status failed the build.

What this error means

The upload succeeds but the follow-up gate reports policy violations for the project, listing the component and the license (or vulnerability) that breached a policy, and exits non-zero.

Terminal
Policy violations found for project my-app:
  component: some-lib 1.4.0
  violation: LICENSE - "GPL-3.0" is prohibited by policy
  state: FAIL

Common causes

A component license breaches a Dependency-Track policy

A policy condition of type License (or License Group) matches a component in the uploaded SBOM, producing a FAIL-level violation that your gate treats as a failure.

The gate reads project status too early

If the gate checks policy status before Dependency-Track finishes processing the BOM, it may act on incomplete or stale results.

How to fix it

Resolve or suppress the violation

  1. Open the project in Dependency-Track and review the policy violation.
  2. Remediate the component, or suppress the violation with a documented reason.
  3. Re-run the pipeline so the gate sees a clean policy state.
Terminal
# generate SBOM then upload to Dependency-Track
cdxgen -o bom.json .
curl -X POST "$DT_URL/api/v1/bom" \
  -H "X-Api-Key: $DT_API_KEY" \
  -F "project=$DT_PROJECT" -F "bom=@bom.json"

Wait for processing before gating

Poll the BOM token/processing endpoint until analysis completes, then check policy status so the gate acts on final results.

Terminal
# poll until processing is false before checking violations
curl -H "X-Api-Key: $DT_API_KEY" \
  "$DT_URL/api/v1/bom/token/$TOKEN"

How to prevent it

  • Keep Dependency-Track license policies aligned with legal requirements.
  • Poll for processing completion before evaluating policy in CI.
  • Track suppressions with reasons so exceptions stay auditable.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →