Dependency-Track policy violation fails the CI upload gate
Your CI uploaded an SBOM (often generated by cdxgen) to Dependency-Track, and after analysis a policy condition (for example a banned license) was violated, so the CI gate that checks project status failed the build.
What this error means
The upload succeeds but the follow-up gate reports policy violations for the project, listing the component and the license (or vulnerability) that breached a policy, and exits non-zero.
Policy violations found for project my-app:
component: some-lib 1.4.0
violation: LICENSE - "GPL-3.0" is prohibited by policy
state: FAILCommon causes
A component license breaches a Dependency-Track policy
A policy condition of type License (or License Group) matches a component in the uploaded SBOM, producing a FAIL-level violation that your gate treats as a failure.
The gate reads project status too early
If the gate checks policy status before Dependency-Track finishes processing the BOM, it may act on incomplete or stale results.
How to fix it
Resolve or suppress the violation
- Open the project in Dependency-Track and review the policy violation.
- Remediate the component, or suppress the violation with a documented reason.
- Re-run the pipeline so the gate sees a clean policy state.
# generate SBOM then upload to Dependency-Track
cdxgen -o bom.json .
curl -X POST "$DT_URL/api/v1/bom" \
-H "X-Api-Key: $DT_API_KEY" \
-F "project=$DT_PROJECT" -F "bom=@bom.json"Wait for processing before gating
Poll the BOM token/processing endpoint until analysis completes, then check policy status so the gate acts on final results.
# poll until processing is false before checking violations
curl -H "X-Api-Key: $DT_API_KEY" \
"$DT_URL/api/v1/bom/token/$TOKEN"How to prevent it
- Keep Dependency-Track license policies aligned with legal requirements.
- Poll for processing completion before evaluating policy in CI.
- Track suppressions with reasons so exceptions stay auditable.