| `BOM_UPLOAD` | **mandatory** | Required to publish SBOM files to the Dependency Track server |
| `PROJECT_CREATION_UPLOAD` | **optional** | This is required if you want to automatically create the project while uploading the SBOM files when the project does not exist (**but the parent project must exist**) |
| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` | **optional** | Required if you want to display found vulnerabilities or compute a risk score after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case, as it gives read access to all projects |
| `VIEW_PORTFOLIO` and `PORTFOLIO_MANAGEMENT` | **optional** | Required if you want to automatically create one or several project ancestors prior to uploading the SBOM files.<br/>Granting those permissions is not recommended in the general case as they virtually give administration rights to the API Key owner |
| `VULNERABILITY_ANALYSIS` | **optional** | Required if you want to upload (a) VEX file(s) |
> :bulb: this default configuration handles the Dependency Track constraint that each project name has to be unique
> across the whole server.
#### Uploading VEX information
Vulnerability Exploitability eXchange (VEX) is used to provide additional information about vulnerabilities found in your project.
For example, they can be used to indicate that a vulnerability does not affect the project or that it has been mitigated.
This information can be stored in a file, called a VEX file.
This file should be stored in your Git repository along with your code.
Using a VEX file is optional, but it is highly recommended, as it provides additional context about the vulnerabilities found in the SBOM files.
This matters especially if you use Dependency Track to keep track of vulnerabilities in multiple versions of the same project:
without a VEX file, you would have to update the VEX information manually in Dependency Track for each project version.
To enable VEX upload, set the `upload-vex` input / `$DEPTRACK_UPLOAD_VEX` variable to `true` (see [configuration chapter](#configuration)).
Since a single repository can have multiple SBOM files, the template will look for VEX files using the `{file_prefix}` of the SBOM file and append `.vex.json` to it to find the corresponding VEX file.
For example, if the SBOM file is named `docker-sbom.cyclonedx.json`, the template will look for a VEX file named `docker-sbom.vex.json`. The VEX file needs to be stored in the same directory as the SBOM file.
VEX files need to be in the [CycloneDX format](https://cyclonedx.org).
You can either create the VEX file manually or export it from Dependency Track through the UI.
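The following script is an added example, not part of the template or of Dependency Track. It mirrors the lookup convention described above (`{file_prefix}.cyclonedx.json` next to `{file_prefix}.vex.json` in the same directory) and performs a minimal sanity check of a VEX file before it is uploaded: the document must declare `bomFormat: CycloneDX` and every entry of `vulnerabilities` must carry an `analysis.state` from the CycloneDX vulnerability schema. The file names, vulnerability id and directory layout in `build_sample_tree` are constructed for the demonstration and are not values from the template.

```python
import json
import os
import tempfile

# analysis.state values defined by the CycloneDX vulnerability schema (1.4+)
VALID_STATES = {
    "resolved", "resolved_with_pedigree", "exploitable",
    "in_triage", "false_positive", "not_affected",
}
SBOM_SUFFIX = ".cyclonedx.json"
VEX_SUFFIX = ".vex.json"


def vex_path_for_sbom(sbom_path: str) -> str:
    """Map <dir>/<prefix>.cyclonedx.json to <dir>/<prefix>.vex.json (same directory)."""
    directory, name = os.path.split(sbom_path)
    if not name.endswith(SBOM_SUFFIX):
        raise ValueError(f"not a CycloneDX SBOM file name: {name}")
    prefix = name[: -len(SBOM_SUFFIX)]
    return os.path.join(directory, prefix + VEX_SUFFIX)


def find_vex_files(sbom_paths):
    """Return {sbom_path: vex_path or None}, looking next to each SBOM as the template does."""
    result = {}
    for sbom in sbom_paths:
        vex = vex_path_for_sbom(sbom)
        result[sbom] = vex if os.path.exists(vex) else None
    return result


def check_vex_doc(doc: dict) -> list:
    """Return a list of problems; an empty list means the VEX document looks uploadable."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    vulns = doc.get("vulnerabilities")
    if not isinstance(vulns, list) or not vulns:
        problems.append("no vulnerabilities array")
        return problems
    for v in vulns:
        state = v.get("analysis", {}).get("state")
        if state not in VALID_STATES:
            problems.append(f"{v.get('id', '?')}: invalid analysis state {state!r}")
    return problems


def check_vex_file(vex_path: str) -> list:
    """Load a VEX file from disk and run check_vex_doc on it."""
    with open(vex_path, encoding="utf-8") as fh:
        return check_vex_doc(json.load(fh))


def build_sample_tree(root: str = None) -> tuple:
    """Create a constructed sample layout: one SBOM with a VEX beside it, one without.

    Returns (sbom_with_vex, sbom_without_vex). Hypothetical names, not from the template.
    """
    root = root or tempfile.mkdtemp(prefix="vex-demo-")
    sbom_dir = os.path.join(root, "reports")
    os.makedirs(sbom_dir, exist_ok=True)
    sbom_with_vex = os.path.join(sbom_dir, "docker-sbom" + SBOM_SUFFIX)
    sbom_without_vex = os.path.join(sbom_dir, "app-sbom" + SBOM_SUFFIX)
    minimal_sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}
    for path in (sbom_with_vex, sbom_without_vex):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(minimal_sbom, fh)
    # constructed VEX statement: the sample vulnerability id is a placeholder, not a real CVE
    vex_doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "vulnerabilities": [{
            "id": "EXAMPLE-0001",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "vulnerable function is never called by this service",
            },
        }],
    }
    with open(vex_path_for_sbom(sbom_with_vex), "w", encoding="utf-8") as fh:
        json.dump(vex_doc, fh)
    return sbom_with_vex, sbom_without_vex


if __name__ == "__main__":
    with_vex, without_vex = build_sample_tree()
    for sbom, vex in find_vex_files([with_vex, without_vex]).items():
        status = "missing" if vex is None else (check_vex_file(vex) or "ok")
        print(f"{os.path.basename(sbom)} -> {status}")
```

Running it as a pre-upload step in a job would let the pipeline fail early on a VEX file that Dependency Track would reject, instead of discovering the problem after the SBOM has already been analysed without its exploitability context.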
> [!tip] merging SBOMs
> In case SBOM files are merged, you need to specify the merged VEX file location using the `merged-vex-file` input / `$DEPTRACK_MERGED_VEX_FILE` variable.
> The template will then upload the VEX file to the same project as the merged SBOM file.
#### Other use cases
The default template behavior can be changed by overriding the `project-path` input / `$DEPTRACK_PROJECT_PATH` variable.
@@ -169,7 +190,7 @@ Examples:
The Dependency Track template uses the following configuration.
| Input / Variable | Description | Default value |