Git repositories with Maven and Gradle

Configure language settings for Snyk for Java

Configure language settings for your open source and licensing at the Organization level. The configuration settings apply to all Projects in that Organization.

  1. Open the Snyk Web UI and go to the Settings > Languages section.

  2. Under Languages, go to Java and select Edit settings.

  3. Configure the settings for Maven.

  4. Update Settings to save changes.

Git services available for Maven and Gradle Projects

Maven Projects

Snyk creates a Project per pom.xml file when it scans Maven applications. The Project includes all direct and indirect dependencies associated with that file.

ℹ️ The Project includes only the production dependencies in the compile, provided, and runtime scopes.

Gradle Projects

After you select a Project for import, Snyk builds the dependency tree based on the build.gradle file and (optional) gradle.lockfile.

ℹ️ Only production dependencies in the api, compile, classpath, implementation, runtime and runtimeOnly configurations are included. If a lockfile is present, Snyk uses the lockfile to more accurately resolve the final version of dependencies used in the Project.

Gradle.lockfile

Gradle lockfiles do not contain transitive hierarchy information, so in some cases Snyk may place a package at the wrong position in the dependency graph. However, no packages should be missing.

Gradle lockfiles are an opt-in feature that, among other benefits, enables reproducible builds. For more information, see the Gradle docs on dependency locking.

⚠️ Kotlin: build.gradle.kts files are not currently supported in Git.
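To show why a lockfile pins versions but cannot supply the hierarchy, here is an added example (not Snyk's code and not part of the original page) that parses a constructed gradle.lockfile. The sample coordinates, and the rule that configurations whose names start with test are test-only, are assumptions made for illustration.

```python
# Constructed sample in the layout Gradle writes to gradle.lockfile.
SAMPLE = """\
# This is a Gradle generated file for dependency locking.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-core:2.15.2=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-annotations:2.15.2=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.7=runtimeClasspath
junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
empty=annotationProcessor
"""


def parse_lockfile(text):
    """Return one dict per locked module: group, name, version, configurations."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coordinate, sep, configs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'coordinate=configurations'")
        if coordinate == "empty":  # configurations that resolved to nothing
            continue
        parts = coordinate.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: bad coordinate {coordinate!r}")
        entries.append({
            "group": parts[0], "name": parts[1], "version": parts[2],
            "configurations": {c for c in configs.split(",") if c},
        })
    return entries


def production_entries(entries):
    """Keep modules locked for at least one non-test configuration.

    Assumption: configurations whose name starts with 'test' are test-only.
    """
    return [e for e in entries
            if any(not c.startswith("test") for c in e["configurations"])]


if __name__ == "__main__":
    for e in production_entries(parse_lockfile(SAMPLE)):
        # Each record is a pinned version plus configuration names. Nothing
        # says which module requested which, so jackson-core looks like a
        # sibling of jackson-databind rather than its child.
        print(f'{e["group"]}:{e["name"]}:{e["version"]}', sorted(e["configurations"]))
```

Every record carries the same four fields and no parent reference, which is why a tool reading only the lockfile has to take the dependency edges from somewhere else.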

  • Using Maven, or Gradle with a gradle.lockfile:

    The Git code repository integration is a great way to use Snyk and get visibility. You may also decide to use the CLI/IDE or CI/CD integrations to test, gate, and monitor, or do both.

  • Using Gradle without a gradle.lockfile:

    The full dependency tree may not be apparent, or artifacts may be pulled in from external resources, so the CLI/IDE workflow (for local scans) and CI/CD are the recommended approach for analysis. Otherwise you may not have a complete view of issues and dependencies.

Git settings for Java

From the Snyk UI, you can specify mirrors or repositories from which you’d like to resolve packages in Artifactory for Maven. For more information, see Artifactory Registry for Maven.
