SCM integrations with Maven and Gradle

SCM integrations available for Maven and Gradle Projects

Maven projects

Snyk creates a Project per pom.xml file when it scans Maven applications. The Project includes all direct and indirect dependencies associated with that file.

The Project includes only the production dependencies in the compile, provided, and runtime scopes.

Gradle projects

After you select a Project for import, Snyk builds the dependency tree from the build.gradle file and, if present, the gradle.lockfile.

Improved scanning for Gradle Projects (including Groovy and Kotlin DSLs) is now in Early Access as explained on this page.

Only production dependencies in the api, compile, classpath, implementation, runtime and runtimeOnly configurations are included.

If possible, enable Gradle lockfiles in your application. When present, Snyk can more accurately resolve the final version of dependencies used in the Project.

For Gradle projects without lockfiles, Snyk recommends using the Snyk CLI for the most accurate results.
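An added example, not taken from the Snyk documentation: a build.gradle (Groovy DSL) with Gradle dependency locking enabled, so that Gradle writes the gradle.lockfile that the SCM scan described above can use to pin exact versions. The artifact coordinates are sample values chosen for illustration; the comments map each configuration to the production set listed above.

```groovy
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Lock every configuration. Gradle then records the resolved version of each
// dependency in gradle.lockfile next to this build file. With that file in
// the repository, the SCM scan uses the pinned versions instead of having to
// re-resolve dynamic versions such as the '+' ranges below.
dependencyLocking {
    lockAllConfigurations()
}

dependencies {
    // Production configurations: included in the scanned dependency tree.
    // Dynamic versions are exactly the case a lockfile makes reproducible.
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.+' // sample coordinate
    runtimeOnly    'org.postgresql:postgresql:42.+'                     // sample coordinate

    // Test-only configuration: outside the production set, so not included.
    testImplementation 'junit:junit:4.13.2'                              // sample coordinate
}
```

Generate or refresh the lockfile with `./gradlew dependencies --write-locks` and commit gradle.lockfile alongside build.gradle so it is present when the repository is imported.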

Improved Gradle SCM scanning

Release status

Improved Gradle SCM scanning is in Early Access. You can enable the feature by using Snyk Preview.

You can now obtain more accurate results for your Gradle Projects imported through Git integrations by using Improved Gradle SCM scanning.

Supported Gradle features

The following lists some of the main supported Gradle features:

Some Gradle features are not supported, and this may influence the scan results. These Gradle features include:

  • Custom configuration in buildSrc directories

  • Dependencies introduced via plugins

If you see unexpected results from this Early Access feature, contact Snyk support.

How to enable improved Gradle SCM scanning

Improved Gradle scanning supports a maximum of 5,000 build.gradle(.kts) files per Git repository. Attempts to import repositories with more than 5,000 Gradle build files will fail.

To enable this feature, follow these steps for your Snyk Organization:

  1. Configure package repository integrations (if you use Artifactory or Nexus, see below).

  2. Enable Improved Gradle scanning in Snyk Preview.

After Improved Gradle SCM scanning is enabled:

  • Previously imported Git repositories will have existing Gradle Groovy DSL Projects automatically updated on the next manual or recurring test.

  • Re-import the repository to start seeing results for Gradle Kotlin DSL Projects.

Configure language settings for Snyk for Java

Configure language settings for open source and license scanning at the Organization level. These settings apply to all Projects in that Organization.

  1. Open the Snyk Web UI and go to Settings > Languages.

  2. Under Languages, go to Java and select Edit settings.

  3. Configure the settings for Maven.

  4. Select Update Settings to save your changes.

Package repository integrations

If your application build uses private package repositories, you must configure the relevant Snyk integration to get the most accurate results.

To use package repository integrations with the Improved Gradle scanning Early Access feature, follow the configuration instructions and settings for Maven; improved Gradle scans detect and use the same integrations.

In the Java language settings, you can integrate Snyk with your private package repositories (for example, Artifactory or Nexus).

This enables Snyk to build a complete dependency tree when scanning Maven or Gradle (Early Access) projects that reference private packages.

For more information, see Artifactory Registry for Maven in the Package repository integrations documentation.
