SCM integrations with Maven and Gradle
SCM integrations available for Maven and Gradle Projects
Maven projects
Snyk creates a Project per pom.xml file when it scans Maven applications. The Project includes all direct and indirect dependencies associated with that file.
The Project includes only the production dependencies in the compile, provided, and runtime scopes.
Gradle projects
After you select a Project for import, Snyk builds the dependency tree based on the build.gradle file and (optional) gradle.lockfile.
Improved scanning for Gradle Projects (including Groovy and Kotlin DSLs) is now in Early Access as explained on this page.
Only production dependencies in the api, compile, classpath, implementation, runtime and runtimeOnly configurations are included.
If possible, enable Gradle lockfiles in your application. When present, Snyk can more accurately resolve the final version of dependencies used in the Project.
For Gradle projects without lockfiles, Snyk recommends using the Snyk CLI for the most accurate results.
Improved Gradle SCM scanning
Release status
Improved Gradle SCM scanning is in Early Access. You can enable the feature by using Snyk Preview.
You can now obtain more accurate results for your Gradle Projects imported through Git integrations by using Improved Gradle SCM scanning.
Supported Gradle features
The following lists some of the main supported Gradle features:
Local and global variables, maps, and string interpolation
Custom files referenced using apply from
Gradle lockfiles
Gradle properties and system properties - gradle.properties
Multi-project builds, project names, project references
Maven BOMs as platform dependencies
Some Gradle features are not supported, and this may influence the scan results. These Gradle features include:
If you see unexpected results from this Early Access feature, contact Snyk support.
How to enable improved Gradle SCM scanning
Improved Gradle scanning supports importing a maximum of 5,000 build.gradle(.kts) files per Git repository. Attempts to import repos with more than 5,000 Gradle build files will fail.
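A pre-import check for the limit above and for the lockfile recommendation earlier on this page, as an added example that is not Snyk's code: it counts build.gradle(.kts) files in a local checkout and lists the Gradle project directories that have no gradle.lockfile. It assumes lockfiles sit in Gradle's default location (beside the build file) and that everything outside .git is part of the repository; audit_repo and its report keys are names made up for this example.

```python
import os
import sys
from pathlib import Path

BUILD_FILES = {"build.gradle", "build.gradle.kts"}
LOCKFILE = "gradle.lockfile"   # assumed at Gradle's default location, beside the build file
MAX_BUILD_FILES = 5000         # import limit per Git repository, as stated on this page
SKIP_DIRS = {".git"}           # assumption: the rest of the tree is what gets imported


def audit_repo(root, limit=MAX_BUILD_FILES):
    """Count Gradle build files under root and list project dirs without a lockfile."""
    build_files = 0
    unlocked = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place and fix the traversal order.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        found = BUILD_FILES.intersection(filenames)
        if not found:
            continue
        build_files += len(found)
        if LOCKFILE not in filenames:
            unlocked.append(Path(dirpath).relative_to(root).as_posix())
    return {
        "build_files": build_files,
        "within_limit": build_files <= limit,
        "unlocked": unlocked,
    }


if __name__ == "__main__":
    report = audit_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"Gradle build files: {report['build_files']} (limit {MAX_BUILD_FILES})")
    for project_dir in report["unlocked"]:
        print(f"no {LOCKFILE}: {project_dir}")
    # Non-zero exit when the import would exceed the limit, for use in CI.
    sys.exit(0 if report["within_limit"] else 1)
```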
To enable this feature, follow these steps for your Snyk Organization:
Configure package repository integrations (if you use Artifactory or Nexus, see below).
Enable Workspaces for SCM integrations.
Enable Improved Gradle scanning in Snyk Preview.
After Improved Gradle SCM scanning is enabled:
Previously imported Git repositories will have existing Gradle Groovy DSL Projects automatically updated on the next manual or recurring test.
Re-import the repository to start seeing results for Gradle Kotlin DSL Projects.
Configure language settings for Snyk for Java
Configure language settings for your open source and licensing at the Organization level. The configuration settings apply to all Projects in that Organization.
Open Snyk Web UI and go to Settings > Languages section.
Under Languages, go to Java and select Edit settings.
Configure the settings for Maven.
Update Settings to save changes.
Package repository integrations
If your application build uses private package repositories, you must configure the relevant Snyk integration to get the most accurate results.
To use package repository integrations with the Improved Gradle scanning Early Access feature, use the configuration instructions and settings for Maven.
These will be detected and used in improved Gradle scans.
In the Java language settings, you can integrate Snyk with your private package repositories (for example, Artifactory or Nexus).
This enables Snyk to build a complete dependency tree when scanning Maven or Gradle (Early Access) projects that reference private packages.
For more information, see Artifactory Registry for Maven in the Package repository integrations.