Gradle setup instructions (for Java, Kotlin, and Scala)

gradle.lockfile

Committing a gradle.lockfile to your source control is the easiest way to use Socket with Gradle. If you haven't already, enable lockfiles in gradle via:

dependencyLocking.lockAllConfigurations()

Then run:

./gradlew dependencies --write-locks

and commit the generated gradle.lockfile to source control. No extra setup is required!

CycloneDX

If you are unable to enable gradle.lockfiles, then you can use the open source CycloneDX Gradle plugin to generate and commit an SBOM which Socket will scan.

You can run socket cdxgen --help for details.

To setup a single CycloneDX file that can be checked in you can run:

socket cdxgen -t gradle -o socket-gradle.cdx.json --install-deps --lifecycle build

Alternatively the CLI has made it easier to generate manifest files using your local Gradle setup.

You can use socket manifest gradle --help to get more information on how to run Gradle more directly. This will work for Gradle, Kotlin, and Scala projects that use Gradle (not sbt, see Scala setup instructions for working with Scala's sbt files).

After generating the manifest files you can use socket scan create to create a report.