For Gradle-based projects in Java, Scala, or Kotlin, generating a gradle.lockfile ensures consistent dependencies that CybeDefend can accurately scan. SBT-based Scala projects can also pin versions in .sbt.lock or through a centralized version declaration.

Gradle Lockfiles

  1. Enable Gradle Locking
    In your gradle.properties, set:
      systemProp.gradle.useLocks=true
      systemProp.gradle.dependencyVerification=strict
  2. Generate
    Run ./gradlew dependencies or ./gradlew --write-locks to create gradle.lockfile.
  3. Commit
    Check in gradle.lockfile so that your entire team and CybeDefend see fixed dependency versions.

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Because every version is pinned, a newly published (possibly malicious) release of a dependency cannot enter your build unnoticed: any change shows up as a lockfile diff that can be reviewed. This is crucial as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.
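The following is an added example, not part of this page or of CybeDefend's tooling, showing what the "commit and review" step above gives you in practice: it parses the single-file gradle.lockfile format Gradle generates (one "group:name:version=configurations" line per module, "empty=" lines for configurations with no dependencies), rejects any entry whose version is not actually pinned, and summarises what a lockfile change in a pull request adds, removes, or re-versions. The two lockfiles are constructed samples; module names such as com.example:new-transitive are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a Gradle-generated gradle.lockfile (not from a real project).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:1.7.36=runtimeClasspath
empty=annotationProcessor
"""

# Constructed "after" state of the same lockfile, as it might appear in a pull request.
SAMPLE_LOCKFILE_UPDATED = """\
# This is a Gradle generated file for dependency locking.
com.fasterxml.jackson.core:jackson-databind:2.15.3=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:1.7.36=runtimeClasspath
com.example:new-transitive:1.0.0=runtimeClasspath
empty=annotationProcessor
"""

LOCK_LINE = re.compile(r"^(?P<group>[^:=]+):(?P<name>[^:=]+):(?P<version>[^=]+)=(?P<confs>.*)$")
# Version notations Gradle accepts in build scripts but that must never appear in a lockfile:
# dynamic versions ('1.+', 'latest.release') or ranges ('[1.0,2.0)') would defeat pinning.
DYNAMIC_VERSION = re.compile(r"(\+|^latest\.|^[\[\(]|[\]\)]$)")


def parse_lockfile(text: str) -> Dict[Tuple[str, str], Tuple[str, Set[str]]]:
    """Map (group, name) -> (version, configurations) for one gradle.lockfile.

    Raises ValueError on a malformed line, a duplicate module, or a non-pinned version.
    """
    locked: Dict[Tuple[str, str], Tuple[str, Set[str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or Gradle's header comment
        if line.startswith("empty="):
            continue  # configurations that resolved to no dependencies
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a lock entry: {line!r}")
        version = m.group("version")
        if DYNAMIC_VERSION.search(version):
            raise ValueError(f"line {lineno}: version {version!r} is not pinned")
        key = (m.group("group"), m.group("name"))
        if key in locked:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        confs = {c for c in m.group("confs").split(",") if c}
        locked[key] = (version, confs)
    return locked


def diff_lockfiles(old: str, new: str) -> Dict[str, List[str]]:
    """Summarise what a lockfile change does: added, removed and re-versioned modules."""
    before, after = parse_lockfile(old), parse_lockfile(new)
    added = sorted(f"{g}:{n}:{after[(g, n)][0]}" for (g, n) in after.keys() - before.keys())
    removed = sorted(f"{g}:{n}:{before[(g, n)][0]}" for (g, n) in before.keys() - after.keys())
    changed = sorted(
        f"{g}:{n} {before[(g, n)][0]} -> {after[(g, n)][0]}"
        for (g, n) in before.keys() & after.keys()
        if before[(g, n)][0] != after[(g, n)][0]
    )
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    # Print the review summary for the constructed pull request above.
    for section, entries in diff_lockfiles(SAMPLE_LOCKFILE, SAMPLE_LOCKFILE_UPDATED).items():
        print(f"{section}: {entries}")
```

Run against the two files of a real pull request (for example the base and head revisions of gradle.lockfile from your version control system), the "added" and "changed" lists are exactly the set of modules a reviewer should look at before merging; a non-empty "added" list of transitive modules nobody asked for is the pattern that the supply chain argument above is about.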

SBT Lock for Scala

  • sbt-lock plugin can generate .sbt.lock.
  • Commit that lockfile to maintain pinned Scala library versions.

Supported Files

  Lang     File Examples
  Java     gradle.lockfile, pom.xml, .jar, .war, .ear
  Scala    build.sbt, plugins.sbt, .sbt.lock, dependencies.scala, .scala
  Kotlin   gradle.lockfile, .kts files (Gradle Kotlin DSL)

Some older build tools or frameworks may require additional steps. The primary goal is to produce a stable lock or pinned version set for each submodule.