For Gradle-based projects in Java, Scala, or Kotlin, generating a gradle.lockfile pins every resolved dependency to an exact version and gives CybeDefend a stable set of coordinates to scan. SBT-based Scala projects can pin versions the same way with an sbt lockfile (build.sbt.lock).

Gradle Lockfiles

  1. Enable Gradle Locking
    Dependency locking is switched on in the build script, not in gradle.properties. Either of the following works:

    Option A: In your build.gradle (or build.gradle.kts), lock every configuration at once:

    dependencyLocking {
      lockAllConfigurations()
    }
    

    Option B: Activate locking per configuration through the resolution strategy:

    configurations.all {
      resolutionStrategy.activateDependencyLocking()
    }
    

    The Kotlin DSL (build.gradle.kts) accepts both blocks with the same syntax.

    Locking records versions only. If you also want Gradle to check artifact checksums and signatures, enable dependency verification separately: ./gradlew --write-verification-metadata sha256 help generates gradle/verification-metadata.xml, which Gradle then enforces on every resolution.
    
  2. Generate Lockfiles
    Resolve all configurations with the --write-locks flag:

    ./gradlew dependencies --write-locks
    

    For larger builds, Gradle's documentation shows a custom task (conventionally named resolveAndLockAll) that resolves every lockable configuration. It is not a built-in task, and it still needs the flag:

    ./gradlew resolveAndLockAll --write-locks
    

    With Gradle 7 and later this writes a single gradle.lockfile in the project directory (and buildscript-gradle.lockfile if buildscript classpath locking is enabled). Older Gradle versions wrote one file per configuration under gradle/dependency-locks.

  3. Commit
    Check in the lockfiles so that your whole team and CybeDefend see the same fixed dependency versions.
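Once a lockfile is committed, most of its security value comes from reviewing changes to it. The following added example (not CybeDefend's or Gradle's code) parses two constructed gradle.lockfile contents in the single-file format Gradle 7+ writes, reports which configurations the file leaves unlocked, and diffs the two, putting version downgrades in their own bucket because a dependency update that lowers a version is the kind of change a reviewer should question. The module coordinates and versions in the samples are constructed for illustration.

```python
"""Parse, audit and diff Gradle `gradle.lockfile` files.

Added example; not CybeDefend's or Gradle's code. OLD_LOCKFILE and
NEW_LOCKFILE are constructed samples in the single-file format that
Gradle 7+ writes (one `group:name:version=conf1,conf2` line per module).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# {configuration: {"group:name": version}}. A configuration that is locked
# but resolves to nothing appears in the file as `empty=conf1,conf2`; it is
# kept here as an empty dict so "locked and empty" differs from "not locked".
Lock = Dict[str, Dict[str, str]]

OLD_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.9=runtimeClasspath
empty=annotationProcessor
"""

# Constructed "after an upgrade PR" version: jackson bumped, commons-lang3
# quietly downgraded, slf4j dropped, logback added.
NEW_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
ch.qos.logback:logback-classic:1.4.14=runtimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.16.0=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.11.0=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""


def parse_lockfile(text: str) -> Lock:
    """Fail loudly on anything malformed: a hand-edited or truncated lockfile
    must not silently leave a module unpinned."""
    lock: Lock = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coords, sep, confs = line.partition("=")
        if not sep or not confs:
            raise ValueError(f"line {lineno}: expected 'coords=configurations', got {raw!r}")
        configurations = confs.split(",")
        if coords == "empty":
            for conf in configurations:
                lock.setdefault(conf, {})
            continue
        parts = coords.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: malformed coordinates {coords!r}")
        group, name, version = parts
        module = f"{group}:{name}"
        for conf in configurations:
            if module in lock[conf]:
                raise ValueError(f"line {lineno}: {module} pinned twice for {conf}")
            lock[conf][module] = version
    return dict(lock)


def unlocked_configurations(lock: Lock, required: Set[str]) -> Set[str]:
    """Configurations the build resolves but the lockfile never mentions."""
    return required - set(lock)


def _version_key(version: str) -> Tuple:
    # Numeric segments compare as ints, everything else as text; enough to
    # tell 3.12.0 from 3.11.0 without pulling in a Maven version parser.
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-]", version))


def diff_locks(old: Lock, new: Lock) -> Dict[str, List[str]]:
    """Per-configuration change lines, plus a 'downgraded' bucket listing
    every module whose pinned version went down."""
    report: Dict[str, List[str]] = defaultdict(list)
    for conf in sorted(set(old) | set(new)):
        before, after = old.get(conf, {}), new.get(conf, {})
        for module in sorted(set(before) | set(after)):
            was, now = before.get(module), after.get(module)
            if was == now:
                continue
            if was is None:
                report[conf].append(f"added {module}:{now}")
            elif now is None:
                report[conf].append(f"removed {module}:{was}")
            else:
                report[conf].append(f"changed {module} {was} -> {now}")
                if _version_key(now) < _version_key(was):
                    report["downgraded"].append(f"{conf}: {module} {was} -> {now}")
    return dict(report)


if __name__ == "__main__":
    old, new = parse_lockfile(OLD_LOCKFILE), parse_lockfile(NEW_LOCKFILE)
    print("unlocked:", unlocked_configurations(old, {"compileClasspath", "runtimeClasspath", "testRuntimeClasspath"}))
    for conf, lines in diff_locks(old, new).items():
        print(conf)
        for entry in lines:
            print("  " + entry)
```

In a CI job this would run against the committed lockfile and the one produced by a fresh ./gradlew dependencies --write-locks: any diff means the build was not actually reproducible from what is in the repository, and a non-empty "downgraded" bucket is worth a comment on the pull request. The parser rejects anything it does not understand rather than skipping it, since a lockfile line that fails to parse is a module Gradle may not be pinning.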

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile records the exact version that was resolved for every dependency and transitive dependency in your project. Note that Gradle's lockfile stores coordinates only; artifact checksums are kept in gradle/verification-metadata.xml when dependency verification is enabled, so use both if you need integrity checking as well as pinning.

  1. Supply Chain Protection
    A lockfile stops a dynamic or transitive version from silently resolving to a newer, possibly malicious, release; every upgrade becomes an explicit, reviewable diff in version control. It does not by itself detect a tampered artifact at the pinned version, which is what checksum verification is for.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With versions locked, the build tool no longer has to query repositories for dynamic versions or changing modules, so resolution is faster and more cache-friendly.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

SBT Lock for Scala

  1. Add the sbt-dependency-lock Plugin
    In your project/plugins.sbt, add:

    addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "1.5.1")
    
  2. Generate the Lockfile
    Run:

    sbt dependencyLockWrite
    

    This creates build.sbt.lock next to your build.sbt. The plugin's dependencyLockCheck task fails the build when the resolved dependencies no longer match the lockfile, which makes it a useful CI gate.

  3. Commit the Lockfile
    Add this file to your repository to maintain pinned Scala library versions.

Supported Files

  Lang     File Examples
  Java     gradle.lockfile, pom.xml, .jar, .war, .ear
  Scala    build.sbt, plugins.sbt, .sbt.lock, dependencies.scala, .scala
  Kotlin   gradle.lockfile, .kts files (Gradle Kotlin DSL)

Some older build tools or frameworks may require additional steps. The primary goal is to produce a stable lockfile or pinned version set for every module, including each submodule.

For multi-module Gradle projects, ./gradlew dependencies --write-locks only locks the root project. Run ./gradlew :module:dependencies --write-locks for each module (or wire a resolve-all task into every subproject) so that each module gets its own gradle.lockfile and no configuration is left unlocked.