Making Maven Builds Security-Aware: AppSec Checks Without CI/CD Drift
java
dev.to
The problem was never that Maven projects could not run security tools. They could. A pipeline can run tests, Dependency-Check, CycloneDX, and SonarQube with a few commands. A pom.xml can hold plugin blocks. A team can copy a working configuration from one service to another and call it a standard. For a while, that works. Then the small differences start showing up. One service has JaCoCo but does not pass the XML report to SonarQube. Another produces Dependency-Check output only as HTML.
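The two drift cases in the paragraph above (a JaCoCo report that SonarQube never reads, and a Dependency-Check report that only exists as HTML) are both fixed at the same place: a parent `pom.xml` that pins each plugin once under `pluginManagement` and wires the report paths together. The fragment below is an added example written for this article, not code from the original post, and the `X.Y.Z` version values are placeholders to be replaced with the versions your organisation pins. Plugin coordinates, goals and the `sonar.coverage.jacoco.xmlReportPaths` property are the ones documented by the respective projects.

```xml
<!-- Parent POM fragment (added example, not from the original article).
     Child services inherit this; they add nothing security-related to their own pom.xml. -->
<project>
  <properties>
    <!-- Placeholder versions: pin real ones in one place so services cannot drift. -->
    <jacoco.version>X.Y.Z</jacoco.version>
    <dependency-check.version>X.Y.Z</dependency-check.version>
    <cyclonedx.version>X.Y.Z</cyclonedx.version>
    <sonar.version>X.Y.Z</sonar.version>

    <!-- Drift case 1 fixed here: point Sonar at the XML that the JaCoCo report goal
         writes by default (target/site/jacoco/jacoco.xml). Without this property
         JaCoCo runs but Sonar shows no coverage. -->
    <sonar.coverage.jacoco.xmlReportPaths>
      ${project.build.directory}/site/jacoco/jacoco.xml
    </sonar.coverage.jacoco.xmlReportPaths>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.jacoco</groupId>
          <artifactId>jacoco-maven-plugin</artifactId>
          <version>${jacoco.version}</version>
          <executions>
            <!-- Attach the agent before tests, write the report after them. -->
            <execution>
              <id>prepare-agent</id>
              <goals><goal>prepare-agent</goal></goals>
            </execution>
            <execution>
              <id>report</id>
              <phase>verify</phase>
              <goals><goal>report</goal></goals>
            </execution>
          </executions>
        </plugin>

        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- Drift case 2 fixed here: ALL emits HTML for humans plus XML/JSON/SARIF
                 that a pipeline or SonarQube can ingest, instead of HTML alone. -->
            <format>ALL</format>
            <!-- Fail the build on findings at or above this CVSS score (assumed threshold). -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
          </configuration>
          <executions>
            <execution>
              <goals><goal>check</goal></goals>
            </execution>
          </executions>
        </plugin>

        <plugin>
          <groupId>org.cyclonedx</groupId>
          <artifactId>cyclonedx-maven-plugin</artifactId>
          <version>${cyclonedx.version}</version>
          <configuration>
            <!-- Emit both JSON and XML SBOMs so consumers are not tied to one format. -->
            <outputFormat>all</outputFormat>
          </configuration>
          <executions>
            <execution>
              <phase>package</phase>
              <goals><goal>makeAggregateBom</goal></goals>
            </execution>
          </executions>
        </plugin>

        <plugin>
          <groupId>org.sonarsource.scanner.maven</groupId>
          <artifactId>sonar-maven-plugin</artifactId>
          <version>${sonar.version}</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

With this in the parent, the pipeline for every service reduces to the same invocation, for example `mvn verify org.owasp:dependency-check-maven:check sonar:sonar`, and a service can only lose its coverage or dependency reports by deliberately overriding the inherited configuration, which is visible in a code review rather than hidden in a per-repository pipeline file.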