Stop Copy-Pasting Security YAML: A Gradle Build Layer for Java AppSec
java
dev.to
The hard part of Java AppSec is usually not finding another scanner. Most teams already have the scanners. They have SonarQube for code analysis. They have OWASP Dependency-Check for dependency risk. They have CycloneDX for SBOM generation. They have JaCoCo or Kover for coverage. They have GitLab CI, GitHub Actions, Jenkins, or something similar to run all of it. And still, the workflow drifts. One repository writes Dependency-Check reports to one path. Another produces only HTML. One pipeli
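The drift described above (one repository writing Dependency-Check output to one path, another producing only HTML) is a build-configuration problem, so it can be pinned down once in the root build rather than in each module's pipeline YAML. The following root `build.gradle` is an added example, not code from the post or its author; it uses the real `org.owasp.dependencycheck` Gradle plugin and its `formats`, `outputDirectory`, `failBuildOnCVSS` and `scanConfigurations` settings, while the plugin version, report directory and CVSS threshold are assumptions to adjust for your build.

```groovy
// Root build.gradle (added example, not the article's own code).
// Declares the OWASP Dependency-Check plugin once and applies one fixed
// configuration to every subproject, so every module emits the same report
// formats to the same predictable location.
plugins {
    // Placeholder: pin to the plugin version your build actually uses.
    id 'org.owasp.dependencycheck' version 'X.Y.Z' apply false
}

subprojects {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // Machine-readable (JSON, SARIF) and human-readable (HTML) output
        // from every module, so CI never has to guess which one exists.
        formats = ['HTML', 'JSON', 'SARIF']

        // One root-level report tree, keyed by module name (assumed layout),
        // so a pipeline can collect build/reports/dependency-check/** once.
        outputDirectory = "${rootProject.buildDir}/reports/dependency-check/${project.name}"

        // Fail the build on any finding at or above this CVSS score
        // (7.0 is an assumed policy threshold, not a value from the post).
        failBuildOnCVSS = 7.0

        // Scan only what ships at runtime; test-scoped dependencies are
        // deliberately excluded from the gate (assumed policy).
        scanConfigurations = ['runtimeClasspath']
    }
}
```

With this in place the CI job for every module is reduced to `./gradlew dependencyCheckAnalyze` plus one artifact glob on the shared report directory; the per-repository path and format choices that cause the drift no longer live in YAML at all.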