Android and JVM developers face two major supply chain risks: dependency drift and vulnerability exposure. This guide walks through a four-step approach using GitHub and Gradle to address both. Step 1 enables GitHub's Dependency Graph and Automatic Dependency Submission to give GitHub a complete view of resolved dependencies including transitives. Step 2 uses Dependabot Alerts to continuously monitor those dependencies against known CVEs. Step 3 lets Dependabot Security Updates automatically open PRs to fix vulnerable direct dependencies. Step 4 uses Gradle Build Scans to investigate complex cases where Dependabot can't suggest fixes, such as transitive vulnerabilities or complex resolution scenarios involving constraints and substitutions. For organizations managing multiple repositories, Develocity's Dependencies dashboard enables org-wide vulnerability queries across CI and local builds, with historical data and cryptographically signed build provenance via Provenance Governor.
Table of contents

Introduction
Why dependency monitoring is harder than it looks
Step 1: Turn on GitHub's Dependency Graph
Step 2: Monitor your dependencies for vulnerabilities
Step 3: Let Dependabot help with the easy fixes
Step 4: Use Build Scan data to understand why a vulnerable version was chosen
Scale this beyond a single repository with Develocity
Conclusion
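As an added illustration of Steps 1 to 3 (not configuration taken from the guide itself), these are the two GitHub files a Gradle repository typically needs: a workflow that submits the fully resolved dependency graph, transitives included, through the gradle/actions/dependency-submission action (the explicit alternative to the Automatic Dependency Submission toggle), and a dependabot.yml that schedules Gradle update PRs. The branch name, Java version, build file location and weekly schedule are assumptions.

```yaml
# .github/workflows/dependency-submission.yml  (added example, not the guide's own file)
name: Dependency submission
on:
  push:
    branches: [ main ]        # assumed default branch
permissions:
  contents: write             # needed to write to the repository's Dependency Graph
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17    # assumed toolchain version
      # Resolves every configuration and submits the graph, so Dependabot Alerts
      # (Step 2) see transitive dependencies, not only those declared directly.
      - uses: gradle/actions/dependency-submission@v4

---
# .github/dependabot.yml  (added example, not the guide's own file)
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"            # assumed location of build.gradle(.kts)
    schedule:
      interval: "weekly"
```

Dependabot Security Updates (Step 3) are switched on in the repository's security settings and work from the submitted graph and alerts without a dependabot.yml; the file above adds scheduled version updates on top of that.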