A GitHub Action for verifying Gradle Wrapper JAR files has been released to address a supply chain security risk. The gradle-wrapper.jar binary is checked into nearly 2.8 million GitHub repositories, making it an attractive target for attackers who could embed malicious code inside a seemingly legitimate wrapper update PR. The action validates all gradle-wrapper.jar files against official SHA-256 checksums and also detects homoglyph filename attacks (e.g., using a Cyrillic character to mimic the filename). It is free for open-source projects and has already been adopted by major projects like RxJava, Mockito, Ktor, and Apache Groovy.
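The two checks the action performs, as an added illustration rather than the action's own code: walk a repository, hash every file named exactly `gradle-wrapper.jar` and compare it against an allow-list of SHA-256 digests, and separately flag any filename that only looks like `gradle-wrapper.jar` once Unicode confusables are folded away. The digest table, the wrapper bytes, the confusables subset and the `demo()` layout below are all constructed for the example; a real deployment would load the digests from Gradle's published checksum list for each wrapper version and use the full Unicode confusables data.

```python
import hashlib
import tempfile
import unicodedata
from pathlib import Path

EXPECTED_NAME = "gradle-wrapper.jar"

# Constructed stand-in for an official wrapper JAR; its digest seeds the allow-list.
# In practice the allow-list is built from Gradle's published per-version checksums.
GOOD_WRAPPER_BYTES = b"constructed stand-in for an official gradle-wrapper.jar"
KNOWN_WRAPPER_SHA256 = {
    hashlib.sha256(GOOD_WRAPPER_BYTES).hexdigest(): "constructed-version",
}

# Small constructed subset of Unicode confusables: non-Latin code points that render
# like the Latin letters in "gradle-wrapper.jar". The full table is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u217c": "l",  # SMALL ROMAN NUMERAL FIFTY
}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large JARs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def skeleton(name):
    """Fold compatibility forms (NFKC) and known look-alikes down to plain Latin."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def is_homoglyph_of_expected(name):
    """True when the name is not the real wrapper filename but collapses to it."""
    return name != EXPECTED_NAME and skeleton(name) == EXPECTED_NAME


def scan(root, known=KNOWN_WRAPPER_SHA256):
    """Return (relative_path, status) for every wrapper JAR or look-alike under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name == EXPECTED_NAME:
            digest = sha256_of_file(path)
            status = "ok:" + known[digest] if digest in known else "unknown-checksum"
        elif is_homoglyph_of_expected(name):
            status = "homoglyph-filename"
        else:
            continue
        findings.append((path.relative_to(root).as_posix(), status))
    findings.sort()
    return findings


def demo():
    """Build a constructed repo layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        wrapper_dir = root / "gradle" / "wrapper"
        wrapper_dir.mkdir(parents=True)
        # 1. genuine wrapper (digest is in the allow-list)
        (wrapper_dir / EXPECTED_NAME).write_bytes(GOOD_WRAPPER_BYTES)
        # 2. look-alike name using a Cyrillic "a" in place of the Latin one
        (wrapper_dir / "gradle-wr\u0430pper.jar").write_bytes(b"constructed unexpected content")
        # 3. correctly named wrapper in a subproject whose bytes do not match any known digest
        sub_dir = root / "sub" / "gradle" / "wrapper"
        sub_dir.mkdir(parents=True)
        (sub_dir / EXPECTED_NAME).write_bytes(b"constructed modified wrapper")
        return scan(root)


if __name__ == "__main__":
    for rel_path, status in demo():
        print(f"{status:20s} {rel_path}")
```

Running the module prints one line per finding; in CI the equivalent check would fail the build on any `unknown-checksum` or `homoglyph-filename` result rather than just printing it. The NFKC step matters because fullwidth or compatibility characters normalize to ASCII without appearing in any confusables table, so both folds are needed.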