node -v:npm -v:snyk -v:Want to be able to import github repository containing build.gradle.kts files so that it does security checks as part of PR checks
get import error:
build.gradle.kts filesI know that it's supported via the CLI tool, but it feels like a half-baked solution compared to using build.gradle files
If applicable, please append the --debug flag on your command and include the output here **ensuring to remove any sensitive/personal details or tokens.
Not clear to me why it would care what script format you're using, wouldn't it make more sense to check for ./gradlew instead, and just have gradle spit out a dependency graph for you?
Hi @martintreurnicht! We do have this on our radar and would love to support it on SCM too, it is not as trivial at it may seem as CLI and Github are so wildly different.
On the CLI we have a configured environment, we have access to the build tool and can lean on it heavily. But on Github we are left to analyse the files as text. build.gradle and build.gradle.kts are very similar yet very different in syntax, so this would require reworking our entire current solution for build.sbt to also support build.gradle.kts
I will check internally when this is feature is planned :)
@lili2311 I see, thanks for the feedback. This would be huge for us, it would be great to get a better idea of what the timeline for this is.
On an unrelated note, scanning the build script for dependencies seems like a risky business though, some gradle projects can get quite complex, for instance we have a bunch of dependencies that are being applied dynamically from our buildSrc using plugins. How does it resolve those? It seems that the only sensible way to do it would be for gradle to generate the graph, otherwise you'd basically have to reimplement gradle's dependency graph logic, which seems super unreliable because it changes all the time
Hey, we use this a lot in our workplace where synk enterprise is used. Would be amazing to have this support.
Hi @lili2311 , I was wondering, if this is something we can see soon? gradle-kotlin-dsl is becoming more and more popular at my work, and we are really missing synk github pull request checks.
Most helpful comment
Hey, we use this a lot in our workplace where synk enterprise is used. Would be amazing to have this support.