We’re thrilled to announce that Socket now officially supports the Java programming language in General Availability (GA). This is a huge step for us, bringing powerful security features to two of the most widely-used languages in enterprise development.
With this release, Java teams can now leverage Socket’s comprehensive security tools to protect their software supply chain from the rising threat of attacks. Whether you’re building large-scale Java enterprise applications, maintaining a legacy Java monolith, or shipping an Android app, Socket has your back.
Why Java Matters
Java is a core language for enterprises worldwide, with millions of applications running in critical environments, including at Fortune 100 companies. However, like all open-source ecosystems, Java packages are vulnerable to supply chain attacks. We see attacks including zero-day software supply chain attacks, backdoors, malicious packages, typosquat attacks, protestware, unwanted behavior, obfuscated code, telemetry, and many other emerging threats.
Over the past year, supply chain attacks targeting Java repositories have been on the rise. Attackers recognize the lucrative opportunity to infiltrate organizations through Java dependencies. That’s why we’ve worked tirelessly to ensure that Socket provides best-in-class protection for teams building with Java.
At Socket, we believe in proactively preventing supply chain attacks before they cause damage. With the addition of Java support, we’re extending this level of protection to even more organizations and teams.
With our new Java support, Socket extends its supply chain security protection to an even broader set of enterprise developers and teams. Whether you’re using Maven or Gradle, we’ve designed our solution to fit seamlessly into your development process.
Support for Maven and Gradle
Socket offers robust support for the most popular ways to manage Java dependencies, including:
- Maven: Full support for pom.xml files and Super POMs, ensuring comprehensive coverage for Maven Central dependencies.
- Gradle: Gradle is fully supported. Use the open source CycloneDX Gradle plugin to generate an SBOM, which Socket will scan.
This means you can immediately begin protecting your projects that rely on Maven or Gradle with Socket’s deep package inspection, real-time monitoring, and proactive protection.
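A minimal Gradle build that applies the CycloneDX plugin mentioned above and limits the SBOM to the runtime classpath, as an added example (not Socket's or the plugin project's own code). The plugin version and the sample dependency are assumptions; pin the current plugin release in your own build.

```groovy
// build.gradle (Groovy DSL). Added example, not taken from the original post.
// The plugin version below is an assumed placeholder; use the latest release.
plugins {
    id 'java'
    id 'org.cyclonedx.bom' version '1.8.2'   // assumed version
}

repositories {
    mavenCentral()
}

dependencies {
    // Constructed sample dependency so the generated SBOM is not empty.
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.0'
}

// Configure the CycloneDX task so the SBOM reflects what actually ships:
// only the runtime classpath, not compile-only or test dependencies.
cyclonedxBom {
    includeConfigs = ['runtimeClasspath']
    skipConfigs = ['compileClasspath', 'testCompileClasspath', 'testRuntimeClasspath']
    projectType = 'application'
    schemaVersion = '1.4'
    destination = file('build/reports')
    outputName = 'bom'
    outputFormat = 'json'
    includeBomSerialNumber = false   // keep output stable across repeated builds
}
```

Running `./gradlew cyclonedxBom` writes `build/reports/bom.json`; that file is the SBOM to hand to Socket for scanning.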
We're proud to share that Socket has been running in production at the largest single sign-on (SSO) and cloud-based identity and access management platform for several months now.
Socket successfully scanned their massive Java monorepo on the very first try – without any custom integration work required. According to their team, legacy SCA providers like Snyk are still unable to handle their massive monorepo after over a year of working to resolve issues with their engineering team.
This is a testament to the superior scanning architecture we’ve developed at Socket. We preemptively scan every open-source package, so by the time a customer triggers a scan, Socket has already analyzed nearly every package in their dependency tree, and anything that we haven't scanned yet (which is rare) can be completed in just a few short seconds. This means scan times are super fast, even as we certify millions of lines of open-source code on every developer commit!
Now enterprise-ready, still developer loved
A year ago, we launched Socket as a developer-friendly GitHub App to protect JavaScript applications from software supply chain attacks. Since then, thousands of organizations—including OpenAI, Anthropic, Figma, ScaleAI, Vercel, Brave, Drata, Replit, and Metamask—have adopted Socket to safeguard their codebases.
Yet even as we grew to support the workflows needed by the enterprise, we've kept Socket extremely easy to use. One of the most-loved features of Socket is its quick, easy installation. Our most popular installation method – Socket for GitHub – can be installed in just two clicks. Most of our customers tell us that it's the simplest security platform they've ever used.
Thousands of developers use the free socket.dev package search tool – you can use the search bar at the top of every page on our site! – to quickly evaluate the security and health of any Maven package. When you start your package search on socket.dev, you’ll get proactive information if you’re about to use a malicious or risky package.
Software supply chain security is about more than just vulnerabilities
Most vulnerability scanning tools merely check if any of your packages have reported vulnerabilities in public CVE databases—a method that’s often noisy and riddled with false positives. Not to mention, this approach is incapable of detecting and preventing a zero-day software supply chain attack.
Socket takes an entirely new approach. We use deep package inspection to peel back the layers of a dependency and characterize its actual behavior. This allows us to detect and block likely supply chain attacks before they strike, mitigating the worst consequences.
Socket isn’t just about preventing future security risks; we also offer Organization-Wide Visibility, giving you visibility into the open-source security issues present in your repositories today. This enables you to remediate existing issues and ensure that all your open-source dependencies are as secure as possible.
With Socket, you don’t have to worry about alert fatigue or sifting through piles of meaningless notifications. By default, Socket only alerts you to the most critical security issues—supply chain attacks, known malware, typosquats, and other severe threats.
This means you can focus on what matters most—building great software—while Socket takes care of the security side of things. This is why dozens of Fortune 500 companies have migrated from legacy Software Composition Analysis (SCA) providers to next-generation SCA with Socket.
The Socket Roadmap – More support for everything!
At Socket, we’re committed to making open-source software safe for everyone. That’s why we’re constantly expanding our capabilities and adding support for new ecosystems. With today’s release of Java support, we’re taking another significant step toward that goal.
Install Socket today!
If you’re ready to try Socket with Java support, you can install our GitHub App and start protecting your applications today. In just two clicks, Socket will start scanning your Maven repos with pom.xml manifest files. For Gradle support, we recommend chatting with someone on our team to get started quickly. If you’d like to see a demo or have any questions, don’t hesitate to schedule a demo with a technical expert on our team.
Notes
* Java is a registered trademark of Oracle and/or its affiliates.