Introducing Scala and Kotlin Support in Socket

Socket now supports Scala and Kotlin, bringing AI-powered threat detection to JVM projects with easy manifest generation and fast, accurate scans.

Peter van der Zee

Eli Insua

July 28, 2025

We’re excited to announce that Socket now supports Scala and Kotlin in beta, building on our Java support and extending our coverage to more JVM-based ecosystems. This release enables teams working with modern JVM languages to leverage Socket’s powerful supply chain security and AI-powered threat detection.

With this expansion, developers using Scala or Kotlin can now benefit from the same proactive protection and deep package inspection that thousands of organizations already rely on to secure their software supply chain.

Securing Modern JVM Languages#

Scala and Kotlin are increasingly popular in enterprise and Android development:

  • Scala powers large-scale distributed systems and data pipelines, thanks to its functional programming capabilities and interoperability with Java.
  • Kotlin, now the preferred language for Android development, is known for its concise syntax, null safety, and modern tooling.

As with any thriving open source ecosystem, the dependencies these languages pull in are under constant attack. The growing number of third-party libraries on Maven Central and other registries is a ripe target for supply chain attacks. Attackers exploit that trust with malicious packages, typosquatted names, hidden telemetry, protestware, and zero-day attacks that no CVE database has caught up with yet.

Socket’s mission is to detect and prevent these threats before they can compromise your applications. Our deep package inspection goes beyond traditional CVE-based scanning, analyzing actual code behavior to block malicious code before it lands in your code base.

The Growing Threat to JVM Ecosystems#

Over the past year, we’ve seen a rise in supply chain attacks targeting Maven packages, which are widely used across Java, Scala, and Kotlin projects. With so many mission-critical applications depending on these ecosystems, attackers see them as valuable entry points into enterprise infrastructure.

Recent examples include the discovery of a Maven package designed to exfiltrate OAuth credentials and a backdoor hidden in a malicious package impersonating the XZ for Java library.

Traditional Software Composition Analysis (SCA) tools, which rely solely on known CVEs, often miss these kinds of zero-day threats. Socket takes a different approach by inspecting packages for risky behaviors and malicious indicators in real time, including unexpected network calls, obfuscated code, and unsafe file system operations. With Socket, teams working with Scala or Kotlin can stop these threats before they reach production.

How to Get Started#

Note: Scala and Kotlin projects require using the Socket CLI only if you need to generate manifests (e.g., from sbt or Gradle builds without lockfiles). If your project already has a committed gradle.lockfile, you can skip manifest generation entirely and Socket will analyze the lockfile directly.

For Scala (sbt) Projects

  1. Use the socket manifest scala command from your project root. This will invoke sbt to generate pom.xml files for your dependencies.
  2. Once generated, run socket scan create in the same directory to upload the manifest for analysis.
  3. For advanced setups, you can specify input/output folders, sbt binary locations, or pass custom sbt options. See socket manifest scala --help for details.

Check out the documentation for Scala setup instructions.

For Kotlin (Gradle) Projects

Kotlin projects typically build with Gradle, so you can follow the general Gradle instructions:

  • Preferred method: Use CycloneDX to generate a Software Bill of Materials (SBOM):
socket cdxgen -t gradle -o socket-gradle.cdx.json --install-deps --lifecycle build
  • Alternatively, run socket manifest gradle to use your local Gradle setup.
  • After generating the manifest, create a report with:
socket scan create

Gradle Lockfile Option

If your Kotlin or Scala project already builds with Gradle, enabling dependency locking is the simplest approach. Add the following to your build script (build.gradle.kts or build.gradle):

dependencyLocking.lockAllConfigurations()

Then run:

./gradlew dependencies --write-locks

Commit the generated gradle.lockfile to source control (in a multi-project build, each subproject gets its own), and Socket will automatically analyze it. Re-run the command with --write-locks whenever you change dependencies; with locking enabled, Gradle fails the build if the resolved dependency graph no longer matches the lockfile, so the file Socket scans is exactly what your build uses.
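It helps to know what the committed lockfile actually contains, since that is the input Socket analyzes. The following is an added example written for this post, not Socket's code: a small parser for the gradle.lockfile format that `./gradlew dependencies --write-locks` produces (one `group:artifact:version=configuration,configuration` line per resolved dependency, plus an `empty=...` line for locked configurations that resolved to nothing). It also answers two questions a practitioner tends to ask before trusting a lockfile: which expected configurations are not locked at all, and which dependencies reach the runtime classpath without ever being a compile-time dependency. The sample lockfile and its coordinates are constructed for illustration.

```python
"""Parse a Gradle lockfile (gradle.lockfile) and sanity-check what it locks."""
from dataclasses import dataclass, field

# Constructed sample in the format `./gradlew dependencies --write-locks` writes;
# the coordinates are illustrative and not taken from any real project.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.squareup.okhttp3:okhttp:4.12.0=runtimeClasspath
org.jetbrains.kotlin:kotlin-stdlib:1.9.22=compileClasspath,runtimeClasspath
org.jetbrains:annotations:13.0=compileClasspath,runtimeClasspath
empty=annotationProcessor,testAnnotationProcessor
"""


@dataclass
class LockedDeps:
    # "group:artifact:version" -> configurations in which it was resolved
    coords: dict = field(default_factory=dict)
    # configurations that are locked but resolved to no dependencies
    empty: set = field(default_factory=set)

    def configurations(self) -> set:
        """Every configuration the lockfile covers, empty ones included."""
        locked = set(self.empty)
        for confs in self.coords.values():
            locked |= confs
        return locked


def parse_lockfile(text: str) -> LockedDeps:
    """Parse lockfile text; raises ValueError on a line that is not in lockfile syntax."""
    result = LockedDeps()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected '<coordinate>=<configs>', got {raw!r}")
        lhs, rhs = line.split("=", 1)
        confs = {c.strip() for c in rhs.split(",") if c.strip()}
        if lhs == "empty":
            result.empty |= confs
            continue
        parts = lhs.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: malformed coordinate {lhs!r}")
        result.coords.setdefault(lhs, set()).update(confs)
    return result


def missing_configurations(locked: LockedDeps, required: set) -> set:
    """Configurations you expect to be locked that the lockfile does not mention at all
    (a sign that lockAllConfigurations() was not applied or --write-locks was not re-run)."""
    return set(required) - locked.configurations()


def runtime_only(locked: LockedDeps) -> list:
    """Dependencies on the runtime classpath that are not compile-time dependencies:
    they never appear in your source, but they still ship with the app and still get scanned."""
    return sorted(coord for coord, confs in locked.coords.items()
                  if "runtimeClasspath" in confs and "compileClasspath" not in confs)


if __name__ == "__main__":
    deps = parse_lockfile(SAMPLE_LOCKFILE)
    print("locked configurations:", sorted(deps.configurations()))
    print("runtime-only dependencies:", runtime_only(deps))
    expected = {"compileClasspath", "runtimeClasspath", "testRuntimeClasspath"}
    print("expected but unlocked:", sorted(missing_configurations(deps, expected)))
```

Run it against a real gradle.lockfile by replacing SAMPLE_LOCKFILE with the file's contents. An empty result from missing_configurations for the configurations you care about means the lockfile covers them; anything it reports is a configuration whose dependencies are resolved at build time without being pinned, and therefore also not what gets scanned.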

Enterprise-Ready Security for JVM Ecosystems#

This release continues our mission to enable developers to secure their open source dependencies while still shipping fast. By supporting Java, Scala, and Kotlin, Socket now covers the entire JVM ecosystem with:

  • Proactive zero-day supply chain attack detection
  • Deep package inspection for risky or malicious behaviors
  • Fast, accurate scanning built for modern JVM projects
  • Reachability analysis to prioritize real, exploitable risks
  • Comprehensive license detection and policy enforcement

Whether you’re building a complex data pipeline in Scala, an Android app in Kotlin, or an enterprise monolith in Java, Socket brings the same level of protection to all your dependencies.

Get Started Today#

Install Socket’s free GitHub App and scan your JVM-based projects in just a few clicks. If you’re using Scala or Kotlin, follow the setup instructions above, and you’ll be ready to detect supply chain threats in minutes.
