Gradle Scan - Security Assessment

Hi everyone, I work in a company where privacy is a major need and the Android Team (me) is trying to make a case to get an approval from our security team. It’d be super nice if someone could help me with some questions I have. References are very welcome as I’m not sure where to look for this type of information - note that I need some type of certified data by Gradle.

Here it is:

  1. When using Gradle scan, what type of information from our infrastructure is sent to the Gradle Servers? Like the machine that runs it, etc.
  2. Except for build details, is any other information from the project sent?
  3. Can any information sent to the Gradle Servers identify us? For example, could a GitHub origin from our .git files go by mistake?
  4. Is any console log sent?
  5. Can the generated string be “closed” to only one email?
  6. It is unclear what “delete” means: is it hard deleted or just not made accessible to the public anymore?

Thanks in advance.

Hi Marcello

Gradle Enterprise is installed on-premise. No build data leaves your network. You can see what is captured by Gradle Enterprise here: Gradle Enterprise Gradle Plugin User Manual | Gradle Enterprise Docs

You can get a nice overview of Gradle Enterprise in this technical video by our CEO:

Or go to https://tv.gradle.com and find all our video resources.

If you want to experience Gradle Enterprise hands-on, explore the instance of the Spring team:
https://ge.spring.io/scans

Kind regards, Etienne

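For the questions about which host details leave the machine and where they go, the practical control is the plugin configuration itself. The following settings.gradle.kts is an added example written for this thread, not code from either poster or from Gradle's documentation: it pins publishing to an on-premise Gradle Enterprise server and uses the plugin's obfuscation hooks so that the username, hostname and IP addresses recorded in a scan are replaced before upload. The server URL `https://ge.example.internal` and the plugin version are assumptions; substitute your own.

```kotlin
// settings.gradle.kts (added example; server URL and plugin version are assumed)
plugins {
    // Gradle Enterprise plugin; version is an assumption, use the one your instance supports
    id("com.gradle.enterprise") version "3.13"
}

gradleEnterprise {
    // Without a server, the plugin publishes to the public scans.gradle.com.
    // Pointing it at an on-premise instance keeps scan data inside your network.
    server = "https://ge.example.internal" // hypothetical on-prem host
    allowUntrustedServer = false            // refuse self-signed/untrusted TLS certificates

    buildScan {
        // Publish every build (alternatives: publishOnFailure(), or only when --scan is passed)
        publishAlways()

        // Replace identifying environment data before it is captured in the scan
        obfuscation {
            username { "redacted-user" }          // OS user running the build
            hostname { "redacted-host" }          // machine name
            ipAddresses { addresses -> addresses.map { "0.0.0.0" } } // one entry per interface
        }

        // Anything you add yourself is sent too, so do not put secrets or remotes here
        value("team", "android")
        tag("ci")
    }
}
```

Run `./gradlew build --scan` to publish a scan, or `./gradlew build --no-scan` to suppress publishing for a single invocation even when `publishAlways()` is configured. Note that the obfuscation hooks cover the environment fields above; data you add yourself through `value()` or `tag()` (for example a git remote URL, which the plugin does not collect unless you add it) is your responsibility to keep clean.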