Gradle plugin

The Contrast Gradle plugin is used to integrate the Contrast.jar with your build. It's capable of authenticating to Contrast, downloading the latest Java agent and verifying your build.


Gradle is a build tool that utilizes build.gradle files to configure your applications. It's used to build, package, and test various types of applications.

Clone a sample web application

The easiest way to set up a project is to clone our sample Gradle-based web application. This application has been migrated from Maven to Gradle and relies on MongoDB.

  1. Install and set up the database path.

    git clone
    brew install mongodb
    sudo mkdir -p /data/db
    brew services start mongodb
  2. An application is ready to run. Open the Contrast-Sample-Gradle-Application/build.gradle file. Scroll to find the contrastConfiguration extension. You can find all of the values in your personal keys except appName and serverName.

    contrastConfiguration {
        username = "username"
        apiKey = "apiKey"
        serviceKey = "serviceKey"
        apiUrl = "apiUrl"
        orgUuid = "orgUuid"
        appName = "editLATER"
        serverName = "editLATER"
  3. Install the Contrast JAR file by calling the contrastInstall task. This installs the Contrast JAR in the project's build directory.

    cd path/to/Contrast-Sample-Gradle-Application
    gradle build -x test contrastInstall
  4. Run the application with the Java agent. The server starts.

    cd path/to/Contrast-Sample-Gradle-Application/build
    java -Dcontrast.server=mytestserver -jar libs/Contrast-Sample-Gradle-Application-0.0.1-SNAPSHOT.jar
  5. Check that the application is running at localhost:8080 and that the application shows up in Contrast.

  6. In Contrast, verify that the application with the appname specified in the command above shows up.

  7. In the Contrast-Sample-Gradle-Application project's build.gradle, edit the contrastConfiguration to specify the appName and serverName specified as options with the Java agent in the previous step.

    contrastConfiguration {
        username = "alreadySetup"
        apiKey = "alreadySetup"
        serviceKey = "alreadySetup"
        apiUrl = "alreadySetup"
        orgUuid = "alreadySetup"
        appName = "mytestapp"
        serverName = "mytestserver"
  8. Run the verification task at any time to check for vulnerabilities.

    gradle build contrastVerify -x test

Configure the plugin

Use these paramaters for the Gradle plugin to connect to Contrast and filter vulnerabilities. You can find many of them in your personal keys.



Contrast username

Username/email for your user in Contrast

Contrast service key

Service Key

Contrast API key


Contrast API URL

API URL to Contrast

Contrast organization UUID

Organization UUID

Application name

Name of application you set with -Djava.standalone_app_name

This is used to filter for your application.

Minimum severity level

Minimum severity level to filter for (Note, Low, Medium, High, Critical)

This property is inclusive.

Server name

Name of server you set with -Dcontrast.server

Use if you are a hosted customer.

JAR path

Local path to the jar file if you don't want to download the agent again


Even if your build succeeds, the plugin will fail the overall build if a vulnerability is found at or above the severity level set in the configuration.

Here is a sample configuration for the Contrast Gradle plugin.

buildscript {
  repositories {
    maven {
      url ""
  dependencies {
    classpath ""

apply plugin: "com.contrastsecurity.contrastplugin"
contrastConfiguration {
    username = "test_user"
    apiKey = "testApiKey"
    serviceKey = "testServiceKey"
    apiUrl = ""
    orgUuid = "QWER-ASDF-ZXCV-ERTY"
    appName = "Test Application"
    serverName = "jenkins.slave1"
    minSeverity = "Medium"

Use the plugin

The plugin code can be viewed in our GitHub repository. Here you can review the two tasks added by the plugin, contrastInstall and contrastVerify, and how they work.

The latest version of the plugin can be found on the Gradle plugin webpage.




Installs a Contrast Java agent to your local project. The plugin edits the org.gradle.jvmargs property in the file to launch the JVM with the Contrast agent. An application version, by which the vulnerabilities are filtered in the contrastVerify task, is generated during this task. The plugin generates the application version in the following order:

  • If your build is running in TravisCI, Contrast uses appName-$TRAVIS_BUILD_NUMBER.

  • If your build is running in CircleCI, Contrast uses appName-$CIRCLE_BUILD_NUM.

  • If your build is running in neither TravisCI nor CircleCI, Contrast generates one in the format appName-yyyyMMddHHmm.


Checks for new vulnerabilities in your web application.