Verifying Gradle Wrappers with GitHub Actions
We are proud to announce the release of the new Gradle Wrapper Validation GitHub Action.
Gradle Wrapper in Open Source
Searching across GitHub you can find many pull requests (PRs) with helpful titles like ‘Update to Gradle xxx’. Many of these PRs are contributed by individuals outside of the organization maintaining the project.
Maintainers are grateful for these kinds of contributions as it takes an item off of their backlog.
But accepting changes to the Gradle Wrapper binary from external contributors has security implications that may not be apparent.
An attacker could take advantage of the trust the open source community has by hiding malicious code inside the Gradle Wrapper. gradle-wrapper.jar could download, install and execute arbitrary code while otherwise behaving like a completely normal
Such an attack could be easily missed, as the diff to the gradle-wrapper.jar looks like this.
Verifying the Gradle Wrapper
We have created a simple GitHub Action that can be applied to any GitHub repository.
This action will verify that any and all gradle-wrapper.jar files in the repository match an official SHA-256 checksum. If any file does not match, the action will fail.
Additionally, the action will detect any homoglyph variants of a file named
The goal is to prevent difficult-to-spot homoglyph attacks, like renaming the gradle-wrapper.jar file to gradlе-wrapper.jar (which uses a Cyrillic е instead of
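The two checks described above, as an added example that is not the action's own code: a Python checker that walks a repository, flags lookalike wrapper filenames, and compares every real gradle-wrapper.jar against a SHA-256 allowlist. The allowlist, the jar bytes and the temporary repository are constructed stand-ins; the real action compares against Gradle's published checksums.

```python
import hashlib
import os
import tempfile
import unicodedata

# Cyrillic letters that look like Latin ones (a constructed subset for this
# example; a real checker would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})
WRAPPER_NAME = "gradle-wrapper.jar"

def normalize_name(name):
    # Fold lookalike characters so a homoglyph filename collides with the real one.
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_wrappers(root, trusted_sha256):
    # Return (kind, path) findings for every wrapper-like file under root.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if normalize_name(name) != WRAPPER_NAME:
                continue
            path = os.path.join(dirpath, name)
            if name != WRAPPER_NAME:
                findings.append(("homoglyph", path))  # lookalike or case variant
            elif sha256_file(path) not in trusted_sha256:
                findings.append(("checksum-mismatch", path))  # not an allowlisted jar
    return findings

def demo():
    # Constructed repo with a good, a tampered and a homoglyph-named wrapper.
    good = b"PK\x03\x04 constructed stand-in for an official wrapper jar"
    tampered = b"PK\x03\x04 constructed stand-in for a modified wrapper jar"
    trusted = {hashlib.sha256(good).hexdigest()}  # stand-in for Gradle's published list
    samples = {"ok/" + WRAPPER_NAME: good, "bad/" + WRAPPER_NAME: tampered,
               "fake/gradl\u0435-wrapper.jar": good}  # Cyrillic е in the name
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return sorted(kind for kind, _ in verify_wrappers(root, trusted))
```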
Securing Your Project
GitHub Actions are free to use for open source and are automatically enabled by default on almost all repositories. You can find out more about how to add this action to your GitHub repository here.
This action has already been contributed to some of the most popular Gradle based projects on GitHub including but not limited to:
And many more!
If this GitHub action fails because a gradle-wrapper.jar doesn’t match one of our published SHA-256 checksums, we highly recommend that you reach out to us at firstname.lastname@example.org.
If you’re curious and want to explore what the differences are between the gradle-wrapper.jar in your possession and one of our valid releases, you can compare them using this online utility: DiffScope.
To learn more about verifying the Gradle Wrapper JAR locally (i.e. without using GitHub Actions), see our documentation on the topic.