The author identifies "security build drift" as the problem of security configuration becoming inconsistent across Maven projects: every project looks automated, but no two are configured the same way. To address it they created "secure-maven-extension", which integrates security workflows into the Maven lifecycle itself rather than relying on disparate pipeline scripts. This core extension, loaded via `.mvn/extensions.xml`, injects security conventions during the afterProjectsRead stage, giving tools such as JaCoCo, SonarQube, Dependency-Check, and CycloneDX a consistent configuration across projects.

The extension supports several configuration sources, prioritising consistency over forcing a single style, and ensures that the same security behaviour applies locally and in CI/CD. It automates tasks such as coverage configuration and SonarQube metadata setup, so the build itself becomes security-aware instead of the pipeline merely calling scanners around it. For multi-module projects, the extension handles SBOM generation and dependency analysis and aligns them with the shape of the application. This simplifies CI/CD pipelines, which become primarily execution layers, while the Maven build enforces the security practices. Pre-commit hooks and tools such as Gitleaks catch secret leaks before a commit is made. In this layered model security is applied during the build, which improves the reliability and consistency of application security practices.
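To make the afterProjectsRead mechanism concrete, here is an added example of a minimal Maven core extension that injects one convention, a JaCoCo agent execution, into every code module once all POMs are read. It is not code from secure-maven-extension; the package, class name, `@Named` id and the pinned JaCoCo version are hypothetical, and the class is assumed to be registered through `.mvn/extensions.xml` like any core extension.

```java
package example.secure;

import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.maven.AbstractMavenLifecycleParticipant;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.PluginExecution;
import org.apache.maven.project.MavenProject;

// Hypothetical core extension: registered in .mvn/extensions.xml, it runs once after all
// module POMs are read and injects the same JaCoCo convention into every code module.
@Named("security-conventions")
@Singleton
public class SecurityConventionsParticipant extends AbstractMavenLifecycleParticipant {

    @Override
    public void afterProjectsRead(MavenSession session) {
        for (MavenProject project : session.getProjects()) {
            // Aggregator/parent POMs have no code to cover; skip them.
            if ("pom".equals(project.getPackaging())) {
                continue;
            }
            ensureJacoco(project);
        }
    }

    // Adds the JaCoCo agent execution unless the module already declares the plugin,
    // so an explicit per-module choice wins and the extension only fills the gap.
    private void ensureJacoco(MavenProject project) {
        for (Plugin declared : project.getBuild().getPlugins()) {
            if ("org.jacoco".equals(declared.getGroupId())
                    && "jacoco-maven-plugin".equals(declared.getArtifactId())) {
                return;
            }
        }
        Plugin jacoco = new Plugin();
        jacoco.setGroupId("org.jacoco");
        jacoco.setArtifactId("jacoco-maven-plugin");
        jacoco.setVersion("0.8.12"); // hypothetical pinned version; pin it centrally
        PluginExecution agent = new PluginExecution();
        agent.setId("prepare-agent");
        agent.addGoal("prepare-agent"); // attaches the agent before the test phase runs
        jacoco.addExecution(agent);
        project.getBuild().addPlugin(jacoco);
    }
}
```

Because the injection happens in the build's own lifecycle, `mvn verify` on a developer machine and in CI produces the same coverage configuration without any pipeline script having to know about JaCoCo.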
dev.to