Type: Documentation Improvement
What needs to be documented or improved?
Build security documentation should include Gradle Wrapper verification steps to prevent supply-chain attacks
Current State
README.md (lines 77-82) provides basic build commands but doesn't mention verifying the wrapper's SHA or GPG signatures
Suggested Improvement
Add section:
Security - Gradle Wrapper Verification
Before building, verify the Gradle wrapper's integrity:
# SHA-256 of gradlew should match tracked version
sha256sum gradlew
# Compare against committed hash in .github
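As an added example (not part of the issue text or the project's own scripts), the check below goes one step further than hashing `gradlew`: the component that actually downloads and runs Gradle is `gradle/wrapper/gradle-wrapper.jar`, and Gradle publishes a SHA-256 for every released wrapper jar at `https://services.gradle.org/distributions/gradle-<version>-wrapper.jar.sha256`. The script reads the pinned version from `gradle/wrapper/gradle-wrapper.properties`, builds that URL, and compares the committed jar against the published digest. It assumes the standard wrapper layout under `gradle/wrapper/` and that `curl` and `sha256sum` are available; the network step is isolated in `verify_wrapper` so the helpers can be exercised offline on constructed input.

```shell
#!/bin/sh
# Added example: verify the committed Gradle wrapper jar against the SHA-256
# that Gradle publishes for the pinned version. Assumes the standard layout
# gradle/wrapper/gradle-wrapper.{jar,properties}.
set -u

# Extract the Gradle version (e.g. "8.5") from gradle-wrapper.properties.
# The properties format escapes the colon in the URL:
#   distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
wrapper_version() {
  grep '^distributionUrl=' "$1" \
    | sed -e 's/\\//g' \
          -e 's#.*/gradle-##' \
          -e 's#-bin\.zip$##' \
          -e 's#-all\.zip$##'
}

# Official checksum location for the wrapper jar of a given Gradle version.
wrapper_checksum_url() {
  printf 'https://services.gradle.org/distributions/gradle-%s-wrapper.jar.sha256\n' "$1"
}

# Compare a file's SHA-256 with an expected hex digest; returns 0 on match.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Full check against the live Gradle service.
# $1 = repository root (defaults to the current directory).
# Returns 0 on match, 1 on mismatch, 2 if the version or digest cannot be read.
verify_wrapper() {
  root=${1:-.}
  props="$root/gradle/wrapper/gradle-wrapper.properties"
  jar="$root/gradle/wrapper/gradle-wrapper.jar"
  version=$(wrapper_version "$props")
  [ -n "$version" ] || { echo "cannot read Gradle version from $props" >&2; return 2; }
  expected=$(curl -fsSL "$(wrapper_checksum_url "$version")") || return 2
  if verify_sha256 "$jar" "$expected"; then
    echo "OK: gradle-wrapper.jar matches Gradle $version"
  else
    echo "FAIL: gradle-wrapper.jar does not match the published digest for Gradle $version" >&2
    return 1
  fi
}

# Offline demonstration on constructed input (no real repository, no network):
demo_dir=$(mktemp -d)
printf 'distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip\n' \
  > "$demo_dir/gradle-wrapper.properties"
echo "pinned version : $(wrapper_version "$demo_dir/gradle-wrapper.properties")"
echo "checksum URL   : $(wrapper_checksum_url "$(wrapper_version "$demo_dir/gradle-wrapper.properties")")"
printf 'hello\n' > "$demo_dir/stand-in.jar"   # constructed stand-in for the jar
if verify_sha256 "$demo_dir/stand-in.jar" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
  echo "stand-in digest matches expected value"
fi
rm -rf "$demo_dir"
```

Run `verify_wrapper` from a checkout to perform the real check; a non-zero exit makes it usable as a CI gate, which is the same property Gradle's published wrapper-validation action provides without a hand-written script.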