Quarkus has redefined Java development with its “Build-time First” philosophy, but this efficiency introduces unique complexities for security scanning. Standard Maven or Gradle dependency analysis often fails to capture the full picture of a Quarkus application’s footprint.

This session explores a comprehensive strategy for vulnerability management tailored to the Quarkus application lifecycle. We will start by dissecting the Quarkus dependency model, highlighting why traditional tools often miss transitive dependencies or build-time augmentations. Attendees will learn how to:

  • Perform pre-build analysis to stop vulnerabilities before a single JAR is downloaded.
  • Audit the application post-build using specialized scanning techniques.
  • Leverage SBOMs (Software Bills of Materials) to maintain visibility long after the application has reached production.