
serj/JCapsLock

JCapsLock

JitPack

A Java implementation of Google's Capslock capability analysis tool. JCapsLock analyzes your project's dependencies to identify what privileged operations they can perform - file I/O, network access, code execution, native calls, and more.

This helps you understand the security implications of your dependency tree before a supply chain attack happens, not after.

Quick Start

# Analyze your project's capabilities
mvn capslock:analyze

# Check current capabilities against the committed snapshot (fails on any mismatch)
mvn capslock:check

Features

  • Bytecode analysis - Works with any Maven package, no source code required
  • Maven integration - Runs as part of your build, not a separate CLI
  • Dependency awareness - Distinguishes between direct, transitive, and optional dependencies
  • Capability locking - Snapshot your baseline and get alerted when dependencies gain new capabilities
  • Runtime agent (Experimental) - Monitor and block capabilities at runtime with policy enforcement. See agent/README.md

How It Differs from Go Capslock

| Aspect | Go Capslock | JCapsLock |
| --- | --- | --- |
| Analysis level | Source code | Bytecode |
| Build integration | Standalone CLI | Maven plugin |
| Call graph | VTA | CHA (configurable) |
| Dependency scopes | N/A | Direct, transitive, optional, test |

Installation

JCapsLock is available via JitPack. Maven Central availability planned for 1.0 release (early 2026).

Add the JitPack repository and plugin to your pom.xml:

<pluginRepositories>
    <pluginRepository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </pluginRepository>
</pluginRepositories>

<build>
    <plugins>
        <plugin>
            <groupId>com.github.serj</groupId>
            <artifactId>capslock-maven-plugin</artifactId>
            <version>COMMIT_HASH</version>
        </plugin>
    </plugins>
</build>

Replace COMMIT_HASH with the latest version shown on the JitPack badge above. Pin a full commit hash or a tag rather than a branch name, so the plugin your build runs cannot change underneath you.

Then run:

mvn capslock:analyze

Documentation

Capability Snapshot Workflow

Track capability changes across dependency updates:

# 1. Create initial snapshot (commit to git)
mvn capslock:snapshot

# 2. After dependency updates, check for new capabilities
mvn capslock:check

# 3. Review changes and update snapshot if acceptable
mvn capslock:snapshot
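To make the two ideas above concrete, the bytecode analysis from the Features section and the snapshot-then-check gate from this workflow, here is an added Python illustration. It is not JCapsLock's code and uses a far cruder technique than JCapsLock's CHA call graph: it only walks a class file's constant pool and flags references to capability-bearing JDK methods, then applies a check-style gate that fails only when a capability is gained. The capability taxonomy, the com/example/Parser class and both "releases" are constructed for the demo; the block builds its own class files, so it runs offline.

```python
import struct

# (owner class in JVM internal form, method name or None for any, capability label).
# Illustrative taxonomy assumed for this example, not JCapsLock's own.
CAPABILITY_RULES = [
    ("java/nio/file/Files", None, "FILES"),
    ("java/net/Socket", None, "NETWORK"),
    ("java/lang/Runtime", "exec", "EXEC"),
    ("java/lang/ProcessBuilder", "start", "EXEC"),
    ("java/lang/reflect/Method", "invoke", "REFLECT"),
    ("java/lang/System", "loadLibrary", "NATIVE"),
]

def parse_constant_pool(data):
    """Parse the constant pool (JVMS 4.4); returns (entries, offset of access_flags)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]  # constant_pool_count follows the version
    entries, pos, i = [None] * count, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8 (modified UTF-8; lenient decoding is enough for names)
            n = struct.unpack_from(">H", data, pos)[0]
            entries[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in (3, 4):  # Integer, Float
            entries[i], pos = (tag, data[pos:pos + 4]), pos + 4
        elif tag in (5, 6):  # Long, Double: 8 bytes and two pool slots
            entries[i], pos = (tag, data[pos:pos + 8]), pos + 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package
            entries[i], pos = (tag, struct.unpack_from(">H", data, pos)), pos + 2
        elif tag in (9, 10, 11, 12, 17, 18):  # *ref, NameAndType, Dynamic, InvokeDynamic
            entries[i], pos = (tag, struct.unpack_from(">HH", data, pos)), pos + 4
        elif tag == 15:  # MethodHandle: reference_kind u1, reference_index u2
            entries[i], pos = (tag, struct.unpack_from(">BH", data, pos)), pos + 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        i += 1
    return entries, pos

def referenced_methods(data):
    """Yield (owner, name, descriptor) for every Methodref and InterfaceMethodref."""
    cp, _ = parse_constant_pool(data)
    for entry in cp:
        if entry is not None and entry[0] in (10, 11):
            class_idx, nat_idx = entry[1]
            name_idx, desc_idx = cp[nat_idx][1]
            yield cp[cp[class_idx][1][0]][1], cp[name_idx][1], cp[desc_idx][1]

def capabilities(data):
    """Capability labels implied by a class's outgoing method references."""
    return {label for owner, name, _ in referenced_methods(data)
            for rule_owner, rule_name, label in CAPABILITY_RULES
            if owner == rule_owner and rule_name in (None, name)}

def check_against_snapshot(snapshot, current):
    """Gate in the spirit of capslock:check: fail only when capabilities are gained."""
    gained, dropped = current - snapshot, snapshot - current
    return {"ok": not gained, "gained": sorted(gained), "dropped": sorted(dropped)}

def build_class(this_name, method_refs):
    """Encode a minimal member-less class whose pool references the given methods.
    Constructed demo input, not bytecode taken from any real library."""
    pool = []  # entry k of the class file's pool is pool[k - 1]

    def utf8(s):
        b = s.encode("utf-8")
        pool.append(b"\x01" + struct.pack(">H", len(b)) + b)
        return len(pool)

    def klass(name):
        pool.append(b"\x07" + struct.pack(">H", utf8(name)))
        return len(pool)

    this_idx, super_idx = klass(this_name), klass("java/lang/Object")
    for owner, name, desc in method_refs:
        owner_idx = klass(owner)
        pool.append(b"\x0c" + struct.pack(">HH", utf8(name), utf8(desc)))  # NameAndType
        pool.append(b"\x0a" + struct.pack(">HH", owner_idx, len(pool)))     # Methodref
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    trailer = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(pool) + trailer

# Constructed stand-ins for two successive releases of one dependency.
RELEASE_1 = build_class("com/example/Parser", [
    ("java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;"),
    ("java/nio/file/Files", "readAllBytes", "(Ljava/nio/file/Path;)[B"),
])
RELEASE_2 = build_class("com/example/Parser", [
    ("java/nio/file/Files", "readAllBytes", "(Ljava/nio/file/Path;)[B"),
    ("java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;"),
])

if __name__ == "__main__":
    baseline = capabilities(RELEASE_1)  # what a committed snapshot would hold: {'FILES'}
    print(check_against_snapshot(baseline, capabilities(RELEASE_2)))
```

The gate deliberately passes when a capability disappears and fails only on a gain, which is the asymmetry the snapshot workflow relies on. A constant-pool scan flags a method that is merely referenced, even from dead code, which is why a real analyzer builds a call graph; and even CHA, which resolves each virtual call to every override, still reports capabilities a program never exercises.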

Status

Work in Progress - Core functionality works, but not yet production-ready. Expect false positives: the default CHA call graph treats every override of a virtual method as a possible call target, so capabilities reachable only through implementations your code never uses can still be reported.

Contributing

See CONTRIBUTING.md for development setup and guidelines.

License

Apache 2.0 License - see LICENSE
