Documentation
Everything you need to get started with Pomeranian.
Quick Start
1. Add the Maven Plugin
Add Pomeranian to your project's pom.xml
<build>
  <plugins>
    <plugin>
      <groupId>io.pomeranian</groupId>
      <artifactId>pomeranian-maven-plugin</artifactId>
      <version>1.0.0</version>
      <configuration>
        <apiKey>${env.POMERANIAN_API_KEY}</apiKey>
      </configuration>
    </plugin>
  </plugins>
</build>
2. Run the Optimization
Execute the plugin to analyze and optimize your dependencies
# Set your API key
export POMERANIAN_API_KEY=pom_live_xxxxx
# Basic optimization
mvn pom:optimize
# Note: If 'pom' prefix is not found, use full coordinate:
# mvn io.pomeranian:pomeranian-maven-plugin:optimize
# Full optimization with security scanning
mvn pom:optimize -DsecurityScan=true -DautoFixSecurity=true
# With ProGuard profile for binary minimization
mvn pom:optimize -DproguardProfile=moderate -DframeworkHints=spring
3. Review Results
Check the optimization report
[INFO] 🐕 POMERANIAN DEPENDENCY OPTIMIZER
[INFO] ================================
[INFO] 🔑 Validating API key...
[INFO] ✓ Organization: Acme Corp (GOLD)
[INFO]
[INFO] 🔒 Running OWASP security scan...
[INFO] Found 3 vulnerabilities: 1 CRITICAL, 2 HIGH
[INFO] 🔧 Applying security remediations...
[INFO] ✓ Updated 3 dependency versions
[INFO]
[INFO] 🔍 Analyzing dependencies...
[INFO] Found 47 potentially unused dependencies
[INFO]
[INFO] ✅ OPTIMIZATION COMPLETE
[INFO] POMs modified: 1
Configuration Options
Security Scanning
OWASP Dependency-Check integration for CVE detection
# Enable security scanning
-DsecurityScan=true
# Auto-fix vulnerabilities (updates dependency versions)
-DautoFixSecurity=true
# Provide NVD API key for faster scans (free from NIST)
-DnvdApiKey=your-nvd-api-key
# Example: Full security scan with auto-fix
mvn pom:optimize -DsecurityScan=true -DautoFixSecurity=true
Policy Configuration
Enforce standards with .pomeranian.yaml
# .pomeranian.yaml - Policy as Code
policy:
  # Fail build if these dependencies are found
  banned-dependencies:
    - "log4j:log4j"
    - "com.google.guava:guava:19.0"
  # Security thresholds
  security:
    max-cve-severity: "MEDIUM" # Fail on HIGH or CRITICAL
    ignore-unreachable: true # Ignore CVEs in unused code
ProGuard Profiles
Binary minimization with configurable optimization levels
# ProGuard optimization profiles:
# conservative - No shrinking, safe optimizations only
# moderate - Balanced optimization (default)
# aggressive - Maximum shrinking, may require testing
-DproguardProfile=moderate # or conservative, aggressive
# Example: Aggressive optimization for production
mvn pom:optimize -DproguardProfile=aggressive
Framework Detection
Automatic and manual framework hints for smart optimizations
# Auto-detected frameworks (from pom.xml):
# Spring Boot, Quarkus, Micronaut
# Kotlin, Hibernate/JPA, Jackson
# Manual framework hints (comma-separated):
-DframeworkHints=spring,kotlin,hibernate
# Example: Spring Boot with Kotlin
mvn pom:optimize -DframeworkHints=spring,kotlin
Configuration Reference
| Property | Env Var | Default | Description |
|---|---|---|---|
| apiKey | POMERANIAN_API_KEY | null | Required. Authentication key. |
| dryRun | POMERANIAN_DRY_RUN | false | Analyze without modifying files. |
| securityScan | - | true | Enable OWASP Dependency-Check. |
| autoFixSecurity | - | false | Auto-upgrade versions for CVEs. |
| proguardProfile | - | moderate | Minimization level. |
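To make the thresholds in the .pomeranian.yaml policy under Policy Configuration concrete, the following added example (not Pomeranian's own code) evaluates that policy against constructed sample data. It assumes that a banned entry without a version matches every version, that coordinates have the form group:artifact:version, and that the scanner marks each finding as reachable or not; the finding ids are placeholders.

```python
# Added illustration, not Pomeranian's implementation.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# The page's policy, written as a dict to avoid a YAML dependency.
POLICY = {
    "banned-dependencies": ["log4j:log4j", "com.google.guava:guava:19.0"],
    "security": {"max-cve-severity": "MEDIUM", "ignore-unreachable": True},
}

# Constructed sample input: resolved coordinates and scanner findings.
DEPENDENCIES = [
    "log4j:log4j:1.2.17",
    "com.google.guava:guava:31.1-jre",
    "org.example:widget:2.0",
]
FINDINGS = [
    {"id": "EXAMPLE-0001", "dep": "org.example:widget:2.0", "severity": "HIGH", "reachable": True},
    {"id": "EXAMPLE-0002", "dep": "org.example:widget:2.0", "severity": "CRITICAL", "reachable": False},
    {"id": "EXAMPLE-0003", "dep": "com.google.guava:guava:31.1-jre", "severity": "MEDIUM", "reachable": True},
]


def is_banned(coordinate, banned):
    """Assumed matching: 'group:artifact' bans every version,
    'group:artifact:version' bans only that exact version."""
    group, artifact, version = coordinate.split(":")
    for entry in banned:
        parts = entry.split(":")
        if parts[:2] == [group, artifact] and (len(parts) == 2 or parts[2] == version):
            return True
    return False


def evaluate(policy, dependencies, findings):
    """Return the list of violations that would fail the build."""
    violations = [f"banned dependency: {d}" for d in dependencies
                  if is_banned(d, policy["banned-dependencies"])]
    sec = policy["security"]
    limit = SEVERITY_ORDER.index(sec["max-cve-severity"])
    for f in findings:
        if sec["ignore-unreachable"] and not f["reachable"]:
            continue  # suppressed: finding is in code marked unused
        if SEVERITY_ORDER.index(f["severity"]) > limit:
            violations.append(f"{f['id']} ({f['severity']}) in {f['dep']}")
    return violations


if __name__ == "__main__":
    for v in evaluate(POLICY, DEPENDENCIES, FINDINGS):
        print("POLICY VIOLATION:", v)
```

With ignore-unreachable enabled, the unreachable CRITICAL finding does not fail the build, so the accuracy of the reachability analysis becomes part of the gate.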
Deployment Options (Enterprise Only)
Docker Compose (Local/VM)
git clone https://github.com/pomeranian/pomeranian
cd pomeranian
# Start all services
docker compose up -d
# Check health
curl http://localhost:8080/health
API Reference
POST /api/validate
Validate an API key
curl -X POST https://api.pomeranian.cc/api/validate \
  -H "X-API-Key: pom_live_xxxxx"
# Response
{
  "valid": true,
  "organizationName": "Acme Corp",
  "supportTier": "GOLD"
}
POST /api/scan/init
Initialize an optimization scan
curl -X POST https://api.pomeranian.cc/api/scan/init \
  -H "Content-Type: application/json" \
  -d '{"apiKey":"pom_live_xxx","groupId":"com.acme","artifactId":"app"}'
# Response
{
  "scanId": "uuid-here",
  "uploadUrl": "https://s3.../presigned-url",
  "expiresIn": 3600
}