jGuard v0.3.0 Released

January 25, 2026 · 3 min read

CEO & Founder, Lucenia

jGuard Contributors

We're excited to announce the release of jGuard v0.3.0, featuring 5 new capabilities, trusted module support for native libraries, and significant improvements to the Gradle plugin.

What's New in v0.3.0

New Capabilities

jGuard v0.3.0 adds 5 new capabilities, bringing the total to 14:

Runtime Lifecycle Control

Protect your server uptime from rogue libraries:

security module com.example.myapp {
    // Only the main package can terminate the JVM
    entitle com.example.myapp.main to runtime.exit;

    // Only lifecycle package can register shutdown hooks
    entitle com.example.myapp.lifecycle.. to runtime.shutdown_hook;
}

runtime.exit — Guards System.exit(), Runtime.exit(), Runtime.halt()
runtime.shutdown_hook — Guards Runtime.addShutdownHook(), Runtime.removeShutdownHook()

This prevents libraries like embedded databases from accidentally (or maliciously) terminating your server application.

Process Execution Control

Prevent shell escapes and command injection:

security module com.example.myapp {
    // Only allow specific commands
    entitle com.example.myapp.tools to process.exec("/usr/bin/java");
    entitle com.example.myapp.tools to process.exec("/opt/app/bin/*");
}

Filesystem and Crypto

fs.hardlink — Control hard link creation to prevent filesystem boundary bypass
crypto.provider — Control JCE provider modifications to prevent rogue crypto providers

Trusted Module Mechanism

For native libraries like PyTorch, TensorFlow, or DJL that require unrestricted system access:

// File: policies/ai.djl.pytorch.jguard (external override only)
security module ai.djl.pytorch {
    trusted;
}

Key security features:

Override-only: trusted keyword only allowed in external policy files, not embedded
Explicit opt-in: Requires -Djguard.allow.trusted=true
Audit trail: Security warning logged when trusted modules are loaded

Contextual Keywords

All jGuard keywords are now contextual, allowing package names like io.example.security.module:

security module io.example.security.module {
    entitle io.example.security.module.auth.. to crypto.provider;
}

Gradle Plugin Improvements

Incremental builds for compileExternalPolicies task
Automatic dependencies — test tasks depend on policy compilation
Global policies now apply to unnamed modules (classpath code)

Bootstrap JAR Caching

Faster startup with content-hash based cache invalidation:

# Configurable cache directory
java -Djguard.bootstrap.cache.dir=/tmp/jguard-cache \
     -javaagent:jguard-agent.jar \
     -jar app.jar

Getting Started

Add jGuard to your Gradle project:

plugins {
    id "io.jguard.policy" version "0.3.0"
}

dependencies {
    implementation("io.jguard:jguard-core:0.3.0")
}

Create your policy in module-info.jguard:

security module com.example.myapp {
    entitle com.example.myapp.http.. to network.outbound;
    entitle com.example.myapp.io..   to fs.read(data, "**");
    entitle com.example.myapp.main   to runtime.exit;
}

Run with enforcement:

./gradlew runWithAgent

Migration from v0.2.0

v0.3.0 is backward compatible with v0.2.0 policies. The binary policy format has been updated to v3 to support the trusted flag, but the agent can still read v2 policies.

Resources

What's Next

We're already working on v0.4.0, which will focus on:

Enhanced observability with Prometheus/Micrometer metrics
IDE plugin for IntelliJ IDEA
Additional runtime capabilities (jmx.monitor, runtime.stack_trace)
Path variables for portable policies

Thank you to all our contributors!

What's New in v0.3.0​

New Capabilities​

Runtime Lifecycle Control​

Process Execution Control​

Filesystem and Crypto​

Trusted Module Mechanism​

Contextual Keywords​

Gradle Plugin Improvements​

Bootstrap JAR Caching​

Getting Started​

Migration from v0.2.0​

Resources​

What's Next​