The problem was never that Maven projects could not run security tools. They could. A pipeline can run tests, Dependency-Check, CycloneDX, and SonarQube with a few commands. A pom.xml can hold plugin blocks. A team can copy a working configuration from one service to another and call it a standard. For a while, that works.

Then the small differences start showing up. One service has JaCoCo but does not pass the XML report to SonarQube. Another produces Dependency-Check output only as HTML. One multi-module project generates an SBOM from the root aggregator and misses the shape of the real runtime application. Another pipeline forgets merge request metadata, so SonarQube analysis is technically successful but practically incomplete.

That is security build drift. It looks like automation. It behaves like inconsistency.

I built secure-maven-extension to solve that problem for Maven projects. Not by replacing the scanners. By making the Maven lifecycle carry the security workflow.…
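To make the drift patterns above concrete, here is an added example of my own, not code from secure-maven-extension or from the post: a small Python checker that reads a pom.xml and flags three of them (JaCoCo without the XML report wired to SonarQube, Dependency-Check emitting only HTML, and an SBOM produced from the root aggregator). The two POMs are constructed samples, one drifted and one corrected. The plugin coordinates, goal names and the `sonar.coverage.jacoco.xmlReportPaths` property are the real ones; which report formats count as machine-readable, and treating `makeAggregateBom` on a `packaging=pom` root as drift, are assumptions taken from the text.

```python
"""Flag Maven security build drift in a pom.xml.

Added example; not code from secure-maven-extension. Plugin coordinates,
goal names and the sonar.coverage.jacoco.xmlReportPaths property are real.
The set of machine-readable formats and the rule that makeAggregateBom on a
packaging=pom root is drift are assumptions drawn from the drift patterns
described in the text.
"""
import xml.etree.ElementTree as ET

# Assumption: these Dependency-Check formats can be consumed by other tools.
MACHINE_READABLE = {"JSON", "XML", "SARIF", "ALL"}

# Constructed sample: a root POM that "has" every tool but drifts three ways.
DRIFTED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>parent</artifactId><version>1.0</version>
  <packaging>pom</packaging>
  <build><plugins>
    <plugin><groupId>org.jacoco</groupId><artifactId>jacoco-maven-plugin</artifactId>
      <executions><execution><goals><goal>prepare-agent</goal><goal>report</goal></goals></execution></executions>
    </plugin>
    <plugin><groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
      <configuration><format>HTML</format></configuration>
    </plugin>
    <plugin><groupId>org.cyclonedx</groupId><artifactId>cyclonedx-maven-plugin</artifactId>
      <executions><execution><goals><goal>makeAggregateBom</goal></goals></execution></executions>
    </plugin>
  </plugins></build>
</project>
"""

# Constructed sample: the deployable module with each drift corrected.
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>service</artifactId><version>1.0</version>
  <packaging>jar</packaging>
  <properties>
    <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
  </properties>
  <build><plugins>
    <plugin><groupId>org.jacoco</groupId><artifactId>jacoco-maven-plugin</artifactId>
      <executions><execution><goals><goal>prepare-agent</goal><goal>report</goal></goals></execution></executions>
    </plugin>
    <plugin><groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
      <configuration><formats><format>HTML</format><format>JSON</format></formats></configuration>
    </plugin>
    <plugin><groupId>org.cyclonedx</groupId><artifactId>cyclonedx-maven-plugin</artifactId>
      <executions><execution><goals><goal>makeBom</goal></goals></execution></executions>
    </plugin>
  </plugins></build>
</project>
"""


def _strip_namespaces(root):
    """Drop the POM xmlns so tag lookups can use plain element names."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def find_drift(pom_xml: str) -> list:
    """Return 'tool: problem' strings for each drift found; empty means clean."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    plugins = {p.findtext("artifactId"): p
               for p in root.iterfind("./build/plugins/plugin")}
    props = root.find("properties")
    prop_names = {child.tag for child in props} if props is not None else set()
    findings = []

    # 1. JaCoCo runs, but its XML report is never handed to SonarQube.
    if ("jacoco-maven-plugin" in plugins
            and "sonar.coverage.jacoco.xmlReportPaths" not in prop_names):
        findings.append("jacoco: plugin present but "
                        "sonar.coverage.jacoco.xmlReportPaths is not set")

    # 2. Dependency-Check emits only HTML (also the plugin's default when no
    #    format is configured), so nothing downstream can parse the findings.
    dc = plugins.get("dependency-check-maven")
    if dc is not None:
        formats = {f.text.strip().upper() for f in dc.iter("format") if f.text}
        if not formats & MACHINE_READABLE:
            findings.append("dependency-check: no machine-readable format "
                            f"(got {sorted(formats) or ['HTML default']})")

    # 3. SBOM built from the root aggregator instead of the deployable module.
    cdx = plugins.get("cyclonedx-maven-plugin")
    if cdx is not None and root.findtext("packaging") == "pom":
        goals = {g.text.strip() for g in cdx.iter("goal") if g.text}
        if "makeAggregateBom" in goals:
            findings.append("cyclonedx: makeAggregateBom on the packaging=pom "
                            "root describes the build tree, not the runtime app")
    return findings


if __name__ == "__main__":
    for name, pom in (("drifted", DRIFTED_POM), ("fixed", FIXED_POM)):
        print(name, find_drift(pom) or "no drift found")
```

Run against the drifted POM the checker reports all three patterns; against the corrected module it reports nothing. The merge request metadata case is deliberately not covered here, since those `sonar.pullrequest.*` values normally arrive on the Maven command line rather than in the POM, which is exactly why a POM-only check cannot see that kind of drift.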