ProGuard
Static code analysis tools
DevSecOps software
- Features
- Ease of use
- Ease of management
- Quality of support
- Affordability
- Market presence
Take the quiz to check if ProGuard and its alternatives fit your requirements.
Completely free
Free Trial unavailable
Free version
Small
Medium
Large
- Arts, entertainment, and recreation
- Information technology and software
- Agriculture, fishing, and forestry
What is ProGuard
ProGuard is a Java and Android build-time tool that shrinks, optimizes, and obfuscates bytecode to reduce application size and make reverse engineering more difficult. It is commonly used by Android developers and Java teams as part of CI/CD pipelines to prepare release builds. ProGuard focuses on code shrinking and obfuscation rather than broad, rule-based security scanning across multiple languages. It is often used alongside other quality and security tools in a DevSecOps workflow.
Build-time code shrinking
ProGuard reduces application size by removing unused classes, methods, and fields and by performing bytecode-level optimizations. This can improve download size and startup characteristics for mobile apps where footprint matters. The tool integrates into typical Java/Android build processes, making it practical for automated release pipelines. Its outputs (e.g., mapping files) support debugging of obfuscated builds when configured correctly.
Bytecode obfuscation support
ProGuard obfuscates identifiers to make decompilation results harder to interpret, which can raise the effort required for casual reverse engineering. It supports configuration rules to keep specific classes and members from being renamed or removed, which is important for reflection-heavy frameworks. This makes it suitable for release hardening steps in Android and Java distributions. Obfuscation is deterministic when configured, which helps with reproducible builds.
Mature Java/Android ecosystem fit
ProGuard is widely recognized in the Android and Java ecosystem and is supported by common build tooling patterns. Teams can incorporate it into CI workflows as a predictable, non-interactive step. Its rule-based configuration model aligns with how many Java build tools manage packaging and minimization. This maturity reduces operational risk compared with adopting less-established build-time transformers.
Not a full SAST tool
ProGuard does not primarily perform vulnerability detection, dataflow analysis, or secure coding rule checks typical of static code analysis platforms. It will not replace tools that report security issues, code smells, or compliance-oriented findings across repositories. As a result, organizations pursuing DevSecOps governance usually need additional scanners and reporting layers. Its value is strongest in build artifact transformation rather than security analytics.
Java/Android-centric scope
ProGuard targets Java bytecode and Android use cases and does not provide broad multi-language coverage. Teams with polyglot stacks must use other tools for non-JVM components to achieve consistent policy enforcement. This can increase toolchain complexity in enterprise environments. It is best suited where JVM/Android is a primary delivery platform.
Configuration can be fragile
Rule configuration often requires iterative tuning, especially for apps that use reflection, dynamic class loading, or annotation processing. Misconfiguration can lead to runtime errors, missing classes, or broken serialization and dependency injection behavior. Maintaining keep rules across dependency updates can add ongoing overhead. Troubleshooting typically relies on mapping files and build logs, which may be unfamiliar to some teams.
Plan & Pricing
Pricing model: Completely free (open-source, GNU General Public License v2). Plans: No paid plans; ProGuard is distributed under GPL v2 and is free to use for processing applications (commercial or not). Notes: ProGuard source code, manual, and downloads are maintained by Guardsquare (official pages & GitHub). Guardsquare offers separate commercial products (e.g., DexGuard, iXGuard) which have request-based pricing on Guardsquare's pricing page.
