SpotBugs

SpotBugs

Category: SAST
License: Free/OSS
Visit Website →
GitHub (3800★)

SpotBugs is the leading open-source static analysis tool for finding bugs in Java code.

With over 3,800 GitHub stars and 204 contributors, it serves as the community-driven continuation of the FindBugs project.

As the spiritual successor to FindBugs, it continues active development with support for modern Java versions including JDK 21.

The tool analyzes Java bytecode to detect over 400 bug patterns, and when combined with the Find Security Bugs plugin, becomes a comprehensive security scanner covering the OWASP Top 10.

What is SpotBugs?

SpotBugs uses bytecode analysis to find bugs in Java programs.

Rather than parsing source code, it examines the compiled .class files, which means it can analyze libraries and frameworks without access to their source.

This approach also catches issues that only manifest after compilation, such as problems arising from type erasure or compiler optimizations.

The tool categorizes findings into correctness bugs, bad practices, performance issues, and security vulnerabilities.

Each bug pattern includes a detailed explanation and confidence rating to help prioritize remediation.

Key Features

Bug Pattern Detection

SpotBugs ships with over 400 bug patterns covering null pointer dereferences, infinite loops, resource leaks, incorrect API usage, and thread safety issues.

Patterns are grouped into categories like correctness, performance, and bad practice.

Find Security Bugs Plugin

The Find Security Bugs plugin extends SpotBugs with 144 security vulnerability patterns.

It detects SQL injection, XSS, path traversal, weak cryptography, XXE, insecure deserialization, and other OWASP Top 10 vulnerabilities.

The plugin recognizes 826+ unique API signatures across Spring, Struts, JSF, and other popular frameworks.

Build Tool Integration

SpotBugs integrates with Maven, Gradle, Ant, and SBT.

Reports can be generated as part of your build process and viewed in HTML, XML, or SARIF formats.

The Maven and Gradle plugins support fail-on-violation to break builds when issues are found.

IDE Support

Plugins for Eclipse and IntelliJ IDEA show SpotBugs findings directly in your editor with quick-fix suggestions.

The Eclipse plugin provides real-time analysis as you code.

Installation

Add SpotBugs to your build tool or download the standalone distribution:

# Standalone installation
wget https://github.com/spotbugs/spotbugs/releases/download/4.8.6/spotbugs-4.8.6.tgz
tar -xzf spotbugs-4.8.6.tgz

# Run standalone
./spotbugs-4.8.6/bin/spotbugs -textui /path/to/your.jar

Maven Configuration

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>4.8.6.0</version>
    <configuration>
        <plugins>
            <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>1.13.0</version>
            </plugin>
        </plugins>
    </configuration>
</plugin>

Gradle Configuration

plugins {
    id 'com.github.spotbugs' version '6.4.8'
}

dependencies {
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.13.0'
}

spotbugs {
    toolVersion = '4.8.6'
    effort = 'max'
    reportLevel = 'low'
}

How to Use SpotBugs

Run SpotBugs through your build tool or the CLI:

# Maven - generate report
mvn spotbugs:spotbugs

# Maven - check and fail on bugs
mvn spotbugs:check

# Gradle - generate report
./gradlew spotbugsMain

# Standalone - analyze JAR file
spotbugs -textui -high -effort:max application.jar

# Generate HTML report
spotbugs -html -output report.html application.jar

Integration

GitHub Actions

name: SpotBugs Analysis
on: [push, pull_request]

jobs:
  spotbugs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Build and analyze
        run: mvn compile spotbugs:spotbugs
      - name: Upload SpotBugs report
        uses: actions/upload-artifact@v4
        with:
          name: spotbugs-report
          path: target/spotbugsXml.xml

GitLab CI

GitLab includes SpotBugs in its SAST analyzers:

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_ANALYZER_IMAGE_TAG: "latest"

Jenkins Pipeline

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn compile'
            }
        }
        stage('SpotBugs Analysis') {
            steps {
                sh 'mvn spotbugs:spotbugs'
            }
            post {
                always {
                    recordIssues tools: [spotBugs()]
                }
            }
        }
    }
}

When to Use SpotBugs

SpotBugs belongs in every Java project’s quality toolchain.

It catches bugs that unit tests miss and finds security issues before code reaches production.

The bytecode analysis approach means it works with any JVM language that compiles to class files, including Kotlin, Groovy, and Scala.

For security-focused teams, the Find Security Bugs plugin is essential.

It provides OWASP Top 10 coverage specifically tuned for Java web applications and frameworks.

The combination of SpotBugs plus Find Security Bugs gives you both correctness and security analysis in a single tool.

SpotBugs works well alongside other static analysis tools.

Pair it with Checkstyle for code style, PMD for code quality, and a dedicated SAST tool for deeper security analysis.

Many teams run SpotBugs locally in IDEs for immediate feedback and in CI for gating merges.

Other SAST Tools

Bandit
Bandit

Open-Source Python Scanner

Brakeman
Brakeman

Open-Source Ruby on Rails

Checkmarx
Checkmarx

Gartner Leader for Enterprise SAST

Codacy
Codacy

40+ Languages with AI Code Protection

See all SAST tools