SpotBugs


Category: SAST
License: Free/OSS (LGPL-2.1)
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
Key Takeaways
  • Free, open-source (LGPL-2.1) Java bytecode analyzer with 3,800+ GitHub stars that detects 400+ bug patterns including null pointers, resource leaks, and thread safety issues.
  • Find Security Bugs plugin adds 144 security vulnerability types with 826+ API signatures across Spring, Struts, and JSF — covering OWASP Top 10 for Java web apps.
  • Analyzes compiled .class files rather than source code, working with any JVM language (Java, Kotlin, Groovy, Scala) and able to scan libraries without source access.
  • Used by GitLab's built-in SAST analyzer for JVM languages; integrates with Maven, Gradle, Eclipse, IntelliJ, and outputs SARIF for GitHub Code Scanning.

SpotBugs is a free, open-source SAST tool that finds bugs in Java programs by analyzing compiled bytecode. With over 3,800 GitHub stars and 200+ contributors, it’s the community-driven successor to FindBugs.

SpotBugs detects over 400 bug patterns, and the Find Security Bugs plugin adds 144 security vulnerability types covering the OWASP Top 10. Since it analyzes bytecode rather than source code, it works with any JVM language: Java, Kotlin, Groovy, and Scala.

400+ Bug Patterns
Detects null pointer dereferences, infinite loops, resource leaks, incorrect API usage, thread safety issues, and more. Each finding includes a confidence rating and detailed explanation.
Find Security Bugs
Plugin adds 144 security vulnerability patterns with 826+ API signatures across Spring, Struts, JSF, and other frameworks. Covers OWASP Top 10 including SQL injection, XSS, and XXE.
Bytecode Analysis
Analyzes compiled .class files rather than source code. Works with any JVM language and can analyze libraries without source access. Catches issues that only appear after compilation.

SpotBugs GUI showing detected bugs with source code viewer and details panel

What is SpotBugs?

SpotBugs examines compiled Java bytecode for instances of “bug patterns”: code idioms that are likely to be incorrect. The original FindBugs was developed at the University of Maryland, whose research argued that pattern matching on bytecode finds a distinct class of defects from those that source-level tools find. Working with .class files means SpotBugs can analyze third-party libraries and sees the code the compiler actually emitted, including synthetic methods and generics after type erasure.

The tool categorizes findings into correctness bugs, bad practices, performance issues, and security vulnerabilities. The current version is 4.9.8, released October 2025. JDK 21 support was added in version 4.8.0.

SpotBugs is used by GitLab’s built-in SAST analyzer for Java, Kotlin, Groovy, and Scala projects. GitLab pairs SpotBugs with the Find Security Bugs plugin for security analysis.

Key features

Find Security Bugs plugin

The Find Security Bugs plugin is what turns SpotBugs into a security scanner. It adds 144 vulnerability types and recognizes 826+ unique API signatures across popular Java frameworks.

Category            Examples
Injection           SQL injection, command injection, LDAP injection, XPath injection
Data exposure       XSS, path traversal, information leakage
XML                 XXE, XML injection
Crypto              Weak cryptography, insecure random, ECB mode
Deserialization     Insecure deserialization patterns
Framework-specific  Spring, Struts, JSF, Android-specific patterns

The latest version is 1.14.0 (June 2025). Maven coordinates: com.h3xstream.findsecbugs:findsecbugs-plugin.
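As an added illustration of the categories above (this is constructed example code, not code from the page, from SpotBugs, or from Find Security Bugs), the class below pairs three vulnerable methods with their hardened forms. The bug pattern names in the comments (SQL_INJECTION_JDBC, PREDICTABLE_RANDOM, XXE_DOCUMENT) are Find Security Bugs' own identifiers for these detectors; the class and method names are the example's. Compile it and run SpotBugs with findsecbugs-plugin loaded; only the *Vulnerable methods should appear in the report. Findings whose input the analyzer cannot trace to a known source (here, a plain method parameter) can be reported at lower confidence, so keep the threshold at Low on a first run so nothing is dropped.

```java
import java.io.InputStream;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.Random;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/**
 * Constructed demo class (not part of SpotBugs or Find Security Bugs).
 * Each *Vulnerable method has the shape Find Security Bugs flags; the bug
 * pattern name is noted beside the offending call. Each *Safe method is the fix.
 */
public class FindSecBugsDemo {

    // --- Injection: SQL_INJECTION_JDBC -------------------------------------------

    // Vulnerable: the caller-controlled name is concatenated into the SQL text,
    // so a value such as  x' OR '1'='1  changes the query structure.
    static boolean userExistsVulnerable(Connection conn, String name) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT 1 FROM users WHERE name = '" + name + "'")) { // SQL_INJECTION_JDBC
            return rs.next();
        }
    }

    // Safe: a parameterized query. The driver sends the value separately from
    // the SQL, so it can never be parsed as SQL syntax.
    static boolean userExistsSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // --- Crypto: PREDICTABLE_RANDOM ------------------------------------------------

    // Vulnerable: java.util.Random is a deterministic generator with a 48-bit
    // state; an attacker who observes a few tokens can predict the next ones.
    static String resetTokenVulnerable() {
        Random r = new Random(); // PREDICTABLE_RANDOM
        return Long.toHexString(r.nextLong());
    }

    // Safe: a CSPRNG and 256 bits of entropy, so guessing is infeasible.
    static String resetTokenSafe() {
        byte[] token = new byte[32];
        new SecureRandom().nextBytes(token);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    // --- XML: XXE_DOCUMENT -----------------------------------------------------------

    // Vulnerable: a default DocumentBuilderFactory resolves external entities, so
    // a DOCTYPE declaring <!ENTITY xxe SYSTEM "file:///etc/passwd"> reads local files.
    static Document parseVulnerable(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(in); // XXE_DOCUMENT
    }

    // Safe: refuse DOCTYPEs outright (the single most effective setting) and close
    // the remaining doors in case a parser implementation ignores the first feature.
    static Document parseSafe(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(in);
    }
}
```

The hardened forms are the fixes the detectors' own descriptions point to: bind parameters instead of building SQL strings, use SecureRandom for anything an attacker would benefit from predicting, and disable DTD processing before parsing untrusted XML.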

Build tool integration

SpotBugs integrates with Maven, Gradle, Ant, and SBT:

  • Maven plugin: com.github.spotbugs:spotbugs-maven-plugin (latest: 4.9.8.2)
  • Gradle plugin: com.github.spotbugs (latest: 6.4.8)

Both plugins can fail the build when findings remain after filtering (Maven: failOnError, which the check goal enables by default; Gradle: ignoreFailures = false). Reports can be generated in HTML, XML, or SARIF formats.

IDE support

  • Eclipse: SpotBugs Eclipse plugin available on Eclipse Marketplace
  • IntelliJ IDEA: spotbugs-idea plugin, maintained by JetBrains

Both plugins show findings directly in the editor with explanations and navigation to the bug location.

Bytecode, not source
SpotBugs requires compiled code to analyze. You need to run your build (compile step) before SpotBugs can scan. This is different from source-level tools like PMD or Semgrep that work directly on source files.

Getting started

1
Add to your build — For Maven, add spotbugs-maven-plugin to your POM. For Gradle, apply the com.github.spotbugs plugin. Register findsecbugs-plugin as a SpotBugs plugin for security scanning (Maven: a <plugins> entry in the spotbugs-maven-plugin configuration; Gradle: a spotbugsPlugins dependency). Without it, SpotBugs runs no security detectors.
2
Run the scan — Execute mvn spotbugs:check or ./gradlew spotbugsMain. SpotBugs analyzes the compiled bytecode, so the compile step must run first. Raise the effort level (-effort:max on the command line, <effort>Max</effort> in Maven) for the deepest analysis; it is slower but finds more.
3
Review findings — Each finding includes a bug pattern code, confidence level, and explanation. HTML reports provide navigable overviews; SARIF output integrates with GitHub Code Scanning.
4
Configure filters — Use XML filter files to include or exclude specific bug patterns, classes, or methods. Suppress known false positives narrowly (one class, one pattern) rather than by whole category, so the security detectors stay in the build gate while the noise goes away.
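The build tool integration and the four steps above, put together for a Maven project. This is an added example, not a fragment from the page or from the SpotBugs project: the artifact versions are the ones the page lists, the output file names are the plugin's defaults, and the com.example package and class names in the filter are placeholders.

```xml
<!-- pom.xml, inside <build><plugins>: runs on `mvn verify` and on `mvn spotbugs:check` -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.9.8.2</version>
  <configuration>
    <effort>Max</effort>            <!-- deepest analysis; slower, but finds more -->
    <threshold>Low</threshold>      <!-- report low-confidence findings too; tune later -->
    <failOnError>true</failOnError> <!-- break the build on any finding that survives the filter -->
    <htmlOutput>true</htmlOutput>   <!-- target/spotbugs.html for humans -->
    <sarifOutput>true</sarifOutput> <!-- target/spotbugsSarif.json for GitHub Code Scanning -->
    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
    <plugins>
      <!-- loads Find Security Bugs into the analysis; without it there are no security detectors -->
      <plugin>
        <groupId>com.h3xstream.findsecbugs</groupId>
        <artifactId>findsecbugs-plugin</artifactId>
        <version>1.14.0</version>
      </plugin>
    </plugins>
  </configuration>
  <executions>
    <execution>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

<!-- spotbugs-exclude.xml, in the project root: suppress known noise without hiding the SECURITY category -->
<FindBugsFilter>
  <!-- Generated code: nothing a developer can fix here (placeholder package, "~" means regex) -->
  <Match>
    <Package name="~com\.example\.generated.*"/>
  </Match>
  <!-- One accepted false positive, scoped to a single class and a single pattern -->
  <Match>
    <Class name="com.example.util.DiceRoller"/>
    <Bug pattern="PREDICTABLE_RANDOM"/>
  </Match>
  <!-- Style findings stay out of the gate; correctness and security findings do not -->
  <Match>
    <Bug category="STYLE"/>
  </Match>
</FindBugsFilter>
```

The filter is the part to review in code review: a one-line `<Bug category="SECURITY"/>` exclusion would silently switch off everything Find Security Bugs adds, so keep exclusions narrow and pinned to a class and pattern, as in the second match above.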

When to use SpotBugs

SpotBugs belongs in every Java project’s quality toolchain. It catches bugs that unit tests miss and, with Find Security Bugs, provides OWASP Top 10 coverage tuned for Java web applications.

For source-level analysis and code style enforcement, pair SpotBugs with PMD or Checkstyle. For deeper security analysis across more languages, consider Semgrep or CodeQL.

Best for
Java teams that want free, proven bug detection through bytecode analysis, especially when paired with Find Security Bugs for OWASP Top 10 coverage.

Frequently Asked Questions

What is SpotBugs?
SpotBugs is a free, open-source static analysis tool that finds bugs in Java programs by analyzing compiled bytecode (.class files). It is the spiritual successor to FindBugs and detects over 400 bug patterns including null pointer dereferences, infinite loops, resource leaks, and thread safety issues. SpotBugs has over 3,800 GitHub stars and 200+ contributors.
What is Find Security Bugs?
Find Security Bugs is a SpotBugs plugin that adds 144 security vulnerability patterns and recognizes 826+ unique API signatures across Spring, Struts, JSF, and other frameworks. It detects SQL injection, XSS, path traversal, weak cryptography, XXE, insecure deserialization, and other OWASP Top 10 vulnerabilities. It also works with Kotlin, Groovy, and Scala projects. Licensed under LGPL-3.0.
Does SpotBugs analyze source code?
No. SpotBugs analyzes compiled Java bytecode (.class files), not source code. This means it can analyze libraries and frameworks without access to their source and catches issues that only manifest after compilation. Any JVM language that compiles to bytecode (Java, Kotlin, Groovy, Scala) can be analyzed.
What Java versions does SpotBugs support?
SpotBugs requires JDK 11 or later to run. JDK 21 bytecode analysis support was added in version 4.8.0. The current version is 4.9.8 (released October 2025).