SpotBugs

Java bytecode static analysis tool that detects bug patterns in compiled Java code. Successor to FindBugs. Analyzes .class files for 400+ bug patterns across categories: correctness (null dereference, infinite loops), performance (boxing in loops, string concatenation), security (SQL injection, path traversal, open redirect), bad practice (ignored return values, equals/hashCode contract violations), multithreading (synchronization mistakes, deadlock risks), and malicious code vulnerabilities. Integrates with Gradle, Maven, and Ant. Security extension: the Find Security Bugs plugin adds 130+ security-specific checks to SpotBugs, including OWASP Top 10 patterns.

Evaluated Mar 06, 2026 (0d ago) v4.x
Category: Developer Tools. Tags: java, static-analysis, bytecode, security, bugs, gradle, maven, ci
⚙ Agent Friendliness: 66 / 100 (Can an agent use this?)
🔒 Security: 95 / 100 (Is it safe for agents?)
⚡ Reliability: 86 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 82
Error Messages: 80
Auth Simplicity: 100
Rate Limits: 100

🔒 Security

TLS Enforcement: 100
Auth Strength: 100
Scope Granularity: 92
Dep. Hygiene: 85
Secret Handling: 95

SpotBugs itself runs entirely locally — no external calls, no data sent anywhere. The Find Security Bugs plugin detects hardcoded credentials, predictable random seeds, weak cryptography, and OWASP Top 10 patterns, so it actively improves the security posture of agent code.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 85
Breaking Changes: 82
Error Recovery: 90

Best When

You're maintaining a Java agent service codebase and want automated bug pattern detection in CI — SpotBugs catches real bugs (null deref, threading issues, security patterns) that code review misses.

Avoid When

Your codebase is primarily Kotlin (use Detekt), you need code style enforcement (use Checkstyle), or you're looking for architecture rule enforcement (use ArchUnit).

Use Cases

  • Catch null pointer dereferences in agent service code at build time — SpotBugs NP_NULL_ON_SOME_PATH detection finds paths where agent response objects may be null before they're used
  • Detect security vulnerabilities in agent API code using Find Security Bugs plugin — SQL injection, XSS, path traversal, XXE, and command injection patterns caught before deployment
  • Find threading bugs in concurrent agent services — SpotBugs detects unsynchronized field access, double-checked locking mistakes, and lock ordering issues in multi-threaded agent code
  • Enforce agent code quality in CI pipeline — SpotBugs Gradle plugin fails builds on HIGH priority bugs; reports go to build artifacts for developer review
  • Audit agent service dependencies for known bug patterns — SpotBugs can analyze third-party JARs to identify risky patterns in agent infrastructure code

Not For

  • Architecture enforcement — use ArchUnit for layered architecture rules; SpotBugs catches bug patterns, not structural violations
  • Code style and formatting — use Checkstyle or PMD for style rules; SpotBugs is bug-focused, not style-focused
  • Kotlin source analysis — SpotBugs analyzes JVM bytecode but Kotlin generates different bytecode patterns; use Detekt for Kotlin-specific static analysis

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

Static analysis tool — no authentication concepts apply. Runs locally or in CI without access to any external service.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

SpotBugs is LGPL 2.1 licensed and community-maintained. The Find Security Bugs plugin is also LGPL. Free for all use.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Requires compiled bytecode — SpotBugs analyzes .class files, not source, so it must run after the compile phase; in Gradle, the spotbugsMain task depends on compileJava, and a failed compile produces no analysis output
  • False positive rate requires tuning — SpotBugs has known false positives for certain patterns (intentional null returns, framework-injected fields); use @SuppressFBWarnings or spotbugs-exclude.xml to suppress specific patterns, with a justification recorded alongside each suppression
  • Find Security Bugs requires explicit plugin addition — SpotBugs alone doesn't include security checks; add the findSecurityBugs plugin separately to spotbugs { pluginConfiguration } in Gradle for OWASP coverage
  • Priority threshold configuration — the default configuration reports ALL priorities including LOW; set spotbugs { reportLevel = 'HIGH' } to fail only on high-confidence bugs; LOW/MEDIUM findings can still be reported without failing CI
  • Java 17+ module system compatibility — SpotBugs may warn about --add-opens JVM arguments on Java 17+ projects; add jvmArgs in the spotbugs Gradle config to suppress module access warnings
  • Incremental analysis not built-in — SpotBugs re-analyzes all bytecode on each run; for large agent monorepos, limit spotbugsMain to changed modules using Gradle's up-to-date checks, or run it only on critical modules in PR checks


Scores are editorial opinions as of 2026-03-06.
