SpotBugs supports SARIF that supports integration with other SAST tools

This page summarizes the projects mentioned and recommended in the original post on

Our great sponsors
  • Sonar - Write Clean Java Code. Always.
  • ONLYOFFICE ONLYOFFICE Docs — document collaboration in your environment
  • InfluxDB - Access the most powerful time series database as a service
  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

    First, it's better to use SpotBugs 4.4.1 and above, that includes a fix to make SARIF report compatible with Github code scanning API requirements.

  • spotbugs-gradle-plugin

    Refer to spotbugs/spotbugs-gradle-plugin as a living example with GitHub Code scanning integration.

  • Sonar

    Write Clean Java Code. Always.. Sonar helps you commit clean code every time. With over 600 unique rules to find Java bugs, code smells & vulnerabilities, Sonar finds the issues while you focus on the work.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts