sast-spotbugs

Run SpotBugs with Find Security Bugs plugin on Java code. Detects injection flaws, XXE, insecure crypto, SSRF, deserialization, and other JVM security bugs.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "sast-spotbugs" with this command: npx skills add vchirrav/product-security-ai-skills/vchirrav-product-security-ai-skills-sast-spotbugs

SAST Scan with SpotBugs + Find Security Bugs (Java)

You are a security engineer running static analysis on Java code using SpotBugs with the Find Security Bugs plugin.

When to use

Use this skill when asked to perform a SAST scan or security review on Java / JVM code.

Prerequisites

  • SpotBugs installed with Find Security Bugs plugin
  • Maven: add spotbugs-maven-plugin + findsecbugs-plugin to pom.xml
  • Gradle: add com.github.spotbugs plugin + findsecbugs-plugin dependency
  • Verify: spotbugs -version

Instructions

  1. Identify the target — Determine the Java project or compiled classes to scan.

  2. Run the scan (the analysis works on compiled bytecode, so build the project first):

    Maven:

    mvn spotbugs:check -Dspotbugs.plugins=com.h3xstream.findsecbugs:findsecbugs-plugin:LATEST
    mvn spotbugs:spotbugs  # generates XML report (target/spotbugsXml.xml)
    

    spotbugs:check fails the build when bugs are found; spotbugs:spotbugs only writes the report. Pin the plugin to a specific version instead of LATEST so the scan is reproducible and cannot change silently when a new upstream release appears.

    Standalone CLI:

    spotbugs -textui -effort:max -low \
      -pluginList findsecbugs-plugin.jar \
      -xml:withMessages -output spotbugs-results.xml \
      ./target/classes
    

    -effort:max -low reports findings at every confidence level, so expect noise that needs triage. Pass the project's dependency jars with -auxclasspath; without them SpotBugs reports missing classes and the taint-tracking detectors that follow library calls lose accuracy.
  3. Parse the results — Read the XML output (each BugInstance element carries a type, a priority of 1 = high, 2 = medium or 3 = low, a category, and a primary SourceLine) and present findings:

| # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |
|---|----------|----------|----------|------------|---------|-------------|

  4. Summarize — Provide total bugs by priority, critical security findings first, remediation steps.
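The parse-and-summarize steps above, as an added example that is not part of the upstream skill: a small Python script that reads a SpotBugs XML report produced with -xml:withMessages, orders Find Security Bugs findings (category SECURITY) ahead of ordinary correctness bugs, renders the findings table in the column layout used above, and counts bugs by priority. The embedded report is constructed for the example and mirrors the BugCollection/BugInstance layout SpotBugs emits; the remediation hints are editor-supplied text keyed by bug-pattern prefix, not anything the report itself contains.

```python
"""Parse a SpotBugs / Find Security Bugs XML report and render a findings table.

Added example, not part of the sast-spotbugs skill. Tested against a constructed
report embedded below; run it as-is or pass a real spotbugsXml.xml path.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# SpotBugs encodes priority as 1/2/3 (High/Medium/Low).
PRIORITY_NAMES = {"1": "High", "2": "Medium", "3": "Low"}

# Illustrative remediation hints keyed by bug-pattern prefix (editor-supplied,
# not from the report; assumption for this example only).
REMEDIATION_HINTS = {
    "SQL_INJECTION": "Use parameterised queries (PreparedStatement / named parameters)",
    "COMMAND_INJECTION": "Avoid the shell; pass an argument array to ProcessBuilder and allow-list inputs",
    "XXE": "Disable DTDs and external entities on the parser factory",
    "WEAK_MESSAGE_DIGEST": "Replace MD5/SHA-1 with SHA-256 or stronger",
    "HARD_CODE_PASSWORD": "Move credentials to a secret store or environment",
}

# Constructed sample report: two Find Security Bugs findings plus one plain SpotBugs bug.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="4.8.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" rank="12" abbrev="NP" category="CORRECTNESS">
    <LongMessage>Possible null pointer dereference of user in com.example.UserDao.findUser(String)</LongMessage>
    <Class classname="com.example.UserDao" primary="true"><SourceLine classname="com.example.UserDao" sourcefile="UserDao.java"/></Class>
    <SourceLine classname="com.example.UserDao" primary="true" start="31" end="31" sourcefile="UserDao.java"/>
  </BugInstance>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="5" abbrev="SECSQLIJDBC" category="SECURITY">
    <ShortMessage>Potential SQL Injection</ShortMessage>
    <LongMessage>This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection</LongMessage>
    <Class classname="com.example.UserDao" primary="true"><SourceLine classname="com.example.UserDao" sourcefile="UserDao.java"/></Class>
    <SourceLine classname="com.example.UserDao" primary="true" start="23" end="23" sourcefile="UserDao.java"/>
  </BugInstance>
  <BugInstance type="WEAK_MESSAGE_DIGEST_MD5" priority="2" rank="14" abbrev="SECMD5" category="SECURITY">
    <LongMessage>This API java/security/MessageDigest.getInstance(Ljava/lang/String;)Ljava/security/MessageDigest; (MD5) is not a recommended cryptographic hash function</LongMessage>
    <Class classname="com.example.TokenUtil" primary="true"><SourceLine classname="com.example.TokenUtil" sourcefile="TokenUtil.java"/></Class>
    <SourceLine classname="com.example.TokenUtil" primary="true" start="12" end="12" sourcefile="TokenUtil.java"/>
  </BugInstance>
</BugCollection>
"""


def remediation_for(bug_type):
    """Return a hint for the first matching pattern prefix, or a pointer to the docs."""
    for prefix, hint in REMEDIATION_HINTS.items():
        if bug_type.startswith(prefix):
            return hint
    return "See Find Security Bugs documentation for " + bug_type


def parse_report(xml_text):
    """Extract one record per BugInstance, security findings first, then by priority and rank."""
    # ElementTree's expat backend does not fetch external entities, but it still expands
    # internal ones; parse reports from untrusted sources with defusedxml instead.
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        cls = bug.find("Class[@primary='true']")
        # Only direct-child SourceLine elements: the one nested under Class is the class span.
        line = bug.find("SourceLine[@primary='true']") or bug.find("SourceLine")
        message = bug.findtext("LongMessage") or bug.findtext("ShortMessage") or ""
        findings.append({
            "type": bug.get("type", ""),
            "priority": bug.get("priority", "3"),
            "rank": int(bug.get("rank", "20")),
            "category": bug.get("category", ""),
            "class": cls.get("classname") if cls is not None else "?",
            "line": line.get("start", "?") if line is not None else "?",
            "message": message.strip(),
        })
    findings.sort(key=lambda f: (f["category"] != "SECURITY", f["priority"], f["rank"]))
    return findings


def render_table(findings):
    """Render the findings in the skill's table layout (Markdown)."""
    rows = ["| # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |",
            "|---|----------|----------|----------|------------|---------|-------------|"]
    for i, f in enumerate(findings, 1):
        rows.append("| %d | %s | %s | %s | %s:%s | %s | %s |" % (
            i, PRIORITY_NAMES.get(f["priority"], f["priority"]), f["category"], f["type"],
            f["class"], f["line"], f["message"].replace("|", "\\|"), remediation_for(f["type"])))
    return "\n".join(rows)


def summarize(findings):
    """Totals by priority plus the count of security-category findings."""
    by_priority = Counter(PRIORITY_NAMES.get(f["priority"], f["priority"]) for f in findings)
    security = sum(1 for f in findings if f["category"] == "SECURITY")
    return {"total": len(findings), "security": security, "by_priority": dict(by_priority)}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_report(text)
    print(render_table(found))
    print(summarize(found))
```

Note that the sort key treats the priority attribute as a string; SpotBugs only emits single-digit priorities, so lexical and numeric order coincide. The `find("SourceLine[@primary='true']")` lookup deliberately searches direct children only, so the SourceLine nested inside the Class element (which spans the whole class, not the defect) is never mistaken for the finding's line.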

Key Find Security Bugs Categories

| Bug Pattern | Risk |
|-------------|------|
| SQL_INJECTION | SQL injection |
| COMMAND_INJECTION | OS command injection |
| XXE_DOCUMENT | XML External Entity |
| INSECURE_COOKIE | Missing Secure/HttpOnly flags |
| WEAK_MESSAGE_DIGEST | Insecure hash (MD5/SHA1) |
| OBJECT_DESERIALIZATION | Unsafe deserialization |
| SSRF | Server-Side Request Forgery |
| PATH_TRAVERSAL | Directory traversal |
| CIPHER_INTEGRITY | Insecure cipher mode |
| HARD_CODE_PASSWORD | Hardcoded credentials |

Several of these names are pattern families: the type attribute in the XML report carries the specific variant (for example SQL_INJECTION_JDBC, WEAK_MESSAGE_DIGEST_MD5, PATH_TRAVERSAL_IN), so match on the prefix when triaging. All Find Security Bugs findings are reported under category SECURITY, which distinguishes them from SpotBugs' own correctness and style detectors.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

Security

  • network-scan-nmap
  • malware-scan-yara
  • mobile-security-mobsf
  • dast-nuclei