sast-spotbugs
3 total installs
3 weekly installs
#56534 site-wide rank
Install command
npx skills add https://github.com/vchirrav/product-security-ai-skills --skill sast-spotbugs
Install distribution by agent: opencode 3, gemini-cli 3, antigravity 3, mistral-vibe 3, claude-code 3, github-copilot 3
Skill documentation
SAST Scan with SpotBugs + Find Security Bugs (Java)
You are a security engineer running static analysis on Java code using SpotBugs with the Find Security Bugs plugin.
When to use
Use this skill when asked to perform a SAST scan or security review on Java / JVM code.
Prerequisites
- SpotBugs installed with the Find Security Bugs plugin
- Maven: add `spotbugs-maven-plugin` + `findsecbugs-plugin` to `pom.xml`
- Gradle: add the `com.github.spotbugs` plugin + a `findsecbugs-plugin` dependency
- Verify: `spotbugs -version`
Instructions
- Identify the target: determine the Java project or compiled classes to scan.
- Run the scan:

  Maven:

  ```bash
  mvn spotbugs:check -Dspotbugs.plugins=com.h3xstream.findsecbugs:findsecbugs-plugin:LATEST
  mvn spotbugs:spotbugs   # generates the XML report
  ```

  Standalone CLI:

  ```bash
  spotbugs -textui -effort:max -low \
    -pluginList findsecbugs-plugin.jar \
    -xml:withMessages -output spotbugs-results.xml \
    ./target/classes
  ```

- Parse the results: read the XML output and present findings in this table:

  | # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |
  |---|----------|----------|----------|------------|---------|-------------|

- Summarize: provide total bugs by priority, critical security findings first, with remediation steps.
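The parse-and-summarize steps above, as an added example that is not part of the skill or of SpotBugs itself. It assumes the standard SpotBugs `BugCollection` XML layout as written by `-xml:withMessages` (a `BugInstance` per finding with `type`, `priority` and `category` attributes, a `ShortMessage`, a `Class` child and a primary `SourceLine`); the embedded report is constructed sample data, and the remediation hints are generic advice for the pattern families listed on this page, not text from Find Security Bugs.

```python
"""Parse a SpotBugs XML report (written with -xml:withMessages) into the
skill's findings table. Added example, not part of the skill; it assumes the
standard BugCollection layout (BugInstance with type/priority/category,
ShortMessage, Class, and a primary SourceLine). Sample input is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like SpotBugs output, deliberately out of order.
SAMPLE_XML = """<BugCollection version="4.8.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="DLS_DEAD_LOCAL_STORE" priority="2" rank="18" category="STYLE">
    <ShortMessage>Dead store to local variable</ShortMessage>
    <Class classname="com.example.Main"/>
    <SourceLine classname="com.example.Main" primary="true" start="9" end="9" sourcefile="Main.java"/>
  </BugInstance>
  <BugInstance type="WEAK_MESSAGE_DIGEST_MD5" priority="2" rank="12" category="SECURITY">
    <ShortMessage>MD5 is a weak hash function</ShortMessage>
    <Class classname="com.example.TokenUtil"/>
    <SourceLine classname="com.example.TokenUtil" primary="true" start="17" end="17" sourcefile="TokenUtil.java"/>
  </BugInstance>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="5" category="SECURITY">
    <ShortMessage>Potential SQL Injection</ShortMessage>
    <Class classname="com.example.UserDao"/>
    <SourceLine classname="com.example.UserDao" primary="true" start="42" end="42" sourcefile="UserDao.java"/>
  </BugInstance>
</BugCollection>
"""
PRIORITY_LABEL = {1: "High", 2: "Medium", 3: "Low"}
# Generic remediation per pattern family, matched as a substring of the bug
# type (SQL_INJECTION_JDBC, XXE_DOCUMENT, ...); unknown types get a pointer.
REMEDIATION = {
    "SQL_INJECTION": "Use PreparedStatement with bound parameters; never concatenate input into SQL.",
    "COMMAND_INJECTION": "Avoid shelling out; otherwise pass a fixed argv array and allow-list arguments.",
    "XXE_": "Disable DTDs and external entities on the XML parser factory.",
    "WEAK_MESSAGE_DIGEST": "Replace MD5/SHA-1 with SHA-256 or stronger.",
    "PATH_TRAVERSAL": "Canonicalize the path and verify it stays under the intended base directory.",
    "HARD_CODE_PASSWORD": "Move the secret to a vault or runtime configuration and rotate it.",
}


@dataclass
class Finding:
    bug_type: str
    priority: int
    category: str
    class_name: str
    line: Optional[int]
    message: str

    @property
    def location(self) -> str:
        return f"{self.class_name}:{self.line}" if self.line is not None else self.class_name

    @property
    def remediation(self) -> str:
        return next((hint for key, hint in REMEDIATION.items() if key in self.bug_type),
                    "See the Find Security Bugs documentation for this pattern.")


def _primary_line(inst: ET.Element) -> Optional[ET.Element]:
    # Several direct SourceLine children are possible; primary="true" is the finding site.
    lines = inst.findall("SourceLine")
    return next((sl for sl in lines if sl.get("primary") == "true"), lines[0] if lines else None)


def parse_report(xml_text: str) -> list:
    """Return findings sorted SECURITY-first, then by priority (1 = highest)."""
    # Our own tool's output; stdlib ElementTree does not fetch external entities either.
    findings = []
    for inst in ET.fromstring(xml_text).iter("BugInstance"):
        cls, sl = inst.find("Class"), _primary_line(inst)
        findings.append(Finding(
            bug_type=inst.get("type", ""),
            priority=int(inst.get("priority", "3")),
            category=inst.get("category", ""),
            class_name=cls.get("classname", "?") if cls is not None else "?",
            line=int(sl.get("start")) if sl is not None and sl.get("start") else None,
            message=(inst.findtext("ShortMessage") or inst.findtext("LongMessage") or "").strip(),
        ))
    findings.sort(key=lambda f: (f.category != "SECURITY", f.priority, f.location))
    return findings


def summarize(findings: list) -> dict:
    # Totals for the summary step: overall, security-only, and per priority label.
    return {"total": len(findings),
            "security": sum(f.category == "SECURITY" for f in findings),
            "by_priority": dict(Counter(PRIORITY_LABEL.get(f.priority, str(f.priority)) for f in findings))}


def render_table(findings: list) -> str:
    # Markdown table in the column order the skill asks for.
    rows = ["| # | Priority | Category | Bug Type | Class:Line | Finding | Remediation |",
            "|---|----------|----------|----------|------------|---------|-------------|"]
    for i, f in enumerate(findings, 1):
        rows.append(f"| {i} | {PRIORITY_LABEL.get(f.priority, f.priority)} | {f.category} | "
                    f"{f.bug_type} | {f.location} | {f.message} | {f.remediation} |")
    return "\n".join(rows)


if __name__ == "__main__":  # for a real scan, pass the contents of spotbugs-results.xml instead
    fs = parse_report(SAMPLE_XML)
    print(render_table(fs))
    print(summarize(fs))
```

Sorting on `(category != "SECURITY", priority, location)` is what puts the critical security findings at the top of the table as the Summarize step requires; non-security SpotBugs categories (STYLE, PERFORMANCE, ...) still appear, but after them, so the triage order is visible without a second pass over the report.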
Key Find Security Bugs Categories
| Bug Pattern | Risk |
|---|---|
| SQL_INJECTION | SQL injection |
| COMMAND_INJECTION | OS command injection |
| XXE_DOCUMENT | XML External Entity |
| INSECURE_COOKIE | Missing Secure/HttpOnly flags |
| WEAK_MESSAGE_DIGEST | Insecure hash (MD5/SHA1) |
| OBJECT_DESERIALIZATION | Unsafe deserialization |
| SSRF | Server-Side Request Forgery |
| PATH_TRAVERSAL | Directory traversal |
| CIPHER_INTEGRITY | Insecure cipher mode |
| HARD_CODE_PASSWORD | Hardcoded credentials |