OWASP Find Security Bugs


Find Security Bugs is a SpotBugs plugin for security audits of Java web applications and Android applications. It can detect 128 different vulnerability types, including Command Injection, XPath Injection, SQL/HQL Injection, XXE and cryptography weaknesses. SpotBugs is a static analysis tool that inspects compiled JVM bytecode; it targets Java but therefore also works with Groovy, Scala and Kotlin projects.

This software is released under the LGPL.
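As an added illustration of the kind of defect the plugin reports (this is example code written for this page, not part of Find Security Bugs or SpotBugs), the class below puts a JDBC query built by string concatenation next to its parameterised form. The class name, the `users` table and the column names are hypothetical; the bug pattern identifier `SQL_INJECTION_JDBC` is the one Find Security Bugs uses for this case.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Hypothetical data-access class used only to show a Find Security Bugs
 * finding and the corresponding fix. The table and column names are made up.
 */
public class UserLookup {

    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    /**
     * Vulnerable: the caller-supplied value is concatenated straight into
     * the SQL text, so input such as  x' OR '1'='1  rewrites the query.
     * Find Security Bugs flags this method as SQL_INJECTION_JDBC.
     */
    public ResultSet findByNameVulnerable(String name) throws SQLException {
        Statement st = conn.createStatement();
        String sql = "SELECT id, email FROM users WHERE name = '" + name + "'";
        return st.executeQuery(sql);
    }

    /**
     * Fixed: the query text is a constant and the value is bound as a
     * parameter, so it is sent to the database as data, never as SQL.
     * The detector sees a constant query string and does not report it.
     */
    public ResultSet findByNameSafe(String name) throws SQLException {
        PreparedStatement ps =
            conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

When the plugin is run over the compiled class (for example through `spotbugs-maven-plugin` with the `com.h3xstream.findsecbugs:findsecbugs-plugin` artifact added as a plugin dependency), only `findByNameVulnerable` is reported; the report names the method and the line of the `executeQuery` call. The same concatenation-versus-binding distinction is what the detectors look for in the other injection categories listed above.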


These are the current priorities:

  • Release a new version every few months.
  • Improve the quality of the static analysis detectors.
  • Keep looking for new vulnerability classes and implement detectors for them where there is an opportunity.
  • Improve the documentation for new contributors.

The complete roadmap is kept up to date on GitHub in the milestones section.

Getting Involved

Involvement in the development and promotion of Find Security Bugs is actively encouraged!

You can contribute by:

Project Sponsors

The project's development is supported by GoSecure since 2016.


Project Resources

Project Leader

Philippe Arteau
