A framework-aware static analysis platform for Maven, Gradle, and SpotBugs. It blocks your CI/CD pipeline when it detects dangerous code, hardcoded secrets, or bad architectural practices.
Spring Sentinel supports Maven, Gradle, and SpotBugs integrations. Choose your preferred workflow and run Spring-aware static analysis directly in your CI/CD pipeline.
<plugin>
<groupId>io.github.pagano-antonio</groupId>
<artifactId>spring-sentinel-maven-plugin</artifactId>
<version>2.0.0</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>audit</goal>
</goals>
</execution>
</executions>
<configuration>
<profile>strict</profile>
<failOnError>false</failOnError>
</configuration>
</plugin>Run the audit:
Reports:
plugins {
id "io.github.pagano-antonio.spring-sentinel" version "2.0.0"
}
springSentinel {
profile = "strict"
failOnError = false
}Run the audit:
Reports:
Spring Sentinel 2.0.0 introduces a new multi-module structure. Existing 1.x users can keep using the old artifact, but when upgrading to 2.0.0 the Maven plugin artifact has changed.
Old 1.x artifact:
New 2.0 artifact:
Spring Sentinel can now run directly inside existing SpotBugs workflows. The SpotBugs extension provides Spring-specific bytecode analysis while integrating seamlessly with existing CI/CD pipelines.
| Rule ID | Description |
|---|---|
| ARCH-002 | Detects field injection using @Autowired and @Inject. |
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.9.3.0</version>
<dependencies>
<dependency>
<groupId>io.github.pagano-antonio</groupId>
<artifactId>spring-sentinel-spotbugs-plugin</artifactId>
<version>2.1.0</version>
</dependency>
</dependencies>
</plugin>Run SpotBugs:
Note: The SpotBugs integration currently supports only rules that can be reliably evaluated from compiled bytecode. Source-based and configuration-based checks remain available through the Maven and Gradle plugins.
Standard linters check syntax. We check your Spring architecture. Here is a taste of what Sentinel catches before your build fails.
Scans JPA entities for FetchType.EAGER to prevent unnecessary loading of complex object graphs, which causes memory overhead and performance degradation.
Identifies collection getters called within loops, a common cause of database performance issues.
Detects blocking I/O or network calls within @Transactional methods to prevent connection pool exhaustion.
Checks class fields and properties for sensitive variable names that do not use environment variable placeholders.
Reports the use of the wildcard in @CrossOrigin annotations, which poses a significant security risk to production APIs.
Reports the use of @Autowired on private fields, encouraging constructor injection for better testability and immutability.
Monitors the number of dependencies in a class and suggests refactoring into smaller services if the limit is exceeded.
Detects manual thread creation and suggests the use of managed @Async tasks.
Ensures that endpoint URLs follow the kebab-case convention rather than camelCase or snake_case.