{"id":18456989,"url":"https://github.com/spotbugs/spotbugs-gradle-plugin","last_synced_at":"2026-05-02T21:04:57.400Z","repository":{"id":26330628,"uuid":"108206635","full_name":"spotbugs/spotbugs-gradle-plugin","owner":"spotbugs","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-15T21:02:10.000Z","size":4691,"stargazers_count":188,"open_issues_count":57,"forks_count":70,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-05-15T21:46:54.414Z","etag":null,"topics":["gradle-plugin","hacktoberfest","spotbugs","spotbugs-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.gradle.org/plugin/com.github.spotbugs","language":"Groovy","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spotbugs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["KengoTODA"]}},"created_at":"2017-10-25T01:59:52.000Z","updated_at":"2025-05-15T20:57:04.000Z","dependencies_parsed_at":"2023-12-24T01:35:18.451Z","dependency_job_id":"ded20067-3337-42ce-8312-db2a8ae51781","html_url":"https://github.com/spotbugs/spotbugs-gradle-plugin","commit_stats":null,"previous_names":[],"tags_count":141,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotbugs%2Fspotbugs-gradle-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotbugs%2Fspotbugs-gradle-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotbugs%2Fspotbugs-gradle-plugin/rel
eases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spotbugs%2Fspotbugs-gradle-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spotbugs","download_url":"https://codeload.github.com/spotbugs/spotbugs-gradle-plugin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254544146,"owners_count":22088807,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gradle-plugin","hacktoberfest","spotbugs","spotbugs-plugin"],"created_at":"2024-11-06T08:13:13.066Z","updated_at":"2026-05-02T21:04:57.394Z","avatar_url":"https://github.com/spotbugs.png","language":"Groovy","funding_links":["https://github.com/sponsors/KengoTODA"],"categories":[],"sub_categories":[],"readme":"# SpotBugs Gradle Plugin\n\nThis is the official Gradle Plugin to run SpotBugs on Java and Android project.\n\n![](https://github.com/spotbugs/spotbugs-gradle-plugin/workflows/Java%20CI/badge.svg)\n[![Coverage Status](https://sonarcloud.io/api/project_badges/measure?project=com.github.spotbugs.gradle\u0026metric=coverage)](https://sonarcloud.io/component_measures?id=com.github.spotbugs.gradle\u0026metric=coverage)\n[![Debt](https://sonarcloud.io/api/project_badges/measure?project=com.github.spotbugs.gradle\u0026metric=sqale_index)](https://sonarcloud.io/component_measures/domain/Maintainability?id=com.github.spotbugs.gradle)\n[![Gradle Plugin 
Portal](https://img.shields.io/maven-metadata/v?label=Plugin+Portal\u0026metadataUrl=https%3A%2F%2Fplugins.gradle.org%2Fm2%2Fcom%2Fgithub%2Fspotbugs%2Fcom.github.spotbugs.gradle.plugin%2Fmaven-metadata.xml)](https://plugins.gradle.org/plugin/com.github.spotbugs)\n[![](https://img.shields.io/badge/groovydoc-latest-blightgreen?logo=groovy)](https://spotbugs.github.io/spotbugs-gradle-plugin/spotbugs-gradle-plugin/com.github.spotbugs.snom/index.html)\n\n## Goal\n\nThis Gradle plugin is designed to solve the following problems in the legacy plugin:\n\n- [x] Remove any dependency on the Gradle's internal API\n- [x] Solve mutability problem for the build contains multiple projects and/or sourceSet\n- [x] Native Support for [the Parallel Build](https://guides.gradle.org/using-the-worker-api/)\n- [ ] Native Support for [the Android project](https://developer.android.com/studio/build/gradle-tips)\n- [x] Missing user document about how to use extension and task\n\n## Usage\n\n### Apply to your project\n\nApply the plugin to your project.\nRefer [the Gradle Plugin portal](https://plugins.gradle.org/plugin/com.github.spotbugs) about the detail of installation procedure.\n\n### Configure SpotBugs Plugin\n\nConfigure `spotbugs` extension to configure the behaviour of tasks:\n\n```kotlin\n// require Gradle 8.2+\nimport com.github.spotbugs.snom.Confidence\nimport com.github.spotbugs.snom.Effort\nspotbugs {\n    ignoreFailures = false\n    showStackTraces = true\n    showProgress = true\n    effort = Effort.DEFAULT\n    reportLevel = Confidence.DEFAULT\n    visitors = listOf(\"FindSqlInjection\", \"SwitchFallthrough\")\n    omitVisitors = listOf(\"FindNonShortCircuit\")\n    chooseVisitors = listOf(\"-FindNonShortCircuit\", \"+TestASM\")\n    reportsDir = file(\"$buildDir/spotbugs\")\n    includeFilter = file(\"include.xml\")\n    excludeFilter = file(\"exclude.xml\")\n    baselineFile = file(\"baseline.xml\")\n    onlyAnalyze = listOf(\"com.foobar.MyClass\", 
\"com.foobar.mypkg.*\")\n    maxHeapSize = \"1g\"\n    extraArgs = listOf(\"-nested:false\")\n    jvmArgs = listOf(\"-Duser.language=ja\")\n}\n```\n\n\u003cdetails\u003e\n\u003csummary\u003ewith Groovy DSL\u003c/summary\u003e\n\n```groovy\nimport com.github.spotbugs.snom.Confidence\nimport com.github.spotbugs.snom.Effort\nspotbugs {\n    ignoreFailures = false\n    showStackTraces = true\n    showProgress = true\n\n    // https://discuss.kotlinlang.org/t/bug-cannot-use-kotlin-enum-from-groovy/1521\n    // https://touk.pl/blog/2018/05/28/testing-kotlin-with-spock-part-2-enum-with-instance-method/\n    effort = Effort.valueOf('DEFAULT')\n    reportLevel = Confidence.valueOf('DEFAULT')\n\n    visitors = [ 'FindSqlInjection', 'SwitchFallthrough' ]\n    omitVisitors = [ 'FindNonShortCircuit' ]\n    chooseVisitors = [ '-FindNonShortCircuit', '+TestASM' ]\n    reportsDir = file(\"$buildDir/spotbugs\")\n    includeFilter = file(\"include.xml\")\n    excludeFilter = file(\"exclude.xml\")\n    baselineFile = file(\"baseline.xml\")\n    onlyAnalyze = [ 'com.foobar.MyClass', 'com.foobar.mypkg.*' ]\n    maxHeapSize = '1g'\n    extraArgs = [ '-nested:false' ]\n    jvmArgs = [ '-Duser.language=ja' ]\n}\n```\n\u003c/details\u003e\n\nConfigure `spotbugsPlugin` to apply any SpotBugs plugin:\n\n```kotlin\ndependencies {\n    spotbugsPlugins(\"com.h3xstream.findsecbugs:findsecbugs-plugin:1.14.0\")\n}\n```\n\n\u003cdetails\u003e\n\u003csummary\u003ewith Groovy DSL\u003c/summary\u003e\n\n```groovy\ndependencies {\n    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.14.0'\n}\n```\n\u003c/details\u003e\n\nConfigure `spotbugs` to choose your favorite SpotBugs version:\n\n```kotlin\ndependencies {\n    spotbugs(\"com.github.spotbugs:spotbugs:4.9.3\")\n}\n```\n\n\n\u003cdetails\u003e\n\u003csummary\u003ewith Groovy DSL\u003c/summary\u003e\n\n```groovy\ndependencies {\n    spotbugs 'com.github.spotbugs:spotbugs:4.9.3'\n}\n```\n\u003c/details\u003e\n\n### Apply to Java 
project\n\nApply this plugin with [the `java` plugin](https://docs.gradle.org/current/userguide/java_plugin.html) to your project,\nthen [`SpotBugsTask`](https://spotbugs.github.io/spotbugs-gradle-plugin/spotbugs-gradle-plugin/com.github.spotbugs.snom/-spot-bugs-task/index.html) will be generated for each existing sourceSet.\n\nIf you want to create and configure `SpotBugsTask` by own, apply the base plugin (`com.github.spotbugs-base`) instead, then it won't create tasks automatically.\n\n### Apply to Android project\n\nTBU\n\n### Configure the SpotBugsTask\n\nConfigure [`SpotBugsTask`](https://spotbugs.github.io/spotbugs-gradle-plugin/spotbugs-gradle-plugin/com.github.spotbugs.snom/-spot-bugs-task/index.html) directly,\nto set task-specific properties.\n\n```kotlin\n// require Gradle 8.2+\ntasks.spotbugsMain {\n    reports.create(\"html\") {\n        required = true\n        outputLocation = file(\"$buildDir/reports/spotbugs.html\")\n        setStylesheet(\"fancy-hist.xsl\")\n    }\n}\n```\n\n\u003cdetails\u003e\n\u003csummary\u003ewith Groovy DSL\u003c/summary\u003e\n    \n```groovy\n// Example to configure HTML report\nspotbugsMain {\n    reports {\n        html {\n            required = true\n            outputLocation = file(\"$buildDir/reports/spotbugs/main/spotbugs.html\")\n            stylesheet = 'fancy-hist.xsl'\n        }\n    }\n}\n```\n\u003c/details\u003e\n\n### Migration guides\n\n- [v4 to v5: Bump up Gradle to v7 or later](https://github.com/spotbugs/spotbugs-gradle-plugin/releases/tag/5.0.0)\n- [v5 to v6: Bump up Gradle to v7.1 or later, and update the `effort` and `reportLevel` properties of `SpotBugsTask` and `SpotBugsExtension` to enum value](https://github.com/spotbugs/spotbugs-gradle-plugin/releases/tag/6.0.0)\n\n## SpotBugs version mapping\n\nBy default, this Gradle Plugin uses the SpotBugs version listed in the following table.\n\nYou can change SpotBugs version by [the `toolVersion` property of the spotbugs 
extension](https://spotbugs.github.io/spotbugs-gradle-plugin/spotbugs-gradle-plugin/com.github.spotbugs.snom/-spot-bugs-extension/index.html#674051637%2FProperties%2F769193423) or the `spotbugs` configuration.\n\n| Gradle Plugin | SpotBugs |\n|--------------:|---------:|\n|         6.4.4 |    4.9.8 |\n|         6.4.3 |    4.9.7 |\n|         6.4.2 |    4.9.6 |\n|         6.4.1 |    4.9.5 |\n|         6.2.4 |    4.9.4 |\n|         6.2.0 |    4.9.3 |\n|        6.1.13 |    4.8.6 |\n|        6.0.18 |    4.8.6 |\n|        6.0.14 |    4.8.5 |\n|        6.0.10 |    4.8.4 |\n|         6.0.3 |    4.8.3 |\n|         6.0.0 |    4.8.2 |\n|         5.2.5 |    4.8.2 |\n|         5.2.3 |    4.8.1 |\n|         5.1.5 |    4.8.0 |\n|        5.0.13 |    4.7.3 |\n|        5.0.12 |    4.7.2 |\n|         5.0.9 |    4.7.1 |\n|         5.0.7 |    4.7.0 |\n|         5.0.4 |    4.5.3 |\n|         5.0.3 |    4.5.2 |\n|         5.0.2 |    4.5.1 |\n\n### Refer the version in the build script\n\nFrom v4, the `spotbugs.toolVersion` is changed from `String` to [`Provider\u003cString\u003e`](https://docs.gradle.org/current/javadoc/org/gradle/api/provider/Property.html), so use `get()` or other methods to refer to the actual version.\n\n```groovy\ndependencies {\n    compileOnly \"com.github.spotbugs:spotbugs-annotations:${spotbugs.toolVersion.get()}\"\n}\n```\n\n\u003cdetails\u003e\n\u003csummary\u003ewith Kotlin DSL\u003c/summary\u003e\n\n```kotlin\ndependencies {\n    compileOnly(\"com.github.spotbugs:spotbugs-annotations:${spotbugs.toolVersion.get()}\")\n}\n```\n\u003c/details\u003e\n\n## Development\n### Setup\n* development requires java 17 or higher to be installed\n* The CI server uses `ubuntu-latest` docker image, but you should be able to develop on any linux/unix based OS.\n* before creating commits\n  * read https://www.conventionalcommits.org/en\n  * Optionally create the following script in your .git/hooks directory and name it commit.msg. 
This will ensure that your commits follow the conventional commits pattern.\n```python\n#!/usr/bin/env python\nimport re, sys\n\n# turn off the traceback as it doesn't help readability\nsys.tracebacklimit = 0\n\ndef main():\n    # example:\n    # feat(apikey): added the ability to add api key to configuration\n    pattern = r'(build|ci|docs|feat|fix|perf|refactor|style|test|chore|revert)(\\([\\w\\-]+\\))?:\\s.*'\n    # git passes the path of the commit message file as the first argument\n    filename = sys.argv[1]\n    with open(filename, 'r') as f:\n        ss = f.read()\n    m = re.match(pattern, ss)\n    if m is None:\n        raise Exception(\"Conventional commit validation failed. Did you forget to add one of the allowed prefixes? (build|ci|docs|feat|fix|perf|refactor|style|test|chore|revert)\")\n\nif __name__ == \"__main__\":\n    main()\n  ```\n* when running Gradle, do so using the `gradlew` script in this directory\n\n### Signing Artifacts\nSince version 4.3, we sign artifacts when we publish them. The build is designed to still pass if you don't have the signing keys available, so pull requests and forked repos still work as before.\n\nBefore the GitHub workflow can sign the artifacts generated during the build, we first need to generate PGP keys (you will have to do this again when the key expires; once a year is a good timeframe) and upload them to the servers. 
See https://www.gnupg.org/faq/gnupg-faq.html#starting_out for more details.\n\nThat means GitHub needs the following secrets:\n```\nSIGNING_KEY = \"-----BEGIN PGP PRIVATE KEY BLOCK-----...\"\nSIGNING_PASSWORD = password\n```\nwhere `secrets.SIGNING_KEY` is the in-memory ASCII-armored key (you get this by running `gpg --armor --export-secret-keys \u003cEMAIL\u003e`)\nand `secrets.SIGNING_PASSWORD` is the password you used when generating the key.\n\nGradle is configured to use these to generate the private key in memory, so as to minimize the risk of the keys being found and used by someone else.\n\n## Copyright\n\nCopyright \u0026copy; 2019-present SpotBugs Team\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspotbugs%2Fspotbugs-gradle-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspotbugs%2Fspotbugs-gradle-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspotbugs%2Fspotbugs-gradle-plugin/lists"}