
Stop Spring Boot Anti-Patterns Before Production.

A framework-aware static analysis plugin for Maven and Gradle. It blocks your CI/CD pipeline when it detects dangerous code, hardcoded secrets, or bad architectural practices.


Quick Start

Spring Sentinel 2.0.0 supports both Maven and Gradle. Choose your build tool and run the audit in your CI/CD pipeline. Note that with failOnError set to false, as in the snippets below, findings are reported but do not fail the build; set it to true once you want the pipeline to block on them.

Maven

<plugin>
    <groupId>io.github.pagano-antonio</groupId>
    <artifactId>spring-sentinel-maven-plugin</artifactId>
    <version>2.0.0</version>
    <executions>
        <execution>
            <phase>verify</phase>
            <goals>
                <goal>audit</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <profile>strict</profile>
        <failOnError>false</failOnError>
    </configuration>
</plugin>

Run the audit:

mvn spring-sentinel:audit

Reports:

target/spring-sentinel-reports/

Gradle

plugins {
    id "io.github.pagano-antonio.spring-sentinel" version "2.0.0"
}

springSentinel {
    profile = "strict"
    failOnError = false
}

Run the audit:

gradle springSentinelAudit

Reports:

build/spring-sentinel-reports/

Upgrading from 1.x?

Spring Sentinel 2.0.0 introduces a new multi-module structure. Existing 1.x users can keep using the old artifact, but when upgrading to 2.0.0 note that the Maven plugin artifact coordinates have changed.

Old 1.x artifact:

io.github.pagano-antonio:SpringSentinel

New 2.0 artifact:

io.github.pagano-antonio:spring-sentinel-maven-plugin

Comprehensive Ruleset

Standard linters check syntax. We check your Spring architecture. Here is a taste of what Sentinel catches before your build fails.

🐢 JPA Eager Fetching

Scans JPA entities for FetchType.EAGER to prevent unnecessary loading of complex object graphs, which causes memory overhead and performance degradation.

🔄 N+1 Query Potential

Identifies collection getters called within loops, a common cause of database performance issues.

🛑 Blocking Calls in Transactions

Detects blocking I/O or network calls within @Transactional methods to prevent connection pool exhaustion.
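The three rules above target the same persistence layer, so one added example (written for this page, not code from the Spring Sentinel project) shows each flagged pattern next to its corrected form as the rule descriptions characterize them. The entity, repository and service names, the pricing endpoint URL and the exact detection heuristics are assumptions for illustration.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.FetchType;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.ManyToOne;
import jakarta.persistence.OneToMany;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;

// --- JPA Eager Fetching ----------------------------------------------------
@Entity
class Order {
    @Id @GeneratedValue private Long id;
    private String quotedPrice;
    // Flagged form: @OneToMany(mappedBy = "order", fetch = FetchType.EAGER)
    // pulls every item row whenever an Order is loaded, used or not.
    // Corrected form: leave the collection lazy and fetch it explicitly when needed.
    @OneToMany(mappedBy = "order", fetch = FetchType.LAZY)
    private List<OrderItem> items;
    public List<OrderItem> getItems() { return items; }
    public void setQuotedPrice(String quotedPrice) { this.quotedPrice = quotedPrice; }
}

@Entity
class OrderItem {
    @Id @GeneratedValue private Long id;
    @ManyToOne private Order order;
}

interface OrderRepository extends JpaRepository<Order, Long> {
    // One query that brings the items along instead of one query per order.
    @Query("select distinct o from Order o left join fetch o.items")
    List<Order> findAllWithItems();
}

// --- N+1 Query Potential ---------------------------------------------------
@Service
class OrderReportService {
    private final OrderRepository orders;
    OrderReportService(OrderRepository orders) { this.orders = orders; }

    // Flagged form: getItems() inside the loop lazily loads one collection per order.
    @Transactional(readOnly = true)
    long countItemsNPlusOne() {
        long total = 0;
        for (Order o : orders.findAll()) {
            total += o.getItems().size();   // extra SELECT on every iteration
        }
        return total;
    }

    // Corrected form: the fetch join has already populated every collection.
    @Transactional(readOnly = true)
    long countItems() {
        long total = 0;
        for (Order o : orders.findAllWithItems()) {
            total += o.getItems().size();   // no additional query
        }
        return total;
    }
}

// --- Blocking Calls in Transactions ----------------------------------------
@Service
class OrderSyncService {
    private final HttpClient http = HttpClient.newHttpClient();
    private final OrderPersistence persistence;
    // Hypothetical remote pricing service.
    private final URI pricingEndpoint = URI.create("https://pricing.example.invalid/quote");
    OrderSyncService(OrderPersistence persistence) { this.persistence = persistence; }

    // Flagged form: a pooled DB connection is held for the whole HTTP round trip.
    @Transactional
    void syncBlocking(Long orderId) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(pricingEndpoint).GET().build();
        String quote = http.send(request, HttpResponse.BodyHandlers.ofString()).body(); // blocks inside tx
        persistence.applyQuote(orderId, quote);
    }

    // Corrected form: network I/O first, then a short DB-only transaction in another bean
    // (a separate bean so the @Transactional proxy is actually applied).
    void sync(Long orderId) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(pricingEndpoint).GET().build();
        String quote = http.send(request, HttpResponse.BodyHandlers.ofString()).body();
        persistence.applyQuote(orderId, quote);
    }
}

@Component
class OrderPersistence {
    private final OrderRepository orders;
    OrderPersistence(OrderRepository orders) { this.orders = orders; }

    @Transactional
    void applyQuote(Long orderId, String quote) {
        orders.findById(orderId).orElseThrow().setQuotedPrice(quote);  // flushed on commit
    }
}
```

The corrected countItems() still calls a collection getter inside a loop, so a purely syntactic check may keep reporting it; what removes the N+1 behaviour is the fetch-join query, not the loop shape. The transaction split matters because the connection pool is sized for short transactions: one slow upstream call per request with the connection still checked out is enough to exhaust it under load.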

🔑 Hardcoded Secrets

Checks class fields and properties for sensitive variable names that do not use environment variable placeholders.

🔓 Insecure CORS Policy

Reports the use of the wildcard origin (*) in @CrossOrigin annotations, which allows any site to call the endpoint and poses a significant security risk to production APIs.

💉 Field Injection Anti-Pattern

Reports the use of @Autowired on private fields, encouraging constructor injection for better testability and immutability.

📦 Component Overflow

Monitors the number of dependencies in a class and suggests refactoring into smaller services if the limit is exceeded.

⚙️ Manual Thread Creation

Detects manual thread creation and suggests the use of managed @Async tasks.

🔗 Enforce Kebab-Case URLs

Ensures that endpoint URLs follow the kebab-case convention rather than camelCase or snake_case.
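The Hardcoded Secrets, Insecure CORS Policy, Field Injection and Kebab-Case URL rules all show up in a single controller, so one added example (written for this page, not code from the Spring Sentinel project) puts the flagged class beside its corrected form. The PaymentGateway interface, the class and property names, the origin allow-list and the key value are constructed for illustration; the key literal is a placeholder, not a real credential.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical collaborator; the controllers only need this interface.
interface PaymentGateway {
    String charge(String apiKey, String amount);
}

// --- Flagged form: four rules fire on this one class -----------------------
@RestController
@CrossOrigin(origins = "*")                       // Insecure CORS Policy: any site may call this API
class LegacyPaymentController {
    // Hardcoded Secrets: a sensitive field name holding a literal value.
    // (Constructed placeholder, not a real key.)
    private static final String PAYMENT_API_KEY = "sk_live_PLACEHOLDER_NOT_A_REAL_KEY";

    @Autowired                                    // Field Injection Anti-Pattern
    private PaymentGateway gateway;

    @PostMapping("/legacyCharge")                 // Enforce Kebab-Case URLs: camelCase path
    String charge(@RequestBody String amount) {
        return gateway.charge(PAYMENT_API_KEY, amount);
    }
}

// --- Corrected form ----------------------------------------------------------
@RestController
class PaymentController {
    private final PaymentGateway gateway;
    private final String apiKey;

    // Constructor injection: dependencies are explicit, final and easy to fake in tests.
    // The key comes from configuration; application.properties holds only a
    // placeholder that resolves from the environment at start-up:
    //   payment.api-key=${PAYMENT_API_KEY}
    PaymentController(PaymentGateway gateway, @Value("${payment.api-key}") String apiKey) {
        this.gateway = gateway;
        this.apiKey = apiKey;
    }

    @PostMapping("/payment-charge")               // kebab-case path
    String charge(@RequestBody String amount) {
        return gateway.charge(apiKey, amount);
    }
}

// CORS is configured once, from an explicit origin allow-list in configuration
// (for example app.cors.allowed-origins=https://shop.example.com), not a wildcard.
@Configuration
class CorsConfig implements WebMvcConfigurer {
    private final String[] allowedOrigins;

    CorsConfig(@Value("${app.cors.allowed-origins}") String[] allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/payment-charge")
                .allowedOrigins(allowedOrigins)
                .allowedMethods("POST");
    }
}
```

Moving the key into a property that itself references an environment variable is what keeps the literal out of the repository and out of the build artifact; the rule's check for "environment variable placeholders" is looking for exactly that ${...} indirection. Spring converts the comma-separated allow-list into the String[] parameter, so several trusted origins can be listed without touching code.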

View all 19+ inspection rules on GitHub