Skip to content
This documentation applies to Codacy Self-hosted v11.0.0

For the latest updates and improvements, see the latest Cloud documentation instead.

Running SpotBugs#

To run SpotBugs as a client-side tool:

  1. Enable SpotBugs and configure the corresponding code patterns on your repository Code patterns page.

  2. Enable Run analysis on your build server on your repository Settings, tab General, Repository analysis.

    This setting enables Codacy to wait for the results of the local analysis before resuming the analysis of your commits.

    Run analysis on your build server

  3. Set up an API token to authenticate on Codacy:

    • If you're setting up one repository, obtain a project API token and set the following environment variable to specify your project API token:

      export CODACY_PROJECT_TOKEN=<your project API token>
    • If you're setting up multiple repositories, obtain an account API Token and set the following environment variable to specify the account API token:

      export CODACY_API_TOKEN=<your account API token>


    Never write API tokens to your configuration files and keep your API tokens well protected, as they grant owner permissions to your projects on Codacy.

    We recommend that you set API tokens as environment variables. Check the documentation of your CI/CD platform on how to do this.

  4. If you're using Codacy Self-hosted set the following environment variable to specify your Codacy instance URL:

    export CODACY_API_BASE_URL=<your Codacy instance URL>
  5. Compile your Java or Scala repository on your build server, as you would normally do.

  6. Download and run the Codacy Analysis CLI on the root of the repository, specifying the tool SpotBugs.

    codacy-analysis-cli analyze --tool spotbugs \
                                --allow-network \
                                --upload \

    If you're using an account API token, you must also provide the flags --provider, --username, and --project. You can obtain the values for these flags from the URL of your repository dashboard on Codacy:

    codacy-analysis-cli analyze --provider <gh, ghe, gl, gle, bb, or bbe> \
                                --username <name of your Codacy organization> \
                                --project <name of your repository> \
                                --tool spotbugs \
                                --allow-network \
                                --upload \

The Codacy Analysis CLI runs SpotBugs on the compiled classes of your repository and uploads the results to Codacy so you can use them in your workflow.

Detecting sources and compiled classes#

The Codacy Analysis CLI tries to find the compiled classes and map results to the source files automatically. If you use Maven, Gradle, or sbt the Codacy Analysis CLI also detects the default layouts automatically.

If there is an issue with detection, you can configure these paths manually by adding a .codacy.yml Codacy configuration file to the root of the repository:

      - classesDirectories: [ "core/target/classes" ]
        sourceDirectories:  [ "core/src/main" ]
      - classesDirectories: [ "api/target/classes" ]
        sourceDirectories:  [ "api/src/main" ]

Increasing the timeout to run SpotBugs#

When running SpotBugs on the compiled classes of larger projects, the default execution timeout of 15 minutes may not be enough for SpotBugs to complete the analysis.

To increase the timeout that SpotBugs has to execute, use the option --tool-timeout when running the Codacy Analysis CLI. For example, use --tool-timeout 1hour to set the timeout to one hour.

Advanced configuration#

See the available Codacy Analysis CLI configuration flags to configure running SpotBugs in more advanced scenarios.

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

If you have a question or need help please contact

Last modified October 19, 2022