JavaPerf analyzes your Java & Spring codebase for N+1 queries, Hibernate anti-patterns, OWASP security vulnerabilities and more — in seconds. Now with live runtime monitoring.
// 🔴 N+1 Query — detected by JavaPerf
for (Long id : userIds) {
    orderRepo.findByUserId(id);
}

// 🔴 SQL Injection — detected by JavaPerf
em.createQuery("SELECT u FROM User u WHERE u.name = '" + name + "'");

// 🔴 Hardcoded secret — detected by JavaPerf
String apiKey = "sk_live_4f8a9b2c...";
Covering performance, security, and best practices for Java & Spring — from static code to live runtime.
N+1 queries, unbounded findAll(), dirty checking in loops, EAGER collections, missing indexes, connection pool anti-patterns.
SQL injection, hardcoded secrets, weak cryptography, broken access control, SSRF, insecure deserialization, vulnerable components and more.
String concatenation in loops, large object allocations, persistence context bloat, unnecessary GC pressure.
Thread creation in loops, @Async + @Transactional issues, connection pool starvation, Future.get() inside transactions.
@Transactional on private methods, missing readOnly=true, HTTP calls inside transactions, Spring Security misconfigurations.
Attach a JVM agent to your running app. Detect slow methods, confirm N+1 queries at runtime, monitor heap and thread usage live.
Automatically detects your stack from pom.xml or build.gradle. Adapts rules for Spring Boot, Wildfly, Quarkus, Jakarta EE.
Choose the method that fits your workflow.
Zip your project or paste a public GitHub URL. Results in seconds.
zip -r project.zip ./src
Your code never leaves your machine. Only results are sent.
npm i -g @javaperf/cli
javaperf analyze .
JVM agent attached to your running app. Detects slow methods and confirms N+1 in real time.
javaperf monitor \
--app "java -jar app.jar"
Static analysis tells you what could be slow. Dynamic monitoring tells you what is slow — with real invocation counts, real heap usage.
JavaPerf covers all 10 OWASP categories with security rules specifically designed for Java, Spring Boot, and enterprise frameworks.
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable Components
Authentication Failures
Software Integrity
Logging Failures
SSRF
String concatenation in queries, Runtime.exec(), JNDI injection (Log4Shell)
Hardcoded passwords/tokens, MD5/SHA1/DES, AES/ECB mode, weak random
CSRF disabled, CORS wildcard, permitAll(), missing @PreAuthorize
Deprecated Spring Security, Jackson type confusion CVE, XXE parsers
RestTemplate/WebClient with user URL, new URL(variable), openConnection()
Passwords in logs, printStackTrace(), exception details in responses
Connect JavaPerf to the tools your team already uses.
$ npm install -g @javaperf/cli
$ javaperf auth jp_live_xxx
$ javaperf analyze .
✓ 247 files · 3 critical · 8 warnings · Score: 72/100
$ javaperf monitor --app "java -jar app.jar" --api-key jp_live_xxx
📡 Session started — live dashboard ready
Buy credits once, use them whenever you need. No subscription, no surprise charges.
Perfect for trying JavaPerf.
For developers who want to go further.
For individual developers who care about quality.
For teams and regular users.
For power users and high-volume teams.
Credits never expire. Secure payment via PayPal.
Full OWASP Top 10 coverage. Static + Dynamic analysis. Start free — 10 credits included.