Static Code Analysis with Maven and Github Actions [Course]


What is static code analysis? What is it good for? What tools are available, and what's the best way to set them up?

In this course, we clean up a legacy Java application by first automating the build with GitHub Actions and setting up and configuring various static code analysis tools.

We have all bugs, code smells, and security vulnerabilities aggregated into SonarCloud. We also connect SonarCloud to our IDE (IntelliJ or Eclipse) so that we can see the issues right where they arise.

We investigate the offending code locations and fix the defects.

We also discuss strategies for gradually optimizing large legacy applications with thousands of code smells.

SCA tools used:

  • PMD
  • FindBugs / SpotBugs
  • Checkstyle
  • SonarCloud / SonarLint
  • sshgit
  • Trivy

The SCA tools and Maven are all open source. GitHub Actions can be used for free in open source projects.


  • Practical experience with Java
  • Workstation with 16 (or higher)
  • Java IDE: I use IntelliJ and recommend this to my students as well. But you can also use Eclipse.
  • Each participant will need a GitHub account to fork the course code and set up the GitHub actions workflow.

You can find more information about my course offerings on the overview page.

Send your inquiry to [email protected].

Course Info

Trainer: Sven Woltmann

Duration: 1 day

You can find price details on the Java trainings overview page.