BestHub
Sign in
Backend Development 15 min read

Why Spring Sentinel Is a Must‑Have Performance Analyzer for Spring Boot

Spring Sentinel is a high‑performance Maven plugin for Spring Boot that performs static code analysis to spot N+1 queries, unsafe transaction calls, architectural anti‑patterns, and security risks, offering configurable rule profiles, CI/CD‑ready reports, and flexible suppression mechanisms.

Spring Full-Stack Practical Cases
Spring Full-Stack Practical Cases
Spring Full-Stack Practical Cases
Why Spring Sentinel Is a Must‑Have Performance Analyzer for Spring Boot

Overview

Spring Sentinel is a high‑performance Maven plugin for Spring Boot that performs static code analysis to detect performance bottlenecks, security vulnerabilities, and architectural defects.

Core audit categories

JPA audit : detects N+1 queries, eager‑fetch misuse, and Cartesian‑product risks.

Transaction safety : flags blocking I/O or remote calls inside @Transactional methods and proxy self‑invocation issues.

System analysis : validates the balance between Tomcat thread pools and HikariCP connection pools.

Architecture integrity : finds manual thread creation, prototype‑bean injection into singleton beans, and other anti‑patterns.

Smart report : generates an HTML dashboard and a structured JSON file for CI/CD pipelines.

Plugin configuration

Add the plugin to pom.xml:

<plugin>
  <groupId>io.github.pagano-antonio</groupId>
  <artifactId>SpringSentinel</artifactId>
  <version>1.1.13</version>
  <executions>
    <execution>
      <phase>verify</phase>
      <goals>
        <goal>audit</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <profile>strict</profile>
    <maxDependencies>7</maxDependencies>
    <secretPattern>.*(password|secret|apikey|token).*</secretPattern>
  </configuration>
</plugin>

Two ways to trigger the audit:

Fast local audit : mvn spring-sentinel:audit – runs the analysis instantly without building the whole project.

Full build audit : mvn clean verify – the plugin is bound to the verify phase, so the analysis runs automatically before the build finishes.

If violations are found, the build fails by default and two reports are produced under target/spring-sentinel-reports: report.html: visual dashboard for quick issue identification. report.json: machine‑readable data for custom dashboards or automated pipelines.

Build blocker and fail‑safe mode

Severe problems (e.g., hard‑coded passwords, exposed monitoring endpoints) abort the Maven build. To generate reports without breaking the build, set:

<configuration>
  <failOnError>false</failOnError>
</configuration>

Rule profiles

Three preset profiles increase in strictness:

security‑only : checks only critical security issues such as hard‑coded secrets and overly permissive CORS.

standard (recommended): adds performance and architectural checks like N+1 queries and improper Lombok usage.

strict (default): includes all standard rules plus strict interface naming, versioning, and dependency‑size enforcement.

Switch profiles in pom.xml:

<configuration>
  <profile>standard</profile>
</configuration>

Quick tuning via POM

Adjust thresholds without external files, e.g.:

<configuration>
  <maxDependencies>10</maxDependencies>
  <secretPattern>.*(password|secret|apikey|token|aws_key).*</secretPattern>
</configuration>

Custom governance and path filtering

Provide a custom XML rule file and reference it in the plugin configuration:

<configuration>
  <profile>my-company-profile</profile>
  <customRules>${project.basedir}/custom-sentinel-rules.xml</customRules>
</configuration>

Example custom-sentinel-rules.xml (excerpt):

<?xml version="1.0" encoding="UTF-8"?>
<spring-sentinel>
  <profiles>
    <profile id="my-company-profile" extends="standard">
      <name>Profilo Aziendale Custom</name>
      <exclude rule="ARCH-002" />
      <include rule="REST-004" />
      <override rule="ARCH-003" param="excludePaths" value=".*(/legacy/|/old/).*" />
      <override rule="REST-001" param="includePaths" value=".*/controller/.*" />
      <override rule="ARCH-003" param="maxDependencies" value="12" />
    </profile>
  </profiles>
</spring-sentinel>

Precise ignoring (rule exceptions)

Use standard Java @SuppressWarnings with the sentinel: prefix to silence individual rules or whole categories:

@RestController
@SuppressWarnings("sentinel:PERF-003")
public class LegacyController { ... }

@SuppressWarnings("sentinel:all") // disables all Sentinel checks for the annotated element

Rule catalog

Performance & Database

PERF-001: Detects eager FetchType.EAGER in JPA entities.

PERF-002: Flags potential N+1 query patterns.

PERF-003: Identifies blocking I/O inside @Transactional methods.

PERF-004: Ensures cache entries have an expiration time.

Security

SEC-001: Scans for hard‑coded passwords, API keys, tokens.

SEC-002: Warns against wildcard CORS configurations.

SEC-003: Detects exposure of repository endpoints when Spring Data REST is present without security.

Thread Architecture & Safety

ARCH-001: Checks mutable fields in singleton beans.

ARCH-002: Prohibits field injection with @Autowired, recommends constructor injection.

ARCH-003: Flags classes with too many dependencies.

ARCH-004: Detects manual new instantiation of Spring‑managed components.

ARCH-005: Highlights combined @Lazy and @Autowired usage.

RES-001: Recommends using @Async instead of raw thread creation.

Interface Governance

REST-001: Enforces hyphen‑separated URL naming.

REST-002: Requires version prefixes in API paths.

REST-003: Suggests plural resource names.

REST-004: Encourages returning a unified response entity.

Build & Project Maintenance

MAINT-001: Alerts when the project still uses Spring Boot 2.x.

MAINT-002: Verifies the presence of the Spring Boot packaging plugin.

MAINT-003: Checks that repository interfaces are properly annotated for exception translation.

Demo scenario

The article creates three intentional problems:

// 1. Non‑lazy loading
@OneToMany(mappedBy = "order", cascade = CascadeType.ALL, fetch = FetchType.EAGER, orphanRemoval = true)
private List<OrderItem> orderItems = new ArrayList<>();

// 2. Concurrency issue
@Service
public class OrderService {
  private Order order;
  private final OrderRepository orderRepository;
  public OrderService(OrderRepository orderRepository) { this.orderRepository = orderRepository; }
  public void query(Long id) { this.order = this.orderRepository.findById(id).orElse(null); }
}

// 3. Missing @Repository annotation
public interface OrderRepository extends JpaRepository<Order, Long> { }

Running mvn spring-sentinel:audit generates the HTML and JSON reports shown below.

Reports list the detected violations, their locations, and suggested remediation steps, demonstrating how Spring Sentinel can be integrated into a CI/CD workflow to enforce code quality and security.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

javaperformanceci/cdmavenSpring Bootsecuritystatic-code-analysis
Spring Full-Stack Practical Cases
Written by

Spring Full-Stack Practical Cases

Full-stack Java development with Vue 2/3 front-end suite; hands-on examples and source code analysis for Spring, Spring Boot 2/3, and Spring Cloud.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment