tabby
Tabby is a Java static code analysis tool that converts JAR/WAR/CLASS files into code property graphs stored in Neo4j, enabling automated discovery of gadget chains, deserialization vulnerabilities, and common web flaws. It is actively maintained, written in Java 17, and has been featured at security conferences including BlackHat Arsenal 2024.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | tabby-sec/tabby |
| Owner | tabby-sec |
| Primary language | Java |
| License | MIT — OSI-approved |
| Stars | 1.7k |
| Forks | 181 |
| Open issues | 10 |
| Latest release | v2.0.1 (2025-08-08) |
| Last updated | 2026-01-17 |
| Source | https://github.com/tabby-sec/tabby |
What tabby is
Tabby leverages the Soot framework for semantic extraction and Neo4j for graph storage, using custom Cypher query logic to perform taint analysis and identify vulnerable call chains. It supports multiple serialization mechanisms (Java native, Hessian, XStream) and can analyze various Java artifact formats including JSP files. The tool's code property graph representation enables both pre-built detection rules and custom vulnerability discovery.
Get the tabby source
Clone the repository and explore it locally.
git clone https://github.com/tabby-sec/tabby.gitcd tabby# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires operational Neo4j graph database instance; ensure database sizing and persistence are planned for your codebase volume.
- Java 17+ runtime environment is mandatory; confirm compatibility with your deployment infrastructure.
- Custom Cypher queries are often needed for organization-specific vulnerability patterns; team must develop or source these rules.
- Processing time and memory requirements for large JAR/WAR files and complex dependency graphs are not quantified in available data; plan for performance testing.
- IDE integration available via IntelliJ plugin; evaluate whether this is necessary for your development workflow.
When to avoid it — and what to weigh
- Non-Java Codebases — Tabby is Java-specific. Projects written in Python, Node.js, Go, C/C++, or other languages require alternative tools.
- Turnkey, Zero-Configuration Scanning — Requires setup of Neo4j database, Java environment, and understanding of Cypher query syntax. Not suitable if you need immediate plug-and-play vulnerability scanning without infrastructure setup.
- Runtime Vulnerability Detection Only — Tabby is a static analysis tool and cannot detect runtime-dependent vulnerabilities or issues that require dynamic execution context. It is not a RASP or dynamic runtime monitoring solution.
- Real-Time CI/CD Pipeline Integration Without Customization — Integration into rapid CI/CD workflows requires custom scripting and rule definition. Out-of-the-box support for common CI/CD platforms (GitHub Actions, GitLab CI, Jenkins plugins) is not clearly stated in available documentation.
License & commercial use
Licensed under MIT (MIT License), a permissive OSI-approved open-source license. Permits use, modification, and distribution with minimal restrictions (only require copyright and license notice).
MIT license permits commercial use, modification, and redistribution. However, no warranty is provided, and you assume all liability. Tabby is community-maintained; no commercial support, SLA, or vendor backing is documented. For production commercial deployments, evaluate your own risk tolerance and consider whether professional support or indemnification is needed.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Tabby itself is a security analysis tool, not a runtime security mechanism. Considerations: (1) Graph database exposure—ensure Neo4j instances are isolated and authenticated; (2) no independent security audit data published; (3) no encrypted storage or transmission guarantees documented; (4) analysis results will contain sensitive code semantics—plan appropriate access controls; (5) Soot and Neo4j dependencies may have their own CVEs requiring monitoring.
Alternatives to consider
Semgrep
Language-agnostic static analysis with pre-built rules and simpler deployment. Supports Java but not Java-specific deserialization analysis. Easier CI/CD integration and commercial support available.
SpotBugs / FindBugs
Lightweight Java bytecode static analysis, integrated with IDEs and build systems. Detects common bugs and some security issues, but lacks advanced taint tracking and gadget chain discovery. Lower operational overhead.
Checkmarx SAST / SonarQube
Commercial or open-source (SonarQube) enterprise static analysis platforms with Java support, pre-built rules, and CI/CD integration. Higher ease of use but higher cost for commercial variants; less specialized for deserialization.
Build on tabby with DEV.co software developers
Tabby offers powerful static analysis for Java deserialization and gadget chain discovery, backed by active research and peer-reviewed publications. However, it requires Neo4j infrastructure, Java expertise, and Cypher rule authoring. If your team audits large Java codebases and needs automated chain discovery, schedule a technical evaluation. For turnkey enterprise SAST, consider commercial alternatives.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
tabby FAQ
Do I need Neo4j running locally or can it be remote?
What is the analysis time for a typical enterprise Java application?
Can Tabby detect vulnerabilities beyond deserialization?
Is there commercial support or a vendor-backed version?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If tabby is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Tabby for Your Java Security Program
Tabby offers powerful static analysis for Java deserialization and gadget chain discovery, backed by active research and peer-reviewed publications. However, it requires Neo4j infrastructure, Java expertise, and Cypher rule authoring. If your team audits large Java codebases and needs automated chain discovery, schedule a technical evaluation. For turnkey enterprise SAST, consider commercial alternatives.