DEV.co
Open-Source Security · tabby-sec

tabby

Tabby is a Java static code analysis tool that converts JAR/WAR/CLASS files into code property graphs stored in Neo4j, enabling automated discovery of gadget chains, deserialization vulnerabilities, and common web flaws. It is actively maintained, written in Java 17, and has been featured at security conferences including BlackHat Arsenal 2024.

Source: GitHub — github.com/tabby-sec/tabby
1.7k
GitHub stars
181
Forks
Java
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorytabby-sec/tabby
Ownertabby-sec
Primary languageJava
LicenseMIT — OSI-approved
Stars1.7k
Forks181
Open issues10
Latest releasev2.0.1 (2025-08-08)
Last updated2026-01-17
Sourcehttps://github.com/tabby-sec/tabby

What tabby is

Tabby leverages the Soot framework for semantic extraction and Neo4j for graph storage, using custom Cypher query logic to perform taint analysis and identify vulnerable call chains. It supports multiple serialization mechanisms (Java native, Hessian, XStream) and can analyze various Java artifact formats including JSP files. The tool's code property graph representation enables both pre-built detection rules and custom vulnerability discovery.

Quickstart

Get the tabby source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/tabby-sec/tabby.gitcd tabby# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Deserialization Gadget Chain Discovery

Automated detection of Java deserialization exploitation chains across large codebases. Tabby's graph-based approach supports multiple serialization libraries and has been used to discover multiple published CVEs (CVE-2021-21346, CVE-2021-39147, CVE-2022-39198, CVE-2023-23638).

Security Code Audits at Scale

Reduce manual code review effort by generating semantic graphs that enable rapid identification of dangerous function calls, taint flows, and vulnerable patterns. Designed explicitly to improve code auditing efficiency for Java applications.

Java Web Application Vulnerability Scanning

Support for WAR/JAR/FATJAR artifact analysis to detect common web vulnerabilities in enterprise Java applications. Enables dynamic custom detection rules through Cypher queries against the generated property graph.

Implementation considerations

  • Requires operational Neo4j graph database instance; ensure database sizing and persistence are planned for your codebase volume.
  • Java 17+ runtime environment is mandatory; confirm compatibility with your deployment infrastructure.
  • Custom Cypher queries are often needed for organization-specific vulnerability patterns; team must develop or source these rules.
  • Processing time and memory requirements for large JAR/WAR files and complex dependency graphs are not quantified in available data; plan for performance testing.
  • IDE integration available via IntelliJ plugin; evaluate whether this is necessary for your development workflow.

When to avoid it — and what to weigh

  • Non-Java Codebases — Tabby is Java-specific. Projects written in Python, Node.js, Go, C/C++, or other languages require alternative tools.
  • Turnkey, Zero-Configuration Scanning — Requires setup of Neo4j database, Java environment, and understanding of Cypher query syntax. Not suitable if you need immediate plug-and-play vulnerability scanning without infrastructure setup.
  • Runtime Vulnerability Detection Only — Tabby is a static analysis tool and cannot detect runtime-dependent vulnerabilities or issues that require dynamic execution context. It is not a RASP or dynamic runtime monitoring solution.
  • Real-Time CI/CD Pipeline Integration Without Customization — Integration into rapid CI/CD workflows requires custom scripting and rule definition. Out-of-the-box support for common CI/CD platforms (GitHub Actions, GitLab CI, Jenkins plugins) is not clearly stated in available documentation.

License & commercial use

Licensed under MIT (MIT License), a permissive OSI-approved open-source license. Permits use, modification, and distribution with minimal restrictions (only require copyright and license notice).

MIT license permits commercial use, modification, and redistribution. However, no warranty is provided, and you assume all liability. Tabby is community-maintained; no commercial support, SLA, or vendor backing is documented. For production commercial deployments, evaluate your own risk tolerance and consider whether professional support or indemnification is needed.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tabby itself is a security analysis tool, not a runtime security mechanism. Considerations: (1) Graph database exposure—ensure Neo4j instances are isolated and authenticated; (2) no independent security audit data published; (3) no encrypted storage or transmission guarantees documented; (4) analysis results will contain sensitive code semantics—plan appropriate access controls; (5) Soot and Neo4j dependencies may have their own CVEs requiring monitoring.

Alternatives to consider

Semgrep

Language-agnostic static analysis with pre-built rules and simpler deployment. Supports Java but not Java-specific deserialization analysis. Easier CI/CD integration and commercial support available.

SpotBugs / FindBugs

Lightweight Java bytecode static analysis, integrated with IDEs and build systems. Detects common bugs and some security issues, but lacks advanced taint tracking and gadget chain discovery. Lower operational overhead.

Checkmarx SAST / SonarQube

Commercial or open-source (SonarQube) enterprise static analysis platforms with Java support, pre-built rules, and CI/CD integration. Higher ease of use but higher cost for commercial variants; less specialized for deserialization.

Software development agency

Build on tabby with DEV.co software developers

Tabby offers powerful static analysis for Java deserialization and gadget chain discovery, backed by active research and peer-reviewed publications. However, it requires Neo4j infrastructure, Java expertise, and Cypher rule authoring. If your team audits large Java codebases and needs automated chain discovery, schedule a technical evaluation. For turnkey enterprise SAST, consider commercial alternatives.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

tabby FAQ

Do I need Neo4j running locally or can it be remote?
The README states a 'usable Neo4j graph database' is required but does not explicitly document local vs. remote connectivity. Implementation will likely support remote instances, but network configuration and database isolation must be verified in setup.
What is the analysis time for a typical enterprise Java application?
Not documented in available data. Processing time depends on codebase size, dependency complexity, and Neo4j hardware. Performance testing with your target applications is required.
Can Tabby detect vulnerabilities beyond deserialization?
Yes, the README lists web vulnerabilities and arbitrary dangerous function calls. However, pre-built detection rule coverage is not quantified. Custom Cypher rules can be written for bespoke vulnerability patterns.
Is there commercial support or a vendor-backed version?
No commercial entity, SLA, or vendor support is documented. The project is community-driven by the original author (wh1t3p1g). Community discussions and GitHub issues are the primary support channels.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If tabby is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Tabby for Your Java Security Program

Tabby offers powerful static analysis for Java deserialization and gadget chain discovery, backed by active research and peer-reviewed publications. However, it requires Neo4j infrastructure, Java expertise, and Cypher rule authoring. If your team audits large Java codebases and needs automated chain discovery, schedule a technical evaluation. For turnkey enterprise SAST, consider commercial alternatives.