I just quickly tried a beta service in IBM Bluemix that was announced earlier this year. The Static Analyzer service helps find potential vulnerabilities in your Java code, such as cross-site scripting issues and missing encodings, and displays the results in a report with descriptions and mitigation strategies.
There are different ways to run the tool. I chose the Eclipse plugin.
The reports can be accessed via a dashboard.
Here is a sample of a reported issue.
For a quick demo, check out this video.