Integrate Android Lint with Vulnetix. Run Gradle lint checks on Android projects and upload the SARIF report for centralised vulnerability management.
Install & scan
$ # Android Lint is included in the Android Gradle Plugin — no separate install needed.
# Verify your Android project has AGP 4.2+ in build.gradle
# Run lint (from project root)
./gradlew lint
$ # Configure SARIF output in build.gradle:
# android { lint { sarifReport = true } }
# Then run:
./gradlew lint
# SARIF output: app/build/reports/lint-results-debug.sarif
Run Android Lint in CI
Scan on every push and upload the results to Vulnetix:
- name: Set up JDK
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Run Android Lint
run: ./gradlew lint
- name: Upload to Vulnetix
run: vulnetix upload --file app/build/reports/lint-results-debug.sarif
How Vulnetix compares — better together
Vulnetix does not replace Android Lint. Keep running it. Vulnetix sits on top of Android Lint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Android Lint is strongest at its core category and also carries features in MAST, Secret Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | Android Lint |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✓ Google's core static analyzer for Android source across many languages/resource types, including a dedicated security category. Source: developer.android.com/studio/write/lint |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ Hardcoded credential/config checks via core rules plus the google/android-security-lints pack; not a dedicated entropy secret scanner. Source: github.com/google/android-security-lints |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ~ Android-app-specific security/manifest checks (exported components, permissions, cleartext) make it a mobile-app static analyzer, though not a full MAST/DAST suite. Source: googlesamples.github.io/android-custom-lint-rules |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ~ Android Studio offers quick-fix suggestions for many lint issues; primarily IDE-assisted, not automated remediation PRs. Source: developer.android.com/studio/write/lint |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Android Lint does well
- 350+ built-in checks spanning correctness, security, performance, usability, accessibility and internationalization across Java, Kotlin, XML layouts, Gradle scripts and resources
- Genuine Android security checks (e.g. ExportedService without permission, cleartext traffic, insecure manifest settings) plus the extensible google/android-security-lints credential/config check pack
- Native SARIF report output since Android Gradle Plugin 4.2, in addition to HTML and XML, for direct code-scanning ingestion
- Deep Android-aware analysis built into AGP with a documented custom-check API and IDE quick-fixes in Android Studio
Where Vulnetix adds to it: Vulnetix ingests Android Lint's native SARIF output into its unified, deduplicated ASPM queue and does not run Android Lint itself; its own SAST (rules + Semgrep) complements rather than replaces Google's Android-specific security and correctness checks, and its mobile-app coverage is ingest-only. Better together: Android Lint owns deep Android-aware analysis while Vulnetix adds cross-scanner dedup, EPSS/KEV/LEV exploit-intel prioritisation, reachability, immutable versioned VEX and SSVC policy.
No migration, no rip-and-replace. Android Lint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Android Lint results in Vulnetix
Upload Android Lint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.