Tool integration

Android Lint Integration Guide

Google's built-in Android project analyzer with SARIF output

Get a Free API Key

Integrate Android Lint with Vulnetix. Run Gradle lint checks on Android projects and upload the SARIF report for centralised vulnerability management.

Java / Kotlin (Android)CLI toolSARIF

Install & scan

$ # Android Lint is included in the Android Gradle Plugin — no separate install needed.
# Verify your Android project has AGP 4.2+ in build.gradle

# Run lint (from project root)
./gradlew lint
$ # Configure SARIF output in build.gradle:
# android { lint { sarifReport = true } }

# Then run:
./gradlew lint

# SARIF output: app/build/reports/lint-results-debug.sarif

Run Android Lint in CI

Scan on every push and upload the results to Vulnetix:

- name: Set up JDK
  uses: actions/setup-java@v4
  with:
    java-version: '17'
    distribution: 'temurin'

- name: Run Android Lint
  run: ./gradlew lint

- name: Upload to Vulnetix
  run: vulnetix upload --file app/build/reports/lint-results-debug.sarif

How Vulnetix compares — better together

Vulnetix does not replace Android Lint. Keep running it. Vulnetix sits on top of Android Lint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Android Lint is strongest at its core category and also carries features in MAST, Secret Scanning — just like Vulnetix spans categories.

CapabilityVulnetixAndroid Lint
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentationGoogle's core static analyzer for Android source across many languages/resource types, including a dedicated security category. Source: developer.android.com/studio/write/lint
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history~ Hardcoded credential/config checks via core rules plus the google/android-security-lints pack; not a dedicated entropy secret scanner. Source: github.com/google/android-security-lints
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine~ Android-app-specific security/manifest checks (exported components, permissions, cleartext) make it a mobile-app static analyzer, though not a full MAST/DAST suite. Source: googlesamples.github.io/android-custom-lint-rules
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version~ Android Studio offers quick-fix suggestions for many lint issues; primarily IDE-assisted, not automated remediation PRs. Source: developer.android.com/studio/write/lint
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Android Lint does well

Where Vulnetix adds to it: Vulnetix ingests Android Lint's native SARIF output into its unified, deduplicated ASPM queue and does not run Android Lint itself; its own SAST (rules + Semgrep) complements rather than replaces Google's Android-specific security and correctness checks, and its mobile-app coverage is ingest-only. Better together: Android Lint owns deep Android-aware analysis while Vulnetix adds cross-scanner dedup, EPSS/KEV/LEV exploit-intel prioritisation, reachability, immutable versioned VEX and SSVC policy.

No migration, no rip-and-replace. Android Lint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Android Lint results in Vulnetix

Upload Android Lint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Android Lint documentation ↗

Wire Android Lint into your CI/CD pipeline →