Integrate Facebook Infer with Vulnetix. Detect null pointer exceptions, memory leaks, and concurrency issues.
Install & scan
$ # macOS brew install infer # Linux - download from GitHub releases curl -L https://github.com/facebook/infer/releases/latest/download/infer-linux-x86_64.tar.xz | tar xJ $ infer run --sarif -- javac MyFile.java
Run Facebook Infer in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Infer
run: |
curl -L https://github.com/facebook/infer/releases/latest/download/infer-linux-x86_64.tar.xz | tar xJ
export PATH=$PATH:$(pwd)/infer-linux-x86_64/bin
- name: Run Infer
run: infer run --sarif -- mvn compile
- name: Upload to Vulnetix
run: vulnetix upload --file infer-out/report.sarif
How Vulnetix compares — better together
Vulnetix does not replace Facebook Infer. Keep running it. Vulnetix sits on top of Facebook Infer — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
| Capability | Vulnetix | Facebook Infer |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✓ Core: Java, C, C++, Objective-C static analysis; null-deref, leaks, races, deadlocks via separation logic |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Facebook Infer does well
- Deep interprocedural analysis via separation logic (Pulse) that tracks memory allocations across function and file boundaries — far deeper than pattern matchers
- Best-in-class concurrency bug detection (RacerD for data races, deadlock/lock-consistency analysis) on real Java/Android and C++ codebases
- Finds null dereferences, resource/memory leaks with low noise, proven at Meta scale on millions of lines
- Build-integration model intercepts javac/mvn/gradle/make so it analyses exactly what you ship, with incremental diff analysis for CI
Where Vulnetix adds to it: Infer is a specialist code-correctness/memory-safety engine; Vulnetix ingests its SARIF findings and layers cross-scanner dedup, EPSS/KEV exploit-intel prioritisation, versioned VEX and autofix on top — it does not replace Infer's interprocedural analysis but folds it into one prioritised queue alongside SCA, secrets, IaC and container findings.
No migration, no rip-and-replace. Facebook Infer keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Facebook Infer results in Vulnetix
Upload Facebook Infer SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.