Tool integration

Facebook Infer Integration Guide

Static analysis for Java and C-family languages from Meta

Get a Free API Key

Integrate Facebook Infer with Vulnetix. Detect null pointer exceptions, memory leaks, and concurrency issues.

Java, C, C++, Objective-CCLI toolSARIF

Install & scan

$ # macOS
brew install infer

# Linux - download from GitHub releases
curl -L https://github.com/facebook/infer/releases/latest/download/infer-linux-x86_64.tar.xz | tar xJ
$ infer run --sarif -- javac MyFile.java

Run Facebook Infer in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Infer
  run: |
    curl -L https://github.com/facebook/infer/releases/latest/download/infer-linux-x86_64.tar.xz | tar xJ
    export PATH=$PATH:$(pwd)/infer-linux-x86_64/bin
- name: Run Infer
  run: infer run --sarif -- mvn compile
- name: Upload to Vulnetix
  run: vulnetix upload --file infer-out/report.sarif

How Vulnetix compares — better together

Vulnetix does not replace Facebook Infer. Keep running it. Vulnetix sits on top of Facebook Infer — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixFacebook Infer
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentationCore: Java, C, C++, Objective-C static analysis; null-deref, leaks, races, deadlocks via separation logic
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Facebook Infer does well

Where Vulnetix adds to it: Infer is a specialist code-correctness/memory-safety engine; Vulnetix ingests its SARIF findings and layers cross-scanner dedup, EPSS/KEV exploit-intel prioritisation, versioned VEX and autofix on top — it does not replace Infer's interprocedural analysis but folds it into one prioritised queue alongside SCA, secrets, IaC and container findings.

No migration, no rip-and-replace. Facebook Infer keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Facebook Infer results in Vulnetix

Upload Facebook Infer SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Facebook Infer documentation ↗  ·  Source repository ↗

Wire Facebook Infer into your CI/CD pipeline →