Tool integration

MobSFScan Integration Guide

Fast static SAST scanner for Android and iOS source code using MobSF rules

Get a Free API Key

Integrate MobSFScan with Vulnetix. Scan Android (Java/Kotlin) and iOS (Swift/Objective-C) source code for insecure patterns using MobSF rules powered by semgrep, then upload SARIF findings.

PythonCLI toolSARIFJSONHTML

Install & scan

$ # Recommended — ephemeral run
uv run --with mobsfscan mobsfscan --version

# Or install globally
pip install mobsfscan
$ # Scan Android/iOS source directory with SARIF output
uv run --with mobsfscan mobsfscan /path/to/source   --sarif   --output results.sarif

Run MobSFScan in CI

Scan on every push and upload the results to Vulnetix:

- name: Install uv
  uses: astral-sh/setup-uv@v4

- name: Run MobSFScan
  uses: MobSF/mobsfscan@main
  with:
    args: '. --sarif --output results.sarif || true'

- name: Upload to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

- name: Upload to Vulnetix
  run: vulnetix upload --file results.sarif

How Vulnetix compares — better together

Vulnetix does not replace MobSFScan. Keep running it. Vulnetix sits on top of MobSFScan — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

MobSFScan is strongest at its core category and also carries features in SAST, Secret Scanning — just like Vulnetix spans categories.

CapabilityVulnetixMobSFScan
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentationStatic code analysis engine (semgrep + libsast) over mobile source
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history~ MobSF rules flag hardcoded secrets/keys and insecure crypto constants in source
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engineCore: static analysis of Android/iOS source for insecure code patterns
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What MobSFScan does well

Where Vulnetix adds to it: MobSFScan is a focused mobile-source SAST engine; Vulnetix does not replace it. Vulnetix ingests its SARIF output, dedups it across your other scanners into one prioritised queue, and layers exploit-intel (EPSS/KEV/LEV), reachability, versioned VEX, SSVC and Safe Harbour autofix that MobSFScan does not provide.

No migration, no rip-and-replace. MobSFScan keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise MobSFScan results in Vulnetix

Upload MobSFScan SARIF, JSON, HTML output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

MobSFScan documentation ↗  ·  Source repository ↗

Wire MobSFScan into your CI/CD pipeline →