Integrate MobSFScan with Vulnetix. Scan Android (Java/Kotlin) and iOS (Swift/Objective-C) source code for insecure patterns using MobSF rules powered by semgrep, then upload SARIF findings.
Install & scan
$ # Recommended — ephemeral run uv run --with mobsfscan mobsfscan --version # Or install globally pip install mobsfscan $ # Scan Android/iOS source directory with SARIF output uv run --with mobsfscan mobsfscan /path/to/source --sarif --output results.sarif
Run MobSFScan in CI
Scan on every push and upload the results to Vulnetix:
- name: Install uv
uses: astral-sh/setup-uv@v4
- name: Run MobSFScan
uses: MobSF/mobsfscan@main
with:
args: '. --sarif --output results.sarif || true'
- name: Upload to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
- name: Upload to Vulnetix
run: vulnetix upload --file results.sarif
How Vulnetix compares — better together
Vulnetix does not replace MobSFScan. Keep running it. Vulnetix sits on top of MobSFScan — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
MobSFScan is strongest at its core category and also carries features in SAST, Secret Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | MobSFScan |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✓ Static code analysis engine (semgrep + libsast) over mobile source |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ MobSF rules flag hardcoded secrets/keys and insecure crypto constants in source |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✓ Core: static analysis of Android/iOS source for insecure code patterns |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What MobSFScan does well
- Lightweight standalone SAST for Android/iOS source (Java, Kotlin, Swift, Objective-C, Android XML) that runs in seconds with no Docker or server, unlike the full MobSF framework
- Powered by semgrep + libsast with the mature MobSF rule set, mapping findings to CWE, OWASP Mobile Top 10 and MSTG/MASVS
- CI-native with SARIF 2.1.0, SonarQube, JSON and HTML output plus inline suppression, ready for GitHub Actions/GitLab CI/etc
- Free and open-source, trivial to drop into a mobile developer's pre-commit or pipeline
Where Vulnetix adds to it: MobSFScan is a focused mobile-source SAST engine; Vulnetix does not replace it. Vulnetix ingests its SARIF output, dedups it across your other scanners into one prioritised queue, and layers exploit-intel (EPSS/KEV/LEV), reachability, versioned VEX, SSVC and Safe Harbour autofix that MobSFScan does not provide.
No migration, no rip-and-replace. MobSFScan keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise MobSFScan results in Vulnetix
Upload MobSFScan SARIF, JSON, HTML output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.