Static analysis of Kotlin/Java source under android/app/src/main/
using detekt.
Detekt is the de-facto Kotlin static analyzer. We invoke its CLI
with --report json:<out> and parse the SARIF-like output.
Coverage notes:
- The default detekt ruleset emphasizes code quality more than
security per se, but several built-in rules do cover concrete
vulnerability classes (HardCodedDispatcher, unsafe-call patterns,
regex DoS).
- For deeper security coverage, projects can configure a
detekt-security.yml and pass it via MOB_DETEKT_CONFIG=path (read by
default_runner/1).
Soft-degrades to :tool_missing when detekt isn't installed.
Install on macOS with brew install detekt.
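As an added stand-alone illustration (Python, not the Elixir module this doc describes), the following shows the three pieces above together: building the detekt command line with an optional config taken from MOB_DETEKT_CONFIG, degrading to a tool_missing result when the binary is absent, and flattening the report into findings. It assumes detekt's sarif report id (the runner above requests json:) and the --input/--config flags; the SARIF document is a constructed sample, not real detekt output.

```python
"""Illustrative detekt wrapper (example code, not the project's runner):
build the CLI invocation, degrade softly when the tool is absent, and
flatten a detekt SARIF report into a list of findings."""
import json
import os
import shutil
import subprocess
from typing import Optional

SRC_DIR = "android/app/src/main/"     # path named in the doc
CONFIG_ENV = "MOB_DETEKT_CONFIG"      # env var named in the doc


def build_command(src_dir: str, report_path: str, config: Optional[str] = None) -> list:
    """argv for a detekt run that writes a SARIF report.
    Assumption: the 'sarif' report id (the doc's runner uses 'json:')."""
    cmd = ["detekt", "--input", src_dir, "--report", f"sarif:{report_path}"]
    if config:
        cmd += ["--config", config]   # e.g. a detekt-security.yml
    return cmd


def config_from_env(environ=os.environ) -> Optional[str]:
    """Optional config path from MOB_DETEKT_CONFIG; empty value counts as unset."""
    return environ.get(CONFIG_ENV) or None


def parse_sarif(text: str) -> list:
    """Flatten SARIF 2.1.0 results into dicts; tolerate results without a location."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "level": res.get("level", "note"),
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return findings


def run_detekt(src_dir: str = SRC_DIR, report_path: str = "detekt.sarif") -> dict:
    """Run detekt if it is on PATH; otherwise return a tool_missing status
    instead of failing the whole scan."""
    if shutil.which("detekt") is None:
        return {"status": "tool_missing", "findings": []}
    cmd = build_command(src_dir, report_path, config_from_env())
    # detekt may exit non-zero when it reports issues, so do not raise on that.
    subprocess.run(cmd, check=False)
    with open(report_path, encoding="utf-8") as fh:
        return {"status": "ok", "findings": parse_sarif(fh.read())}


# Constructed sample in detekt's SARIF shape; the second result has no
# location on purpose, to exercise the tolerant parsing path.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "detekt"}},
        "results": [
            {
                "ruleId": "detekt.potential-bugs.UnsafeCast",
                "level": "warning",
                "message": {"text": "Cast can never succeed."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "android/app/src/main/java/Foo.kt"},
                    "region": {"startLine": 12, "startColumn": 5},
                }}],
            },
            {
                "ruleId": "detekt.style.MagicNumber",
                "level": "note",
                "message": {"text": "Magic number 42."},
                "locations": [],
            },
        ],
    }],
})

if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        print(f"{f['level']:8} {f['rule']:40} {f['file']}:{f['line']} {f['message']}")
    print(run_detekt()["status"])
```

The shape of the result dict mirrors the soft-degradation in the doc: callers check status first and only read findings when it is ok, so an absent tool is reported rather than treated as a clean scan.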