# `mix mob.security_scan`
[🔗](https://github.com/genericjam/mob_dev/blob/main/lib/mix/tasks/mob.security_scan.ex#L1)

Audits the project for known vulnerabilities and unsafe code across
every surface a Mob app actually ships:

  * Hex dependency CVEs (`mix_audit`, `osv-scanner` over `mix.lock`)
  * Android Gradle dependency CVEs (`osv-scanner`)
  * iOS Swift Package dependency CVEs (`osv-scanner`)
  * Bundled-runtime CVEs — OpenSSL/SQLite/OTP/Elixir baked into
    Mob's pre-built OTP tarballs (manifest + fingerprint verification +
    OpenSSL/SQLite/Erlef advisory feeds)
  * C source static analysis (semgrep, flawfinder)
  * Kotlin static analysis (detekt)
  * Swift static analysis (`xcodebuild analyze`)

Layers run sequentially. A missing external scanner is a soft warning,
not a failure — the layer reports `tool missing` and the rest of the
scan continues.

## Usage

    mix mob.security_scan                       # full scan, pretty terminal output
    mix mob.security_scan --json                # machine-readable JSON to stdout
    mix mob.security_scan --skip hex,gradle     # skip named layers
    mix mob.security_scan --strict              # exit 1 if any high+ finding
    mix mob.security_scan --write-report PATH   # also write a markdown report

## External tools

Recommended one-time install on macOS:

    brew install osv-scanner semgrep flawfinder detekt

Each layer prints which tool produced its findings so the report
is fully sourced.
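Because a missing scanner is only a soft warning, a CI job can silently lose a whole layer. The following POSIX shell gate is an added example (not part of mob_dev) that checks the four recommended tools are on `PATH` before running the task in strict mode; the report file names and the `scan_gate.sh` script name are this example's own assumptions.

```shell
#!/bin/sh
# CI gate for `mix mob.security_scan` (added example; not mob_dev's own code).
# The task treats a missing external scanner as a soft warning, so in CI we
# enforce tool presence up front instead of silently skipping a layer.

# External scanners the task can call (the page's recommended install set).
REQUIRED_TOOLS="osv-scanner semgrep flawfinder detekt"

# Print the names in "$1" that are not on PATH, space-separated (empty if none).
missing_tools() {
  missing=""
  for tool in $1; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      missing="${missing:+$missing }$tool"
    fi
  done
  printf '%s' "$missing"
}

# Run the scan in strict mode, keeping JSON output and a markdown report as
# CI artifacts. File names security-scan.json / security-report.md are assumed.
run_gate() {
  missing=$(missing_tools "$REQUIRED_TOOLS")
  if [ -n "$missing" ]; then
    echo "refusing to run with scanners missing: $missing" >&2
    echo "install with: brew install osv-scanner semgrep flawfinder detekt" >&2
    return 2
  fi
  # --strict exits 1 on any high+ finding; --json writes findings to stdout.
  mix mob.security_scan --strict --json --write-report security-report.md \
    > security-scan.json
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "security scan failed (exit $status); see security-report.md" >&2
  fi
  return "$status"
}

# Only run the gate when executed as scan_gate.sh, not when sourced elsewhere.
case "$0" in
  *scan_gate.sh) run_gate ;;
esac
```

Layers that do not apply to a given project (for example `gradle` on an iOS-only app) can still be dropped with `--skip` without weakening the tool check.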

## Why "security_scan" not "audit"

`mix mob.audit_otp` already exists and does something else — it
reports which OTP libs your bundled app doesn't use so they can be
stripped to shrink the binary. That's a *binary-size* audit. This
task is the *security* counterpart, deliberately named differently.

---

*Consult [api-reference.md](api-reference.md) for a complete listing*
