# `MobDev.SecurityScan.Layers.CSource`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/layers/c_source.ex#L1)

Static analysis of every C source file Mob actually compiles into
the app: Mob's own NIF shims (`mob/android/jni/`, `mob/ios/`), the
exqlite NIF wrapper (`deps/exqlite/c_src/sqlite3_nif.c`), and any
C the project itself ships.

Two tools, run in parallel:

  * [`semgrep`](https://semgrep.dev/) with the community `p/c`
    ruleset — catches unsafe API use, format-string bugs,
    memory-safety patterns, and a few CVE-derived rules.

  * [`flawfinder`](https://dwheeler.com/flawfinder/) — pattern-based
    audit with a long history; catches things semgrep doesn't
    (banned APIs, risky `gets`/`strcpy` use).

## What's deliberately excluded

`deps/exqlite/c_src/sqlite3.c` — SQLite's amalgamated source is
~9MB and ~250k LOC. It's battle-tested, ships in millions of
apps, and would generate thousands of low-value findings if scanned
with general C rules. SQLite-specific CVE coverage lives in the
`:bundled_runtime` layer (which fingerprints the version).

## Soft degradation

If either scanner is missing, the layer reports `:tool_missing`
rather than failing. Install with `brew install semgrep flawfinder`
on macOS.
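As an added example (not Mob's own code), a POSIX shell sketch of what this layer does: collect the C files listed above minus `sqlite3.c`, run both scanners in parallel, and report `tool_missing` instead of failing. The `c_src` directory for project-shipped C and the report layout are assumptions.

```shell
#!/bin/sh
# Added example, not Mob's own code: a shell sketch of the CSource layer.
# The c_src directory for project-shipped C and the output layout are assumed.

# Every C file Mob compiles, minus SQLite's amalgamation, which the layer
# deliberately leaves to the :bundled_runtime layer.
collect_c_sources() {
  root="$1"
  for dir in mob/android/jni mob/ios deps/exqlite/c_src c_src; do
    [ -d "$root/$dir" ] || continue
    find "$root/$dir" -type f -name '*.c' ! -name 'sqlite3.c'
  done | sort
}

# Soft degradation: a missing scanner is reported, not treated as a failure.
scanner_status() {
  if command -v "$1" >/dev/null 2>&1; then echo ok; else echo tool_missing; fi
}

# Each runner writes its report plus a one-line status file; the scanner's
# exit code is not treated as fatal, so findings never abort the layer.
run_semgrep() {
  [ "$(scanner_status semgrep)" = ok ] || { echo "semgrep: tool_missing" > "$2.status"; return 0; }
  xargs semgrep scan --config p/c --json < "$1" > "$2" || true
  echo "semgrep: done" > "$2.status"
}

run_flawfinder() {
  [ "$(scanner_status flawfinder)" = ok ] || { echo "flawfinder: tool_missing" > "$2.status"; return 0; }
  xargs flawfinder --csv --quiet < "$1" > "$2" || true
  echo "flawfinder: done" > "$2.status"
}

# Run both scanners in parallel and wait for both, as the layer does.
scan_c_sources() {
  root="$1"; out="$2"
  mkdir -p "$out"
  collect_c_sources "$root" > "$out/files.txt"
  run_semgrep "$out/files.txt" "$out/semgrep.json" &
  run_flawfinder "$out/files.txt" "$out/flawfinder.csv" &
  wait
  cat "$out"/*.status
}
```

Call `scan_c_sources <project-root> <output-dir>` to get one status line per scanner and the raw reports next to them.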

---

*Consult [api-reference.md](api-reference.md) for the complete listing.*
