# `MobDev.SecurityScan.Layers.KotlinSource`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/layers/kotlin_source.ex#L1)

Static analysis of Kotlin/Java source under `android/app/src/main/`
using [detekt](https://detekt.dev/).

Detekt is the de-facto Kotlin static analyzer. We invoke its CLI
with `--report json:<out>` and parse the SARIF-like output.

Coverage notes:

  * The default detekt ruleset emphasizes code quality more than
    security per se — but several built-in rules do cover concrete
    vulnerability classes (`HardCodedDispatcher`, unsafe-call
    patterns, regex DoS).
  * For deeper security coverage, projects can configure a
    `detekt-security.yml` and pass it via `MOB_DETEKT_CONFIG=path`
    (read by `default_runner/1`).

Soft-degrades to `:tool_missing` when detekt isn't installed.
Install on macOS with `brew install detekt`.
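As an added example (not this module's own code), an Elixir sketch of how a runner shaped like this layer fits together: it soft-degrades to `:tool_missing`, adds `--config` only when `MOB_DETEKT_CONFIG` is set, and flattens the report into findings. The SARIF-shaped report (`runs[].results[]`) and the Elixir 1.18 built-in `JSON` module are assumptions.

```elixir
defmodule MobDev.Example.DetektRunner do
  # Illustrative runner, not MobDev's own `default_runner/1`. Assumes Elixir >= 1.18
  # (built-in JSON module) and a SARIF-shaped report (runs[].results[]); both are assumptions.
  @src_dir "android/app/src/main"

  # {:ok, findings} | {:error, :tool_missing} | {:error, {:detekt, status, output}}
  def run(project_root) do
    case System.find_executable("detekt") do
      nil ->
        {:error, :tool_missing}  # soft-degrade instead of failing the whole scan
      exe ->
        report = Path.join(System.tmp_dir!(), "detekt-#{System.unique_integer([:positive])}.json")
        args = detekt_args(Path.join(project_root, @src_dir), report, System.get_env("MOB_DETEKT_CONFIG"))
        # detekt can exit non-zero purely because it found issues, so decide on
        # whether the report file exists, not on the exit status.
        {output, status} = System.cmd(exe, args, stderr_to_stdout: true)
        case File.read(report) do
          {:ok, json} -> parse_report(json)
          {:error, _} -> {:error, {:detekt, status, output}}
        end
    end
  end

  # `--config` is added only when MOB_DETEKT_CONFIG points at a ruleset
  # such as the detekt-security.yml mentioned above.
  def detekt_args(input, report_path, nil),
    do: ["--input", input, "--report", "json:#{report_path}"]

  def detekt_args(input, report_path, config),
    do: detekt_args(input, report_path, nil) ++ ["--config", config]

  # Flattens a SARIF-shaped document into one map per finding.
  def parse_report(json) do
    with {:ok, %{"runs" => runs}} <- JSON.decode(json) do
      findings =
        for %{"results" => results} <- runs,
            %{"ruleId" => rule, "message" => %{"text" => text}} = r <- results do
          loc = get_in(r, ["locations", Access.at(0), "physicalLocation"]) || %{}
          %{rule: rule, severity: Map.get(r, "level", "warning"), message: text,
            file: get_in(loc, ["artifactLocation", "uri"]),
            line: get_in(loc, ["region", "startLine"])}
        end

      {:ok, findings}
    else
      {:ok, _} -> {:error, :unexpected_report_shape}
      {:error, reason} -> {:error, {:invalid_json, reason}}
    end
  end
end
```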
