# `MobDev.SecurityScan.Layers.SwiftSource`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/layers/swift_source.ex#L1)

Static analysis of Swift source under `ios/` using
[swiftlint](https://github.com/realm/SwiftLint).

## Why swiftlint, not `xcodebuild analyze`?

The Clang Static Analyzer (run via `xcodebuild analyze`) is the gold
standard for Objective-C and Swift correctness checks but requires
a buildable Xcode project — i.e. a working signing identity, the
right SDK, and a `.xcodeproj` or `.xcworkspace`. That's a heavy
prerequisite for a security scan to "just work" out of the box.

swiftlint operates directly on `.swift` files without compilation,
produces JSON output, and ships several security-relevant rules
(`force_cast`, `force_try`, `force_unwrapping`, `implicitly_unwrapped_optional`)
that flag crash-by-design patterns. It's the pragmatic Swift
counterpart to detekt.

## What this doesn't cover

Mob's iOS bridge is mostly Objective-C (`.m` / `.c` files), not
Swift, and swiftlint ignores those files. ObjC code is covered by the
`:c_source` layer instead, which runs semgrep and flawfinder over `.m`
files alongside `.c`/`.h`. The split is unfortunate but follows
tool boundaries.

Soft-degrades to `:tool_missing` when swiftlint isn't installed.
Install on macOS with `brew install swiftlint`.
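The shape of such a layer, as an added example rather than the module's own code: it locates the `swiftlint` binary, runs its JSON reporter over `ios/`, keeps only the four crash-by-design rules named above, and returns `{:error, :tool_missing}` when the tool is absent. Assumptions not taken from this page: `Jason` is available for JSON decoding, a recent swiftlint that accepts the scan path positionally and supports `lint --reporter json --quiet`, and swiftlint's reporter fields (`rule_id`, `file`, `line`, `severity`, `reason`) with `"Warning"`/`"Error"` severity labels. The embedded sample output is constructed so the parsing path can be exercised without the tool installed.

```elixir
defmodule SwiftSourceExample do
  @moduledoc """
  Added example, not MobDev's own layer: run swiftlint's JSON reporter,
  keep only security-relevant rules, soft-degrade when the tool is missing.
  """

  # The crash-by-design rules the layer description names.
  @security_rules ~w(force_cast force_try force_unwrapping implicitly_unwrapped_optional)

  # Constructed sample of swiftlint's JSON reporter output (assumed field
  # names); one security-relevant violation and one style-only violation.
  @sample_json """
  [
    {"file": "ios/Bridge.swift", "line": 12, "character": 20, "severity": "Warning",
     "type": "Force Cast", "rule_id": "force_cast",
     "reason": "Force casts should be avoided."},
    {"file": "ios/Bridge.swift", "line": 40, "character": 3, "severity": "Warning",
     "type": "Line Length", "rule_id": "line_length",
     "reason": "Line should be 120 characters or less."}
  ]
  """

  @doc """
  Scan `dir` with swiftlint. Returns `{:ok, findings}`, `{:error, :tool_missing}`
  when the binary is not on PATH, or `{:error, :unparseable_output}`.
  """
  def scan(dir \\ "ios") do
    case System.find_executable("swiftlint") do
      nil ->
        {:error, :tool_missing}

      exe ->
        # Assumed CLI: `lint --reporter json --quiet <path>`. swiftlint exits
        # non-zero when it finds violations, so the status is ignored here and
        # only stdout (the JSON document) is parsed.
        {output, _status} = System.cmd(exe, ["lint", "--reporter", "json", "--quiet", dir])
        parse(output)
    end
  end

  @doc "Parse reporter JSON and keep only the security-relevant rules."
  def parse(json) do
    case Jason.decode(json) do
      {:ok, violations} when is_list(violations) ->
        findings =
          violations
          |> Enum.filter(&(&1["rule_id"] in @security_rules))
          |> Enum.map(&to_finding/1)

        {:ok, findings}

      _ ->
        {:error, :unparseable_output}
    end
  end

  defp to_finding(v) do
    %{
      rule: v["rule_id"],
      file: v["file"],
      line: v["line"],
      severity: severity(v["severity"]),
      message: v["reason"]
    }
  end

  # Map swiftlint's severity labels (assumed "Error"/"Warning") onto a
  # simple scale; anything unexpected is reported rather than dropped.
  defp severity("Error"), do: :high
  defp severity("Warning"), do: :medium
  defp severity(_), do: :info

  @doc "Run the parser over the constructed sample output."
  def demo, do: parse(@sample_json)
end
```

`SwiftSourceExample.demo()` yields `{:ok, [finding]}` with a single `force_cast` entry at line 12 of `ios/Bridge.swift`; the `line_length` violation is filtered out because it is a style rule, not one of the crash-by-design patterns. `SwiftSourceExample.scan/1` on a machine without swiftlint returns `{:error, :tool_missing}`, which is the soft-degrade path described above.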

---

*Consult [api-reference.md](api-reference.md) for the complete listing.*
