Static analysis of Swift source under ios/ using
swiftlint.
Why swiftlint, not xcodebuild analyze?
The Clang Static Analyzer (run via xcodebuild analyze) is the gold
standard for Objective-C and Swift correctness checks, but it requires
a buildable Xcode project, i.e. a working signing identity, the
right SDK, and a .xcodeproj or .xcworkspace. That's a heavy
prerequisite for a security scan to "just work" out of the box.
swiftlint operates directly on .swift files without compilation,
produces JSON output, and ships several security-relevant rules
(force_cast, force_try, force_unwrapping, implicitly_unwrapped_optional)
that flag crash-by-design patterns: as!, try! and ! unwraps trap at
runtime when the value is not what the code assumed, so each one is a
potential crash that unexpected or attacker-controlled input can
trigger. It's the pragmatic Swift counterpart to detekt.
What this doesn't cover
Mob's iOS bridge is mostly Objective-C (.m / .c files), not
Swift. swiftlint ignores those. ObjC code is covered by the
:c_source layer instead, which runs semgrep+flawfinder over .m
files alongside .c/.h. The split is unfortunate but follows
tool boundaries.
Soft-degrades to :tool_missing when swiftlint isn't installed.
Install on macOS with brew install swiftlint.
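As an added example, not the project's own code, covering the two behaviours described above (the security-relevant rule set and the soft-degrade to :tool_missing): a small runner that returns a tool_missing status when swiftlint is absent, otherwise invokes swiftlint's JSON reporter over ios/ and keeps only the four crash-by-design rules. The lint invocation and the reporter's key names (file, line, rule_id, severity, reason) are assumptions about swiftlint, and the sample report is constructed.

```python
import json
import shutil
import subprocess

# Rules this layer treats as security-relevant: each one traps at runtime.
SECURITY_RULES = frozenset({"force_cast", "force_try",
                            "force_unwrapping", "implicitly_unwrapped_optional"})

def filter_security_findings(report):
    """Keep only violations of the crash-by-design rules, flattened."""
    findings = []
    for v in report:
        if v.get("rule_id") in SECURITY_RULES:
            findings.append({
                "file": v.get("file"),
                "line": v.get("line"),
                "rule": v["rule_id"],
                "severity": (v.get("severity") or "warning").lower(),
                "reason": v.get("reason", ""),
            })
    return findings

def run_swift_layer(root="ios", binary="swiftlint"):
    """Run swiftlint over root; soft-degrade to tool_missing if it is absent."""
    exe = shutil.which(binary)
    if exe is None:
        return {"status": "tool_missing", "findings": [], "hint": "brew install swiftlint"}
    # No check=True: swiftlint exits non-zero when it reports errors; --quiet keeps stdout pure JSON.
    proc = subprocess.run([exe, "lint", "--quiet", "--reporter", "json", root],
                          capture_output=True, text=True)
    try:
        report = json.loads(proc.stdout or "[]")
    except json.JSONDecodeError:
        return {"status": "tool_error", "findings": [], "stderr": proc.stderr}
    return {"status": "ok", "findings": filter_security_findings(report)}

# Constructed sample in the shape of swiftlint's JSON reporter (not real output).
SAMPLE_REPORT = json.loads("""[
 {"character": 14, "file": "ios/Bridge/Auth.swift", "line": 12, "type": "Force Cast",
  "reason": "Force casts should be avoided.", "rule_id": "force_cast", "severity": "Error"},
 {"character": null, "file": "ios/Bridge/Auth.swift", "line": 30, "type": "Line Length",
  "reason": "Line should be 120 characters or less", "rule_id": "line_length", "severity": "Warning"},
 {"character": 9, "file": "ios/Util/Keys.swift", "line": 4, "type": "Force Unwrapping",
  "reason": "Force unwrapping should be avoided.", "rule_id": "force_unwrapping", "severity": "Warning"}
]""")

if __name__ == "__main__":
    for f in filter_security_findings(SAMPLE_REPORT):
        print(f"{f['file']}:{f['line']} {f['severity']} {f['rule']}: {f['reason']}")
```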