Community-maintained security scanning rules for Swift, mapped to OWASP Mobile Top 10 (2024) and CWE identifiers.
- 10 Semgrep-compatible YAML rules covering the most common Swift security anti-patterns
- OWASP coverage matrix showing which Mobile Top 10 categories are addressed
- CWE mappings for every rule, enabling compliance reporting
```bash
# With Semgrep
semgrep --config rules/ /path/to/your/swift/project

# With Foxguard
foxguard --rules rules/ /path/to/your/swift/project
```

These rules are built into quality-gate-swift's SafetyAuditor using SwiftSyntax for higher precision. No configuration needed — they run automatically with `--check safety`.
| Rule ID | CWE | OWASP 2024 | Severity | Description |
|---|---|---|---|---|
| security.hardcoded-secret | CWE-798 | M1 | WARNING | Secret-named variable with string literal value |
| security.command-injection | CWE-78 | M4 | ERROR | Process/NSTask with dynamic arguments |
| security.weak-crypto | CWE-327 | M10 | WARNING | MD5/SHA1 usage (CC_* or Insecure.*) |
| security.insecure-transport | CWE-319 | M5 | WARNING | http:// URLs (excluding localhost) |
| security.eval-js | CWE-95 | M4 | ERROR | evaluateJavaScript with dynamic input |
| security.sql-injection | CWE-89 | M4 | ERROR | String interpolation in SQL function call |
| security.insecure-keychain | CWE-311 | M9 | WARNING | Deprecated keychain accessibility constants |
| security.tls-disabled | CWE-295 | M5 | ERROR | Certificate validation disabled/weakened |
| security.path-traversal | CWE-22 | M4 | WARNING | FileManager with dynamic unsanitized path |
| security.ssrf | CWE-918 | M5 | WARNING | URL constructed from dynamic input |
| Category | Covered | Rules |
|---|---|---|
| M1 Improper Credential Usage | Partial | hardcoded-secret |
| M2 Supply Chain Security | Out of scope | — (dependency auditing) |
| M3 Insecure Auth/AuthZ | Partial | tls-disabled |
| M4 Insufficient I/O Validation | Strong | command-injection, sql-injection, eval-js, path-traversal |
| M5 Insecure Communication | Strong | insecure-transport, ssrf, tls-disabled |
| M6 Inadequate Privacy | Partial | insecure-keychain |
| M7 Binary Protections | Out of scope | — (build/deploy concern) |
| M8 Security Misconfiguration | Partial | tls-disabled |
| M9 Insecure Data Storage | Partial | insecure-keychain |
| M10 Insufficient Cryptography | Strong | weak-crypto |
Swift has very few community security scanning rules compared to JavaScript, Python, or Java. Semgrep's public registry has effectively zero Swift rules. Foxguard added Swift support in April 2026 with 10 tree-sitter rules. This project aims to fill that gap with well-documented, OWASP-mapped rules that any SAST tool can consume.
These are syntactic pattern-matching rules. They catch the obvious cases but cannot:
- Track data flow across function boundaries (taint analysis)
- Resolve types or protocol conformances
- Detect runtime-only vulnerabilities (auth bypass, session handling)
- Analyze `Info.plist` configuration (ATS exceptions, permissions)
For higher precision (fewer false positives), use quality-gate-swift which implements these same rules using SwiftSyntax with full AST context.
Contributions welcome. To add a new rule:
- Create a YAML file in `rules/` following the existing pattern
- Include CWE and OWASP mappings in the metadata
- Add positive and negative test cases
- Update the coverage matrix in this README
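An added example of what a rule file following these steps looks like, using the weak-crypto row from the table above; it is constructed for this README and is not one of the repository's own files, and the filename, the `last-reviewed` date and the metadata key names are assumptions:

```yaml
# rules/security.weak-crypto.yaml (assumed filename; constructed example)
rules:
  - id: security.weak-crypto
    languages: [swift]
    severity: WARNING
    message: >-
      MD5/SHA-1 are broken for collision resistance; use SHA256 or
      stronger from CryptoKit (CWE-327, OWASP Mobile M10).
    # Syntactic matching only: every MD5/SHA-1 call site is reported,
    # whether it comes from CommonCrypto (CC_*) or CryptoKit's
    # Insecure namespace. No data flow or type resolution is involved.
    pattern-either:
      - pattern: Insecure.MD5.hash(...)
      - pattern: Insecure.SHA1.hash(...)
      - pattern: Insecure.MD5()
      - pattern: Insecure.SHA1()
      - pattern: CC_MD5(...)
      - pattern: CC_SHA1(...)
    metadata:
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp: "M10: Insufficient Cryptography"
      category: security
      last-reviewed: "YYYY-MM-DD"   # placeholder; set on each annual review
```

A sibling `rules/security.weak-crypto.swift` with `// ruleid: security.weak-crypto` on the line above each call that must fire and `// ok: security.weak-crypto` above each call that must not (for example `SHA256.hash(data:)`) gives the positive and negative cases, and `semgrep --test rules/` checks both.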
Rules are reviewed against current Apple SDK APIs and OWASP Mobile Top 10 annually. Each rule carries a last-reviewed date in its metadata.
MIT