One of Semgrep’s design principles is to make static analysis possible for every programming language. As we continue to add support for languages, we’re pleased to announce that Swift has now reached experimental status in Semgrep! Semgrep’s parse rate for Swift is at 94%, well above the 90% bar for experimental status, and the basic Semgrep features (the ellipsis operator, written ..., and metavariables) work correctly.
In large part, this is thanks to Alex Pinkus’ excellent work on the Swift Tree-sitter grammar. We use this to parse Swift code before converting it to our generic AST which we can then analyze. If we had been starting from scratch, it would have been much more difficult to reach this point!
Currently, there are no Swift rules in the registry but see below for an example of something that Semgrep can now scan for.
Until Swift rules are added to the registry, you must write custom rules to get findings. However, setting the following up now will position you to get findings as soon as new rules are published.
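As an illustration of the kind of custom rule you can write today, here is an added example (not a rule from the Semgrep registry or from this post) that uses both the ellipsis operator and metavariables on Swift code. It flags values written to UserDefaults under a key whose name suggests a credential, since UserDefaults is plaintext storage and secrets belong in the Keychain. The rule id, message and key-name regex are assumptions chosen for this example; the Swift pattern syntax is the ordinary Semgrep call-pattern syntax, so it should parse with the experimental Swift support, but verify it against your own code.

```yaml
# Added example rule, not part of the Semgrep registry.
# Matches e.g.:  UserDefaults.standard.set(token, forKey: "authToken")
# Does not match: UserDefaults.standard.set(true, forKey: "onboardingDone")
rules:
  - id: swift-credential-in-userdefaults            # assumed id
    languages: [swift]
    severity: WARNING
    message: >-
      A value is stored in UserDefaults under key $KEY, which looks like a
      credential. UserDefaults is an unencrypted plist on disk; store secrets
      in the Keychain instead.
    metadata:
      category: security
    patterns:
      # "..." stands for any argument(s) before the forKey label;
      # $KEY captures the key expression so we can inspect it below.
      - pattern: UserDefaults.standard.set(..., forKey: $KEY)
      # Only fire when the captured key is a string literal whose text
      # contains a credential-like word (regex is an assumption for this example).
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i)^"[^"]*(password|passwd|secret|token|api_?key)[^"]*"$
```

Save the rule as swift-credential.yaml and run it with semgrep --config swift-credential.yaml path/to/swift/project. Because the key check is a metavariable-regex on the literal, keys built at runtime are not inspected; that is a deliberate precision trade-off for an experimental parser rather than a claim of completeness.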
To scan your Swift code:
Using Semgrep App, add a GitHub or GitLab project and have Semgrep scan your codebase every time a PR or MR is created!
On the command line, upgrade to Semgrep v0.111.0 or higher (often using brew upgrade semgrep or pip install --upgrade semgrep) and scan your Swift code with
If you want to contribute Swift rules or file bugs, please check out the documentation.
If you have any questions, feel free to reach out to us in the community Slack. We're happy to answer any questions you might have.
Semgrep is a fast, open-source, static analysis tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.