Skip to main content

Swift support

tip

Semgrep’s Swift coverage leverages framework-specific analysis capabilities that are not present in Semgrep CE. As a result, many framework specific Pro rules will fail to return findings if run on Semgrep CE. To ensure full security coverage, run: semgrep login && semgrep ci.

Semgrep Code analyses

  • Interprocedural analysis (cross-function)
  • All analyses performed by Semgrep CE

Coverage

Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses rules, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets.

By default, Semgrep Code provides you with the p/comment and p/default rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages.

Some examples of rules include:

To view these rules, sign in to Semgrep AppSec Platform.

Swift support in Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.

Supported package managers

Semgrep supports the following Swift package manager:

  • SwiftPM

Analyses and features

The following analyses and features are available for Swift:

Reachability analysis

Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.

License detection

Semgrep Supply Chain's license compliance feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license.

SBOM generation

Semgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.