
Swift SAST

What xgrep detects in Swift — injection, weak crypto, hardcoded keys, insecure TLS, and input-validation issues — for iOS and Cocoa apps.


xgrep parses .swift into tree-sitter ASTs and ships roughly 30 rules, 10 of them taint-based, aimed at iOS / Cocoa applications.

xgrep scan --include '*.swift' .

What xgrep detects

Injection: sql-injection, command-injection, code-injection, predicate-injection (NSPredicate format-string injection), format-string.

Cross-site scripting & XML: xss, xxe.

SSRF: ssrf-request.

Deserialization: unsafe-deserialization.

Path traversal: path-traversal.

Crypto & key management: weak-cipher, weak-hash, weak-key, weak-password-hash, constant-salt, hardcoded-key, hardcoded-password, missing-encryption.

TLS: insecure-tls, disabled-cert-validation.

Auth: jwt-none-algorithm.

Input validation & DoS: input-validation, incomplete-sanitization, string-length, regex-dos, polynomial-redos.

Taint analysis

10 rules use taint mode: untrusted input must reach a sink (a query, a shell/NSPredicate call, a crypto routine) before the rule fires. xgrep also models Cocoa out-parameter / mutating-receiver taint so values written through inout parameters are tracked.
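The following is an added example, not code from xgrep or its documentation, showing the predicate-injection pattern and the inout taint flow described above: an untrusted value is written through an inout parameter and then reaches NSPredicate(format:), first spliced into the format string (the form the rule reports) and then bound as a %@ argument (the fix). It assumes macOS/iOS Foundation, where NSPredicate(format:) is implemented.

```swift
import Foundation

// Constructed example (not xgrep's own code). Sample data stands in for
// the records an app would filter, e.g. Core Data fetch results.

// Taint source: untrusted query parameters (a deep link or a search field).
// The value leaves the function through an inout parameter; xgrep's
// out-parameter modelling keeps it marked as tainted.
func extractSearchTerm(from query: [String: String], into term: inout String) {
    term = query["q"] ?? ""
}

// Sink, vulnerable form: the untrusted string becomes part of the predicate
// grammar itself. A legitimate name such as O'Brien already breaks the
// quoting, and attacker-chosen text can change the query's logic.
// This is what xgrep reports as predicate-injection.
// Not called below: with the sample input it raises an Objective-C
// parse exception (unbalanced quote) that Swift cannot catch.
func vulnerablePredicate(term: String) -> NSPredicate {
    return NSPredicate(format: "name == '\(term)'")
}

// Sink, fixed form: %@ binds the value as an argument. The input is
// compared as data and can no longer alter the predicate structure.
func safePredicate(term: String) -> NSPredicate {
    return NSPredicate(format: "name == %@", term)
}

// End-to-end flow using the fixed sink. Dictionaries bridge to NSDictionary,
// which NSPredicate can evaluate via key-value coding.
func search(_ people: [[String: String]], query: [String: String]) -> [[String: String]] {
    var term = ""
    extractSearchTerm(from: query, into: &term)     // tainted via inout
    let predicate = safePredicate(term: term)
    return (people as NSArray).filtered(using: predicate) as? [[String: String]] ?? []
}

// Constructed sample records and request.
let people: [[String: String]] = [["name": "O'Brien"], ["name": "Smith"]]
let hits = search(people, query: ["q": "O'Brien"])
print(hits.map { $0["name"] ?? "" })
```

Running `xgrep scan --include '*.swift' .` on a file containing vulnerablePredicate should produce a predicate-injection finding, while safePredicate should not.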

See also Secrets scanning and the CLI reference.
