getdoorman 1.0.0

package/src/rules/security/swift.js

@@ -0,0 +1,835 @@
+/**
+ * Swift / iOS / macOS Security Rules (SEC-SWIFT-001 through SEC-SWIFT-040)
+ */
+
+const isSwift = (f) => f.endsWith('.swift');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build|Pods|Carthage)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-SWIFT-001: UserDefaults for sensitive data
+  {
+    id: 'SEC-SWIFT-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sensitive Data in UserDefaults',
+    description: 'UserDefaults stores data unencrypted in plist files. Sensitive data such as passwords, tokens, or keys should be stored in the Keychain.',
+    fix: { suggestion: 'Use Keychain Services (SecItemAdd) instead of UserDefaults for sensitive data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /UserDefaults\s*\..*(?:password|token|secret|apiKey|api_key|credential|auth)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-002: Hardcoded API keys
+  {
+    id: 'SEC-SWIFT-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded API Key or Secret',
+    description: 'API keys or secrets hardcoded in source code can be extracted from compiled binaries.',
+    fix: { suggestion: 'Store secrets in a secure configuration file excluded from source control, or use a secrets manager.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:let|var)\s+\w*(?:apiKey|api_key|secret|password|token|apiSecret|api_secret)\w*\s*[:=]\s*"/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-003: Insecure keychain accessibility
+  {
+    id: 'SEC-SWIFT-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Keychain Accessibility (kSecAttrAccessibleAlways)',
+    description: 'kSecAttrAccessibleAlways makes keychain items accessible even when the device is locked, weakening data protection.',
+    fix: { suggestion: 'Use kSecAttrAccessibleWhenUnlockedThisDeviceOnly or kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /kSecAttrAccessibleAlways(?:ThisDeviceOnly)?(?!After)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-004: App Transport Security disabled
+  {
+    id: 'SEC-SWIFT-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'App Transport Security Exception',
+    description: 'NSAllowsArbitraryLoads disables ATS, allowing insecure HTTP connections.',
+    fix: { suggestion: 'Remove NSAllowsArbitraryLoads or limit exceptions to specific domains with NSExceptionDomains.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /NSAllowsArbitraryLoads\s*.*true/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-005: Missing certificate pinning
+  {
+    id: 'SEC-SWIFT-005',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Certificate Pinning',
+    description: 'URLSession delegate that always trusts server certificates disables certificate validation.',
+    fix: { suggestion: 'Implement proper certificate pinning using SecTrust evaluation or use a library like TrustKit.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.serverTrust\b|completionHandler\s*\(\s*\.useCredential|urlSession.*didReceive.*challenge.*completionHandler/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-006: WebView JavaScript enabled
+  {
+    id: 'SEC-SWIFT-006',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'WebView JavaScript Enabled Without Safeguards',
+    description: 'Enabling JavaScript in WKWebView without proper content restrictions can lead to XSS or script injection.',
+    fix: { suggestion: 'Set javaScriptEnabled only when needed and implement WKContentRuleList or WKScriptMessageHandler for control.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /javaScriptEnabled\s*=\s*true|\.javaScriptEnabled\s*=\s*true/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-007: UIWebView usage
+  {
+    id: 'SEC-SWIFT-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Deprecated UIWebView Usage',
+    description: 'UIWebView is deprecated and has known security vulnerabilities. Apple rejects apps using UIWebView.',
+    fix: { suggestion: 'Migrate to WKWebView which provides better security and performance.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /UIWebView/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-008: Clipboard data leak
+  {
+    id: 'SEC-SWIFT-008',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Clipboard Data Leak via UIPasteboard',
+    description: 'Copying sensitive data to UIPasteboard makes it accessible to other apps.',
+    fix: { suggestion: 'Use UIPasteboard with localOnly and expirationDate options, or avoid copying sensitive data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /UIPasteboard\.general\.(?:string|setValue|setItems|setObjects)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-009: NSLog with sensitive data
+  {
+    id: 'SEC-SWIFT-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'NSLog with Sensitive Data',
+    description: 'NSLog output is written to the system log which can be read by other apps on the device.',
+    fix: { suggestion: 'Remove NSLog calls containing sensitive data or use os_log with appropriate privacy levels.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /NSLog\s*\(.*(?:password|token|secret|key|credential|auth|ssn|credit)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-010: print() with sensitive data
+  {
+    id: 'SEC-SWIFT-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'print() Statement with Sensitive Data',
+    description: 'print() statements with sensitive data remain in release builds and can leak information.',
+    fix: { suggestion: 'Use #if DEBUG guards around print statements or use os_log with privacy annotations.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /print\s*\(.*(?:password|token|secret|key|credential|auth)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-011: Weak crypto CC_MD5
+  {
+    id: 'SEC-SWIFT-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Hashing Algorithm (MD5)',
+    description: 'CC_MD5 is cryptographically broken and should not be used for security purposes.',
+    fix: { suggestion: 'Use SHA-256 or higher via CC_SHA256 or CryptoKit (SHA256).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /CC_MD5\s*\(|\.md5\b|Insecure\.MD5/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-012: Weak crypto CC_SHA1
+  {
+    id: 'SEC-SWIFT-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Hashing Algorithm (SHA1)',
+    description: 'CC_SHA1 is cryptographically weak and collision attacks are practical.',
+    fix: { suggestion: 'Use SHA-256 or higher via CC_SHA256 or CryptoKit (SHA256).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /CC_SHA1\s*\(|\.sha1\b|Insecure\.SHA1/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-013: Force unwrap on network data
+  {
+    id: 'SEC-SWIFT-013',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Force Unwrap on Network Data',
+    description: 'Force unwrapping (!) network response data can crash the app if the server returns unexpected data.',
+    fix: { suggestion: 'Use optional binding (if let / guard let) or try? for safer unwrapping.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:data|response|json|result)\s*!\s*\.|(?:JSONSerialization|JSONDecoder).*!$/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-014: Insecure HTTP URL
+  {
+    id: 'SEC-SWIFT-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure HTTP URL',
+    description: 'Using http:// instead of https:// transmits data in plaintext, vulnerable to interception.',
+    fix: { suggestion: 'Use https:// for all network connections.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /URL\s*\(\s*string\s*:\s*"http:\/\//;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-015: Jailbreak detection bypass
+  {
+    id: 'SEC-SWIFT-015',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Weak Jailbreak Detection',
+    description: 'Checking only for Cydia or specific file paths is easily bypassed on jailbroken devices.',
+    fix: { suggestion: 'Use multiple jailbreak detection checks including fork(), file existence, dylib injection, and sandbox integrity.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\/Applications\/Cydia\.app|\/private\/var\/lib\/apt|canOpenURL.*cydia/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-016: Insecure biometric auth
+  {
+    id: 'SEC-SWIFT-016',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Biometric Authentication',
+    description: 'Using evaluatePolicy alone for biometric auth without Keychain integration allows bypass via runtime manipulation.',
+    fix: { suggestion: 'Combine LAContext.evaluatePolicy with Keychain access control (SecAccessControlCreateWithFlags) for defense in depth.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /evaluatePolicy\s*\(\s*\.deviceOwnerAuthentication/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-017: URL scheme injection
+  {
+    id: 'SEC-SWIFT-017',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'URL Scheme Injection',
+    description: 'Custom URL scheme handlers that do not validate input can be exploited by malicious apps.',
+    fix: { suggestion: 'Validate the source application and sanitize URL parameters in application(_:open:options:).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /func\s+application.*open\s+url.*options.*->.*Bool|openURL\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-018: Insecure file permissions
+  {
+    id: 'SEC-SWIFT-018',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure File Protection',
+    description: 'FileProtectionType.none or .completeUntilFirstUserAuthentication leaves files accessible when locked.',
+    fix: { suggestion: 'Use .completeUnlessOpen or .complete for sensitive files.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /FileProtectionType\.none|\.protectionNone|\.completeUntilFirstUserAuthentication/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-019: Background snapshot leak
+  {
+    id: 'SEC-SWIFT-019',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Background Snapshot Information Leak',
+    description: 'iOS takes a screenshot of the app when backgrounded. Sensitive data may be visible in the app switcher.',
+    fix: { suggestion: 'Implement applicationDidEnterBackground to hide sensitive content with a blur or placeholder view.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /applicationDidEnterBackground|sceneDidEnterBackground/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-020: Missing input validation
+  {
+    id: 'SEC-SWIFT-020',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation on Text Fields',
+    description: 'UITextField/UITextView content used directly without validation or sanitization.',
+    fix: { suggestion: 'Validate and sanitize text field input before using it in queries, URLs, or display.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.text\s*!\s*.*(?:URL|query|sql|exec|eval|request)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-021: Insecure random number generation
+  {
+    id: 'SEC-SWIFT-021',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure Random Number Generation',
+    description: 'arc4random() or rand()/srand() may not provide cryptographically secure randomness.',
+    fix: { suggestion: 'Use SecRandomCopyBytes or SystemRandomNumberGenerator for security-sensitive contexts.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\b(?:arc4random\b|srand\s*\(|rand\s*\(\s*\))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-022: Hardcoded encryption key
+  {
+    id: 'SEC-SWIFT-022',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Encryption Key',
+    description: 'Encryption keys hardcoded in source code can be extracted from the binary.',
+    fix: { suggestion: 'Generate keys at runtime and store in Keychain, or use key derivation functions.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:let|var)\s+\w*(?:encryptionKey|aesKey|privateKey|symmetricKey)\w*\s*[:=]\s*"/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-023: Disabled SSL pinning in Alamofire
+  {
+    id: 'SEC-SWIFT-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Disabled SSL Pinning in Alamofire',
+    description: 'DisabledTrustEvaluator or ServerTrustPolicy.disableEvaluation disables certificate validation.',
+    fix: { suggestion: 'Use PinnedCertificatesTrustEvaluator or PublicKeysTrustEvaluator for proper pinning.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /DisabledTrustEvaluator|DisabledEvaluator|\.disableEvaluation/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-024: CoreData unencrypted store
+  {
+    id: 'SEC-SWIFT-024',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unencrypted CoreData Persistent Store',
+    description: 'CoreData SQLite stores are unencrypted by default, exposing data at rest.',
+    fix: { suggestion: 'Use NSPersistentStoreFileProtectionKey or an encrypted store like EncryptedCoreData.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /NSSQLiteStoreType|addPersistentStore.*NSSQLiteStoreType/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-025: Realm unencrypted
+  {
+    id: 'SEC-SWIFT-025',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unencrypted Realm Database',
+    description: 'Realm databases are unencrypted by default, exposing sensitive data at rest.',
+    fix: { suggestion: 'Set Realm.Configuration encryptionKey with a key stored in the Keychain.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /Realm\s*\(\s*\)|Realm\.Configuration\s*\(\s*\)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-026: Insecure deserialization
+  {
+    id: 'SEC-SWIFT-026',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Deserialization (NSKeyedUnarchiver)',
+    description: 'NSKeyedUnarchiver.unarchiveObject is deprecated and can lead to arbitrary code execution.',
+    fix: { suggestion: 'Use unarchivedObject(ofClass:from:) with NSSecureCoding and requiresSecureCoding = true.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /unarchiveObject\s*\(with|NSKeyedUnarchiver\s*\(\s*forReadingWith/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-027: SQL injection in SQLite
+  {
+    id: 'SEC-SWIFT-027',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection in SQLite',
+    description: 'String interpolation in SQLite queries allows SQL injection.',
+    fix: { suggestion: 'Use parameterized queries with sqlite3_bind_text or a safe wrapper like GRDB/SQLite.swift.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /sqlite3_exec\s*\(.*\\?\(|sqlite3_prepare.*".*\\?\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-028: Insecure cookie storage
+  {
+    id: 'SEC-SWIFT-028',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Insecure Cookie Storage',
+    description: 'HTTPCookieStorage.shared stores cookies that may be accessible to other apps.',
+    fix: { suggestion: 'Use ephemeral URLSession configuration or set cookie security attributes (Secure, HttpOnly).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /HTTPCookieStorage\.shared|\.httpShouldHandleCookies\s*=\s*true/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-029: Cleartext traffic
+  {
+    id: 'SEC-SWIFT-029',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Cleartext Network Traffic',
+    description: 'NSExceptionAllowsInsecureHTTPLoads permits cleartext HTTP traffic to specific domains.',
+    fix: { suggestion: 'Use HTTPS for all connections. If HTTP is required, document the reason and limit the exception scope.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /NSExceptionAllowsInsecureHTTPLoads|NSTemporaryExceptionAllowsInsecureHTTPLoads/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-030: Logging sensitive data with os_log
+  {
+    id: 'SEC-SWIFT-030',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Sensitive Data in os_log Without Privacy',
+    description: 'os_log with %{public} format specifier makes sensitive data visible in Console.app.',
+    fix: { suggestion: 'Use %{private} for sensitive data or omit the public specifier.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /os_log.*%\{public\}.*(?:password|token|secret|key|credential)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-031: Disabled code signing
+  {
+    id: 'SEC-SWIFT-031',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Code Signing Disabled or Ad-Hoc',
+    description: 'Missing or ad-hoc code signing weakens binary integrity verification.',
+    fix: { suggestion: 'Enable proper code signing with a valid Apple Developer certificate.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /CODE_SIGNING_ALLOWED\s*=\s*NO|CODE_SIGN_IDENTITY\s*=\s*""/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-032: WebView loadHTMLString with user data
+  {
+    id: 'SEC-SWIFT-032',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'WebView XSS via loadHTMLString',
+    description: 'Loading unsanitized HTML content into a WebView can lead to cross-site scripting.',
+    fix: { suggestion: 'Sanitize HTML content before loading, or use loadFileURL with a safe directory.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /loadHTMLString\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-033: Insecure IPC via pasteboard
+  {
+    id: 'SEC-SWIFT-033',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Insecure Inter-Process Communication via Pasteboard',
+    description: 'Using UIPasteboard for IPC exposes data to all apps on the device.',
+    fix: { suggestion: 'Use App Groups with shared UserDefaults or Keychain sharing for secure IPC.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /UIPasteboard\s*\(\s*name\s*:/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-034: ECB mode encryption
+  {
+    id: 'SEC-SWIFT-034',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'ECB Mode Encryption',
+    description: 'ECB mode preserves data patterns and should not be used for encrypting data.',
+    fix: { suggestion: 'Use GCM (recommended) or CBC mode with a random IV.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.ECBMode|kCCOptionECBMode|\.ecb\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-035: Keychain without access group
+  {
+    id: 'SEC-SWIFT-035',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Keychain Without Access Group Restriction',
+    description: 'Keychain items without explicit access group may be shared unintentionally across apps.',
+    fix: { suggestion: 'Set kSecAttrAccessGroup to restrict Keychain item access to specific apps.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /SecItemAdd\s*\((?!.*kSecAttrAccessGroup)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-036: Dynamic library loading
+  {
+    id: 'SEC-SWIFT-036',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dynamic Library Loading',
+    description: 'dlopen can load malicious libraries at runtime, bypassing code signing.',
+    fix: { suggestion: 'Avoid dynamic library loading. If necessary, verify the loaded library integrity.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /dlopen\s*\(|NSBundle.*load\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-037: Swizzling usage
+  {
+    id: 'SEC-SWIFT-037',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Method Swizzling Detected',
+    description: 'Method swizzling can be used to intercept sensitive method calls at runtime.',
+    fix: { suggestion: 'Avoid swizzling security-critical methods. Use protocol-based approaches instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /method_exchangeImplementations|class_replaceMethod|method_setImplementation/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-038: Debug assertions in release
+  {
+    id: 'SEC-SWIFT-038',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Assertion May Be Stripped in Release',
+    description: 'assert() is removed in release builds. Security checks using assert will not execute.',
+    fix: { suggestion: 'Use precondition() or preconditionFailure() for security-critical checks that must remain in release builds.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\bassert\s*\(.*(?:auth|permission|access|security|valid)/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-039: Keyboard cache for sensitive fields
+  {
+    id: 'SEC-SWIFT-039',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Keyboard Cache for Sensitive Input',
+    description: 'iOS caches keyboard input for autocorrect. Sensitive fields should disable autocorrection.',
+    fix: { suggestion: 'Set autocorrectionType = .no and isSecureTextEntry = true for sensitive text fields.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.isSecureTextEntry\s*=\s*false|secureTextEntry.*false/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SWIFT-040: Hardcoded certificate
+  {
+    id: 'SEC-SWIFT-040',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Hardcoded Certificate or Public Key',
+    description: 'Hardcoded certificates make rotation difficult and may include private key material.',
+    fix: { suggestion: 'Load certificates from the app bundle or fetch public keys dynamically with fallback pinning.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /-----BEGIN\s+(?:CERTIFICATE|RSA\s+PRIVATE\s+KEY|PUBLIC\s+KEY)-----/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isSwift(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;