Overview › Static Analysis & Lint

Static Analysis & Lint

SwiftLint integrated via CocoaPods — verify rules are enforced on every PR.

0 findings in this category · iOS

SCORE

Summary

SwiftLint integrated via CocoaPods. NowSecure runs in CI (azure-pipeline-nowsecure.yml). No published lint baseline; rule enforcement strictness unclear.

Static-analysis tool stack

Tool	Purpose	Status
SwiftLint	Style + opinion-based rules	PRESENT (Pod)
SwiftFormat	Auto-formatting on save / pre-commit	VERIFY
NowSecure	Mobile security scan in CI	PRESENT
Periphery	Dead-code detection	RECOMMEND
SwiftLint custom rules	Project-specific bans (hex outside DS, print outside DEBUG)	RECOMMEND
Xcode Static Analyzer	Built-in — flags retain cycles, dead stores	RUN PERIODICALLY
Coverage gating	Block PRs that drop changed-file coverage	RECOMMEND

Recommended SwiftLint custom rules

# .swiftlint.yml — custom_rules section

custom_rules:
  no_print_in_release:
    name: "Forbid print() outside #if DEBUG"
    regex: "^\\s*print\\("
    severity: warning

  no_hex_color_outside_design_system:
    name: "Hardcoded hex color"
    regex: "Color\\(hex:|UIColor\\(hex:"
    excluded:
      - ".*CostcoDesignSystem.*"
    severity: warning

  no_force_try_in_production:
    name: "Forbid try!"
    regex: "try!"
    excluded:
      - ".*Tests.*"
      - ".*UITests.*"
    severity: error

  no_force_unwrap_url:
    name: "URL force-unwrap"
    regex: "URL\\(string:.*\\)!"
    severity: error

CI integration

Wire each tool into Azure Pipelines:

SwiftLint — run on every PR; fail on error-severity violations.
SwiftFormat — pre-commit hook; PR fails if files would be reformatted.
Periphery — weekly scheduled job; produces deletion-candidate list.
Xcode Static Analyzer — quarterly run; results surfaced in dashboard.
Coverage — published to Codecov; PR comment with diff.

Findings

PASS

SwiftLint + NowSecure

SwiftLint integrated; NowSecure mobile security scans run separately.

MEDIUM

No published .swiftlint.yml baseline

Without a published baseline, lint findings are background noise.

Recommendation: Generate a baseline; treat error-severity rules as build-breakers; review baseline diff per PR.

MEDIUM

Custom rules opportunity

SwiftLint supports custom regex rules.

Recommendation: Add custom rules for: hex literals outside design system, print outside DEBUG, force-unwrap in non-test code, NSLocalizedString with empty comment.

LOW

Adopt periphery for dead code

Periphery finds unused code in Swift projects.

Recommendation: Run quarterly; commit deletions in batches.

No findings logged in this category yet for iOS.

Costco iOS · Code Review Report · Generated 2026-05-07 · 88 machine-curated findings