Beta testers wanted: Get a sneak peek at GitHub’s code scanning support for Swift!

:wave: Pierre from GitHub here.

What’s happening?

On June 1 2023, just ahead of WWDC 23, GitHub is adding Swift support to a number of our Advanced Security features:

  • GitHub code scanning support for Swift enters public beta to help open-source and enterprise Swift developers secure their code with actionable security alerts right on your pull request. Code scanning is free for all open-source projects and security researchers.
  • GitHub Advisory Database and Dependency Graph add support for Swift, which means that users of Dependabot can receive alerts for their vulnerable Swift dependencies!

We need your help!

As we prepare for the public launch of our code scanning support for Swift, we are excited to announce an expansion of our private beta! Developing support for Swift has been a complex undertaking, and requires extensive testing. We are thrilled to now be able to open up the beta to a larger group of users, who can play a key role in making sure that our Swift support is as robust and reliable as possible :rocket:

We currently identify issues such as path injection, unsafe web view fetches, numerous cryptographic misuses and other types of unsafe evaluation or processing of unsanitized user-controlled data. During the private and public beta, we’ll gradually increase our coverage of distinct weaknesses.

Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which in sum run nearly 400 checks on your code, all while keeping false positive rates low and precision high.

How to join

If you have an open-source Swift project hosted on GitHub, we’d love for you to try out this feature. To sign up, follow these steps:

  1. Join the GitHub Security Lab Slack instance at https://gh.io/securitylabslack
  2. Join the #codeql-swift-beta-lobby channel
  3. Introduce yourself and your project(s) in a short message

Our team monitors this channel and will admit new requests on an ongoing basis. Once admitted, you’ll have access to a private channel for immediate discussion and feedback with the CodeQL team, as well as access to the setup instructions.

If you are a security researcher, we’ll also provide instructions to build and explore CodeQL Swift databases locally.

What kind of feedback are we looking for?

We’re dedicated to making setup and integration easy for new users. If you face any issues, please let us know - we prioritize those! Also, we’d love to hear your thoughts on our initial security queries and results. Are they helpful and clear? Anything missing?

What platforms, versions are supported?

  • Swift-only projects (Obj-C files are not analyzed), including libraries
  • Developed for and on Apple operating systems (macOS, iOS, iPadOS, etc.)
  • Our query coverage is geared towards mobile apps, but server-side Swift projects should analyze fine
  • Linux support is limited, and Windows is currently not supported
  • Swift versions 5.5 to 5.7 are supported

Code scanning uses GitHub Actions to build and analyze your code.

If you’re already building with GitHub Actions, you can as of today also choose to use macOS 13 runners, which are currently in beta. macOS 12 runners are used by default when the macos-latest label is used. Both types now also support XL runners for more demanding builds.

Our team is currently working towards supporting Swift 5.8. Swift 5.8 is not yet available by default on GitHub Actions, but will be once macOS 13 support stabilizes in Actions and will be available in CodeQL code scanning by June 1.

Dependabot Updates (PRs to fix Dependabot Alerts) are not included in this release.

Cool! Does this imply dependabot support too? (Swift Package Manager Support? · Issue #1245 · dependabot/dependabot-core · GitHub)

Absolutely brilliant! I've been hoping (and requesting) this support within GitHub.

Sorry, I should clarify, I think I misunderstood your question! :broken_heart:

The changes above include support for Dependabot security alerts - that's what will ship on June 1. The update via a PR to fix that alert (part of the work you linked to) is not part of this release.

(also FYI @hassila - sorry for the confusion)

@turbo

First: Thank you. This announcement is a great news! :slightly_smiling_face:

2 questions:

Thanks.

@florentmorin good questions!

The Beta is also open to GitHub Enterprise users. Existing GitHub Enterprise customers should contact their GitHub account manager to request beta access as part of their GitHub Advanced Security license.

I don't have any updates to share on Packages at the moment, but do keep the feedback coming :slight_smile:.

This is so exciting! I'm currently working on a research paper about security in iOS apps, and I would be very interested in the ability to set this up locally. Any chance I could get access?

Please follow the instructions in the "How to join" section :slight_smile:

Good news! CodeQL code scanning support for Swift is now available to all GitHub.com users - no beta signup required!

Read our announcement here.

You can now also join the #codeql-swift-beta channel in our Slack instance without first joining the lobby to provide feedback and ask questions. See you there!

Sorry, I should've been more clear in my first comment. I don't have an e-mail from any of the required domains to join the Slack, so I am hoping for an invitation.

The Slack sign up is no longer required now that we are in public beta. You can follow the normal CodeQL instructions here for a local setup: https://codeql.github.com

Aha, awesome! Thanks for replying, sorry for being a bit slow :smile: