Pierre from GitHub here.
What’s happening?
On June 1 2023, just ahead of WWDC 23, GitHub is adding Swift support to a number of our Advanced Security features:
- GitHub code scanning support for Swift enters public beta to help open-source and enterprise Swift developers secure their code with actionable security alerts right on your pull request. Code scanning is free for all open-source projects and security researchers.
- GitHub Advisory Database and Dependency Graph add support for Swift, which means that users of Dependabot can receive alerts for their vulnerable Swift dependencies!
We need your help!
As we prepare for the public launch of our code scanning support for Swift, we are excited to announce an expansion of our private beta! Developing support for Swift has been a complex undertaking and requires extensive testing. We are thrilled to now be able to open up the beta to a larger group of users, who can play a key role in making sure that our Swift support is as robust and reliable as possible.
We currently identify issues such as path injection, unsafe web view fetches, numerous cryptographic misuses and other types of unsafe evaluation or processing of unsanitized user-controlled data. During the private and public beta, we’ll gradually increase our coverage of distinct weaknesses.
Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which together run nearly 400 checks on your code, all while keeping false positive rates low and precision high.
How to join
If you have an open-source Swift project hosted on GitHub, we’d love for you to try out this feature. To sign up, follow these steps:
- Join the GitHub Security Lab Slack instance at https://gh.io/securitylabslack
- Join the #codeql-swift-beta-lobby channel
- Introduce yourself and your project(s) in a short message
Our team monitors this channel and will admit new requests on an ongoing basis. Once admitted, you’ll have access to a private channel for immediate discussion and feedback with the CodeQL team, as well as access to the setup instructions.
If you are a security researcher, we’ll also provide instructions to build and explore CodeQL Swift databases locally.
What kind of feedback are we looking for?
We’re dedicated to making setup and integration easy for new users. If you face any issues, please let us know; we prioritize those! We’d also love to hear your thoughts on our initial security queries and results. Are they helpful and clear? Is anything missing?
What platforms and versions are supported?
- Swift-only projects (Obj-C files are not analyzed), including libraries
- Developed for and on Apple operating systems (macOS, iOS, iPadOS, etc.)
- Our query coverage is geared towards mobile apps, but server-side Swift projects should analyze fine
- Linux support is limited, and Windows is currently not supported
- Swift versions 5.5 to 5.7 are supported
Code scanning uses GitHub Actions to build and analyze your code.
If you’re already building with GitHub Actions, you can as of today also choose to use macOS 13 runners, which are currently in beta. macOS 12 runners are used by default when the macos-latest label is used. Both types now also support XL runners for more demanding builds.
Our team is currently working towards supporting Swift 5.8. Swift 5.8 is not yet available by default on GitHub Actions; it will be once macOS 13 support stabilizes in Actions, and it will be available in CodeQL code scanning by June 1.
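The runner choice described above, as an added example that is not part of this post and not the setup instructions shared in the beta channel: a minimal code scanning workflow for a Swift project, assuming the publicly documented github/codeql-action steps (init, autobuild, analyze), the swift language identifier, and the macos-13 beta runner label.

```yaml
name: "CodeQL (Swift)"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required to upload code scanning alerts

jobs:
  analyze:
    # macos-latest resolves to macOS 12 as of this post; the macOS 13 runner
    # label (beta) is the one to pick if your project needs a newer toolchain.
    runs-on: macos-13
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: swift   # Swift-only; Obj-C files are not analyzed

      # Swift is a compiled language, so CodeQL needs to observe a build.
      # autobuild tries to detect and build the Xcode project or Swift
      # package; replace it with explicit xcodebuild / swift build steps
      # if your project needs custom build settings.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Alerts produced by the analyze step appear on the pull request and under the repository's Security tab.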
Dependabot Updates (PRs to fix Dependabot Alerts) are not included in this release.