BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Register now with early bird tickets.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Register now with early bird tickets.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News GitHub Announces Code Scanning and Security Advisory Support for Swift

Mobile

GitHub Announces Code Scanning and Security Advisory Support for Swift

This item in japanese

Bookmarks

Jun 10, 2023 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.

GitHub code scanning enables receiving actionable security alerts in pull requests, which are shown as a review on the PR Conversation tab. Swift support extends the set of programming languages that GitHub can scan for weaknesses, which already included C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go.

Having both Kotlin and Swift support is crucial for CodeQL, the engine that powers GitHub code scanning, due to the growing popularity and adoption of these programming languages. Kotlin and Swift are widely used in mobile app development, particularly for Android and iOS platforms.

Currently, code scanning for Swift covers path injection, unsafe web view fetches, cryptographic misuses, processing of unsanitized data, and more. GitHub says they will increase the number of weaknesses Swift code scanning is able to detect as the beta progresses. For the rest of supported languages, code scanning includes nearly 400 checks and strives to keep false positive rate low and precision high, says GitHub.

Code scanning for Swift uses macOS runners, which are more expensive than Linux and Windows runners. Due to this, GitHub recommends building only the code you want to analyze and targeting only one architecture. Currently, Swift versions from 5.4 to 5.7 can be analyzed on macOS, while Swift 5.7.3 can be also analyzed using Linux.

On the supply chain security front, GitHub also announced they will add curated Swift advisories to the Advisory Database and Swift dependencies analysis to dependency graphs. This will enable Dependabot to send alerts about vulnerable dependencies included in Swift projects.

The GitHub Advisory Database contains known security vulnerabilities and malware (still in beta). Advisories can be curated or not curated. The dependency graph includes all the dependencies of a repository, including direct and indirect dependencies, and is generated automatically for all public repositories. According to GitHub, Swift support will come later in June.

On a related note, GitHub has launched a Bug Bounty program for Kotlin and Swift security researchers to submit new CodeQL queries that can uncover new vulnerabilities in Swift and Kotlin programs.

About the Author

Sergio De Simone

Show moreShow less

Rate this Article

Adoption
Style

This content is in the Mobile topic

Related Topics:
BT