
Swift support brings broader mobile application security to GitHub Advanced Security

For Swift, this includes identifying issues such as path injections, unsafe web view fetches, numerous cryptographic misuses, and other types of unsafe evaluation or processing of unsanitized user data. This ensures that developers can proactively identify and address security issues during the development process with our developer-friendly alerts, enhancing the overall security posture of their applications. During our public beta, we’ll gradually increase our coverage of distinct weaknesses.

Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which means you can run nearly 400 checks on your code, all while keeping false positive rates low and precision high.

Looking ahead

On the supply chain security side, we’re also adding Swift as a supported package ecosystem, with Swift security advisories supported and curated in the GitHub Advisory Database and Swift dependencies in the dependency graph later in June. This means that Dependabot will soon alert you about vulnerable dependencies in your Swift projects and open pull requests with the suggested fix.

Swift and Kotlin Bug Bounty

With support for Swift and Kotlin in code scanning in public beta, the GitHub Security Lab has opened the Bug Bounty program for software security researchers to submit CodeQL queries to test open source projects written in Swift and Kotlin.

The GitHub Security Lab’s CodeQL Bug Bounty program aims at scaling the security research community’s work across open source projects. This program offers the opportunity for researchers to write a CodeQL query to not only find existing bugs at scale in open source, but also support developers in preventing future bugs in open source projects.
