On the supply chain security front, GitHub also announced they will add curated Swift advisories to the Advisory Database and Swift dependencies analysis to dependency graphs. Currently, Swift versions from 5.4 to 5.7 can be analyzed on macOS, while Swift 5.7.3 can be also analyzed using Linux.
Due to this, GitHub recommends building only the code you want to analyze and targeting only one architecture. For the rest of supported languages, code scanning includes nearly 400 checks and strives to keep false positive rate low and precision high, says GitHub.Ĭode scanning for Swift uses macOS runners, which are more expensive than Linux and Windows runners. GitHub says they will increase the number of weaknesses Swift code scanning is able to detect as the beta progresses. Kotlin and Swift are widely used in mobile app development, particularly for Android and iOS platforms.Ĭurrently, code scanning for Swift covers path injection, unsafe web view fetches, cryptographic misuses, processing of unsanitized data, and more. Having both Kotlin and Swift support is crucial for CodeQL, the engine that powers GitHub code scanning, due to the growing popularity and adoption of these programming languages. Swift support extends the set of programming languages that GitHub can scan for weaknesses, which already included C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go. GitHub code scanning enables receiving actionable security alerts in pull requests, which are shown as a review on the PR Conversation tab.
GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.
0 kommentar(er)
