We’ve launched the beta of code scanning support for Swift. This launch, paired with our launch of Kotlin support in November, means that CodeQL covers both IOS and Android development languages, bringing a heightened level of security to the mobile application development process.
Mobile applications have become a fundamental part of everyday life, from how we work, communicate, and entertain ourselves. We rely on mobile applications for their convenience, ease of use, and ability to provide access to a wide range of services and information on the go. At GitHub, we want to ensure we’re bringing code to you, wherever you are. That’s why we’ve made a number of investments in GitHub Mobile so that developers can build from anywhere, giving them ways to manage their projects, help secure their code, and connect with communities all on the go.
According to a report by Statista, the number of mobile app downloads worldwide was 255 billion in 2022. It’s never been more essential to ensure that your mobile applications are secure and that your users’ data remains private.
Today, we’re highlighting two exciting releases, aimed at providing developers new ways to secure their mobile applications built on GitHub. The first is the launch of our beta for code scanning support for Swift, which will allow users to scan Swift repositories for potential vulnerabilities. The second is upcoming support for Swift security advisories, allowing Dependabot to alert you about vulnerable Swift dependencies in the dependency graph.
In November, we announced the beta of Kotlin support for code scanning. Since then, developers have fixed over 6,000 Kotlin alerts! Having both Kotlin and Swift support is crucial for CodeQL, the engine that powers GitHub code scanning, due to the growing popularity and adoption of these programming languages. Kotlin and Swift are widely used in mobile app development, particularly for Android and iOS platforms. By offering support for Kotlin and Swift, code scanning can effectively analyze and detect security vulnerabilities and potential threats specific to these languages.
For Swift, this includes identifying issues such as path injections, unsafe web view fetches, numerous cryptographic misuse, and other types of unsafe evaluation or processing of unsanitized user data. This ensures that developers can proactively identify and address security issues during the development process with our developer friendly alerts, enhancing the overall security posture of their applications. During our public beta, we’ll gradually increase our coverage of distinct weaknesses.
Swift joins our existing supported languages (C/C++, Java/Kotlin, JS/TS, Python, Ruby, C#, and Go), which means you can run nearly 400 checks on your code, all while keeping false positive rates low and precision high.
On the supply chain security side, we’re also adding Swift as a supported package ecosystem, with Swift security advisories supported and curated in the GitHub Advisory Database and Swift dependencies in the dependency graph later in June. This means that Dependabot will soon alert you about vulnerable dependencies in your Swift projects and open pull requests with the suggested fix.
With support for Swift and Kotlin in code scanning in public beta, the GitHub Security Lab has opened the Bug Bounty program for software security researchers to submit CodeQL queries to test open source projects written in Swift and Kotlin.
The GitHub Security Lab’s CodeQL Bug Bounty program aims at scaling the security research community’s work across open source projects. This program offers the opportunity for researchers to write a CodeQL query to not only find existing bugs at scale in open source, but also support developers in preventing future bugs in open source projects.
To support the beta testing of these mobile languages, the GitHub Security Lab will provide a specific bonus for CodeQL query submissions for Swift and Kotlin from now through December 1, 2023. The first 10 submissions that score High or Critical will get an additional reward up to $2,000. Learn more about this specific bonus in the FAQ on the bounty page.
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.