# GitHub embraces Swift and provides code analysis, security alerts and dependency updates for Swift projects

GitHub released significant updates for Swift developers this summer.

Swift is now supported for the following GitHub tools:

* **CodeQL**: semantic [code analysis](https://github.blog/changelog/2023-07-05-code-scanning-with-codeql-supports-swift-5-8) to detect security vulnerabilities
* **Dependabot**: [security alerts](https://github.blog/changelog/2023-06-19-dependency-graph-dependabot-alerts-and-advisory-database-now-support-swift-advisories) and [dependency updates](https://github.blog/changelog/2023-08-01-swift-support-for-dependabot-updates)

## CodeQL and Swift

[Tim Condon](https://twitter.com/0xTim) wrote an excellent guide on how to set up CodeQL for a Swift project.

%[https://forums.swift.org/t/codeql-updates/66540] 

An interesting key takeaway is that you cannot use `github/codeql-action/autobuild@v2` in your GitHub Actions workflow to build Swift packages. You have to replace that step with an explicit `swift build`.
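For reference, here is what such a workflow looks like with the autobuild step swapped for an explicit build. This is an added example, not code from the post or from Tim's guide; the runner label (`macos-13`), branch names and job name are assumptions, and the three `github/codeql-action` steps and `actions/checkout` are the standard code-scanning actions.

```yaml
name: CodeQL (Swift)

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
    branches: [main]

jobs:
  analyze:
    # Assumption: a macOS runner with a Swift toolchain preinstalled
    runs-on: macos-13
    permissions:
      contents: read
      security-events: write   # required to upload results to code scanning
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: swift

      # Deliberately NOT github/codeql-action/autobuild@v2: per the post it
      # cannot build Swift packages. An explicit build lets CodeQL's tracer
      # observe the compilation and extract the database.
      - name: Build package
        run: swift build

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
```

The `security-events: write` permission is what allows the analyze step to upload its SARIF results; without it the workflow builds fine but no alerts appear in the Security tab.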

## Dependabot and Swift

Setup was a breeze and straightforward thanks to a guided process for creating the necessary `dependabot.yml` configuration file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087938536/a43fa1d5-86d2-4c66-a9da-b79b60c0b225.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087951455/f94d6c77-eb87-4b0a-baf0-2df45ac6f1e2.png align="center")

Nice to see my package dependencies in GitHub's Dependency graph view.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087967908/0b70f3bb-d429-4421-92d4-33058445425e.png align="center")

Dependabot will check for version updates according to the `interval` maintained in the YAML file, or I can trigger a manual check.
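The generated `dependabot.yml` the guided process produces is short. Below is an added example of a complete configuration for a Swift package (not the file from the post): `package-ecosystem: "swift"`, `directory`, `schedule.interval` and `open-pull-requests-limit` are documented Dependabot keys; the root directory, weekly cadence and PR limit are assumptions, and the second `github-actions` entry is an optional addition that keeps the workflow's own action pins current.

```yaml
# .github/dependabot.yml
version: 2
updates:
  # Swift Package Manager dependencies (Package.swift / Package.resolved)
  - package-ecosystem: "swift"
    directory: "/"             # assumed: Package.swift lives at the repo root
    schedule:
      interval: "weekly"       # the `interval` the post refers to
      day: "monday"
    open-pull-requests-limit: 5

  # Optional: also keep the actions used in workflows (e.g. the CodeQL
  # actions) pinned to current releases.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With `interval: "weekly"` Dependabot opens update PRs on the configured day; the "Check for updates" button in the Insights > Dependency graph > Dependabot view triggers the same run on demand.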

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087981377/e260b1d8-deaf-456c-8c27-73ca644cd528.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087380654/4a70c323-752e-4ca6-9465-40062586c453.png align="center")

I stumbled over two issues.

First, there is a bug when using scp-style URIs. This bug should be fixed soon, but you can avoid it by using https links in your `Package.swift` and `Package.resolved` files.

```swift
// GOOD: https URL, handled correctly by Dependabot
dependencies: [.package(url: "https://github.com/MarcoEidinger/DummySwiftPackage.git", .upToNextMajor(from: "1.0.0"))]

// BAD: scp-style URI, triggers the Dependabot bug
dependencies: [.package(url: "git@github.com:MarcoEidinger/DummySwiftPackage.git", .upToNextMajor(from: "1.0.0"))]
```

You can track the status of the bug fix in the following GitHub issue I created.

%[https://github.com/dependabot/dependabot-core/issues/7709] 

Second, the Dependabot logic to update dependencies is different from the behavior of Swift Package Manager (SPM).

`swift package update` will honor the version requirement `.upToNextMajor(from: "1.0.0")` by only updating `Package.resolved` for patch and minor releases.

Dependabot may create a PR that changes the version requirement itself, updating both `Package.swift` and `Package.resolved` for you.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1691087339086/e6a7e370-6d7d-4eae-968b-30b44c51f705.png align="center")

I like the Dependabot logic offering to bump up the major version, but it was unexpected.

[David Rodríguez](https://twitter.com/DeividAsdf) told me that GitHub will support [versioning-strategies](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy) soon so that developers can choose their preferred update strategy.

## Conclusion

Such tool support is fantastic for Swift developers, especially for server-side development as the GitHub Advisory Database warns about [several vulnerabilities in Swift](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift) when using Vapor, swift-nio-http2 or grpc-swift.

I am also excited to see built-in support for dependency update management.

Probably this was inspired by community projects for GitHub actions like [swift-package-dependencies-check](https://github.com/MarcoEidinger/swift-package-dependencies-check) or [action-xcodeproj-spm-update](https://github.com/getsidetrack/action-xcodeproj-spm-update).

```yaml
name: Package Update

on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1' # Monday at 06:00 UTC

jobs:
  dependencies:
    uses: MarcoEidinger/swift-package-dependencies-check/.github/workflows/reusableWorkflow.yml@v2
    with:
      commit-message: 'Package update'
```

Above you see an example of how [SwiftPackageIndex-Server](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server) updates their packages, and I am curious whether Dave or Sven plan to migrate to Dependabot.
