
Swift queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze code written in Swift when you select the default or the security-extended query suite.

CodeQL includes many queries for analyzing Swift code. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see CodeQL query suites.

Built-in queries for Swift analysis

This table lists the queries available with the latest release of the CodeQL action and CodeQL CLI. For more information, see CodeQL change logs in the CodeQL documentation site.

| Query name | Related CWEs |
| --- | --- |
| Bad HTML filtering regexp | 116, 020, 185, 186 |
| Cleartext logging of sensitive information | 312, 359, 532 |
| Cleartext storage of sensitive information in a local database | 312 |
| Cleartext storage of sensitive information in an application preference store | 312 |
| Cleartext transmission of sensitive information | 319 |
| Database query built from user-controlled sources | 089 |
| Encryption using ECB | 327 |
| Incomplete regular expression for hostnames | 020 |
| Inefficient regular expression | 1333, 730, 400 |
| Insecure TLS configuration | 757 |
| Insufficient hash iterations | 916 |
| Missing regular expression anchor | 020 |
| Predicate built from user-controlled sources | 943 |
| Regular expression injection | 730, 400 |
| Resolving XML external entity in user-controlled data | 611, 776, 827 |
| Static initialization vector for encryption | 329, 1204 |
| String length conflation | 135 |
| System command built from user-controlled sources | 078, 088 |
| Uncontrolled data used in path expression | 022, 023, 036, 073, 099 |
| Uncontrolled format string | 134 |
| Unsafe WebView fetch | 079, 095, 749 |
| Use of a broken or weak cryptographic hashing algorithm on sensitive data | 327, 328 |
| Use of an inappropriate cryptographic hashing algorithm on passwords | 327, 328, 916 |
| Use of constant salts | 760 |
| JavaScript Injection | 094, 095, 749 |
