Tags: xcode, clang, keychain, clang-static-analyzer

What sort of bugs does the “Misuse of Keychain Services API” analysis find?


Xcode 4.6 has a build setting labeled “Misuse of Keychain Services API”, a.k.a. CLANG_ANALYZER_SECURITY_KEYCHAIN_API. The Quick Help is unhelpful:

Check for misuse of Keychain Services API.

So, what sort of “misuses” does the Clang Static Analyzer look for when this is on?


Solution

  • It's intended to ensure that memory allocated by functions in the Keychain Services API is deallocated in the correct manner by the caller. For instance, SecKeychainFindGenericPassword returns password data via an output parameter. The caller is required to deallocate this data via SecKeychainItemFreeContent rather than alternative APIs like free. Failing to use the correct API can leave sensitive data (e.g., the password) in memory.

    You can see the implementation of this checker in the LLVM SVN repository if you're interested in more detail.
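The misuse the answer describes, as an added example that is not part of the question, the answer, or the checker's source: one helper releases the buffer from SecKeychainFindGenericPassword with free() (the pattern the analyzer reports), the other releases it with SecKeychainItemFreeContent on the only path where a buffer was actually handed out. The service and account names are made up for the demo; main() creates the item, reads it back, and deletes it so the run is repeatable. The checker the build setting turns on is registered in clang as osx.SecKeychainAPI, which the comment at the top uses to run it from the command line.

```objective-c
// Added example, not code from the question, the answer, or the checker.
// Build on macOS:   clang -framework Security keychain_demo.m -o keychain_demo
// Analyze (same checker as CLANG_ANALYZER_SECURITY_KEYCHAIN_API):
//   clang --analyze -Xanalyzer -analyzer-checker=osx.SecKeychainAPI keychain_demo.m
#include <Security/Security.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Made-up identifiers for the demo item.
static const char kService[] = "com.example.keychain-demo";
static const char kAccount[] = "demo-user";

// MISUSE: passwordData is allocated by Keychain Services, but it is handed
// to free(). This is the call the analyzer flags. Never call this; it is
// here only so the analyzer has something to report.
__attribute__((unused))
static OSStatus read_password_wrong(void) {
    UInt32 len = 0;
    void *data = NULL;
    OSStatus status = SecKeychainFindGenericPassword(
        NULL, (UInt32)strlen(kService), kService,
        (UInt32)strlen(kAccount), kAccount, &len, &data, NULL);
    if (status == errSecSuccess) {
        printf("password length: %u\n", (unsigned)len);
        free(data);   // wrong deallocator: reported by osx.SecKeychainAPI
    }
    return status;
}

// CORRECT: copy out what the caller needs, then return the buffer through
// SecKeychainItemFreeContent. On failure no buffer was allocated, so there
// is nothing to release; releasing it anyway would be a second misuse.
static OSStatus read_password_right(char *out, size_t out_cap) {
    UInt32 len = 0;
    void *data = NULL;
    OSStatus status = SecKeychainFindGenericPassword(
        NULL, (UInt32)strlen(kService), kService,
        (UInt32)strlen(kAccount), kAccount, &len, &data, NULL);
    if (status != errSecSuccess) {
        return status;
    }
    size_t n = (len < out_cap - 1) ? len : out_cap - 1;
    memcpy(out, data, n);
    out[n] = '\0';
    SecKeychainItemFreeContent(NULL, data);   // the documented deallocator
    return errSecSuccess;
}

int main(void) {
    const char secret[] = "correct horse battery staple";   // constructed demo value
    SecKeychainItemRef item = NULL;
    OSStatus status = SecKeychainAddGenericPassword(
        NULL, (UInt32)strlen(kService), kService,
        (UInt32)strlen(kAccount), kAccount,
        (UInt32)strlen(secret), secret, &item);
    if (status != errSecSuccess) {
        fprintf(stderr, "SecKeychainAddGenericPassword failed: %d\n", (int)status);
        return 1;
    }

    char buf[256];
    status = read_password_right(buf, sizeof buf);
    printf("read back %s (%d), matches: %s\n",
           status == errSecSuccess ? "ok" : "failed", (int)status,
           (status == errSecSuccess && strcmp(buf, secret) == 0) ? "yes" : "no");
    memset(buf, 0, sizeof buf);   // scrub our own copy once it is no longer needed

    // Remove the demo item so repeated runs do not collide.
    SecKeychainItemDelete(item);
    CFRelease(item);
    return 0;
}
```

Running the analyzer command in the header comment reports the free() in read_password_wrong and says nothing about read_password_right. The point that matters in practice is the one the answer makes: the buffer's lifetime is owned by Keychain Services, so the caller must hand it back through SecKeychainItemFreeContent on every path that received it, and must not touch it afterwards.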