Swift/Objective-C

Learn how to implement Endor Labs in repositories with CocoaPods and Swift Package Manager (SwiftPM) packages.

CocoaPods, SwiftPM, and Bazel are widely adopted tools for managing Swift and Objective-C projects. CocoaPods declares dependencies in a Podfile and records the resolved versions in a Podfile.lock, SwiftPM declares them in the Package.swift manifest, and Bazel builds are described by a WORKSPACE or MODULE.bazel file. Endor Labs supports all three systems to help secure your applications.

Using Endor Labs, application security engineers and developers can:

  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

The following prerequisites must be fulfilled:

  • All applications monitored by Endor Labs must use CocoaPods 0.9.0 or later, or Swift Package Manager 5.0.0 or later.
  • Your repository must include one or more files with the .swift, .h, or .m extension.
  • Your repository must include the appropriate build manifest files:
    • Podfile and Podfile.lock for CocoaPods projects (a Podfile.lock for each Podfile).
    • Package.swift for SwiftPM projects.
    • WORKSPACE or MODULE.bazel for Bazel projects.
  • For SwiftPM projects, the Swift toolchain must be installed on the system running the scan. To verify the installation, run the swift --version command.
  • For Bazel projects, install Bazel version 5.x.x, 6.x.x, or 7.x.x. Bzlmod is supported with Bazel aspects. See Bazel for more information.

If a Podfile.lock is not present in your repository, run the following command in the directory that contains the Podfile to generate it, and commit the resulting Podfile.lock so that the scan resolves the same pinned versions your builds use.

pod install

To scan Swift projects that use Bazel, see Bazel for build instructions, supported rules, and scan commands. Bzlmod is supported with Bazel aspects using rules_swift >= 2.0.0. See Bazel Aspects for more information.

Perform a scan to get visibility into your software composition and resolve dependencies.

endorctl scan

You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

Sign in to the Endor Labs user interface, select Projects from the left sidebar, and find your project to review its results.

Endor Labs looks for the Podfile and Podfile.lock files to discover the dependencies used by an application.

  • A Podfile is the CocoaPods configuration file in which a project declares the libraries (pods) it depends on and, optionally, version constraints for them.
  • A Podfile.lock is generated by pod install and records the exact version of every pod that was resolved, including transitive dependencies, so the dependency graph Endor Labs reports matches what is actually built.

To successfully discover Swift and Objective-C dependencies, both Podfile and Podfile.lock files must be present in your project for each Podfile.

Endor Labs scans SwiftPM projects by locating the Package.swift manifest file, which defines the Swift package’s dependencies, targets, and metadata. Version-specific manifest files using the format Package@swift-<version>.swift, for example Package@swift-5.7.swift, are also supported.

Endor Labs supports fetching and scanning dependencies from private Swift package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See Swift package manager integrations for more information on configuring private registries.

  • Call graphs aren’t supported for Swift and Objective-C projects, including CocoaPods, SwiftPM, and Bazel.
  • If a Podfile.lock file isn’t present, Endor Labs skips analyzing the project and presents a warning that the package was skipped.
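
Because a Podfile without a Podfile.lock is only skipped with a warning, that package's dependencies go unassessed unless someone reads the scan output. The following POSIX shell pre-flight check is an added example, not part of the Endor Labs documentation or tooling: it applies this page's prerequisites (Podfile.lock beside every Podfile, a swift toolchain when a Package.swift or Package@swift-<version>.swift manifest exists, WORKSPACE or MODULE.bazel when Bazel BUILD files exist, and at least one .swift, .h or .m file) to a repository and fails before the scan command documented above is run. The function names, the choice to write results.json into the repository root, and the fixture layout described in the comments are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not Endor Labs tooling): pre-flight check that applies the
# page's prerequisites to a repository before `endorctl scan` runs, so that a
# Podfile without a Podfile.lock fails the pipeline instead of being skipped
# with only a warning in the scan output.

# preflight_check <repo_root>
# Prints one line per problem found and returns the number of problems
# (0 means the repository is ready to scan; counts above 255 would wrap).
preflight_check() {
    pf_root=$1
    pf_problems=0

    # Every Podfile needs a sibling Podfile.lock; endorctl skips the package otherwise.
    # The inner `sh -c` receives the Podfile path as $1 and tests for "<path>.lock".
    pf_missing_locks=$(find "$pf_root" -type f -name Podfile \
        ! -exec sh -c 'test -f "$1.lock"' sh {} \; -print)
    if [ -n "$pf_missing_locks" ]; then
        printf '%s\n' "$pf_missing_locks" |
            sed 's/^/missing Podfile.lock beside /; s/$/ (run pod install there)/'
        pf_problems=$((pf_problems + $(printf '%s\n' "$pf_missing_locks" | wc -l)))
    fi

    # SwiftPM manifests (Package.swift or Package@swift-<version>.swift) need the swift toolchain.
    pf_spm=$(find "$pf_root" -type f \( -name Package.swift -o -name 'Package@swift-*.swift' \) -print)
    if [ -n "$pf_spm" ] && ! command -v swift >/dev/null 2>&1; then
        echo "SwiftPM manifest present but no swift toolchain on PATH (check with: swift --version)"
        pf_problems=$((pf_problems + 1))
    fi

    # Bazel BUILD files without a WORKSPACE or MODULE.bazel at the root cannot be scanned.
    pf_build=$(find "$pf_root" -type f \( -name BUILD -o -name BUILD.bazel \) -print)
    if [ -n "$pf_build" ] && [ ! -f "$pf_root/WORKSPACE" ] && [ ! -f "$pf_root/MODULE.bazel" ]; then
        echo "Bazel BUILD files present but no WORKSPACE or MODULE.bazel in $pf_root"
        pf_problems=$((pf_problems + 1))
    fi

    # At least one .swift, .h or .m file must exist for the repository to be treated as Swift/Objective-C.
    pf_sources=$(find "$pf_root" -type f \( -name '*.swift' -o -name '*.h' -o -name '*.m' \) -print)
    if [ -z "$pf_sources" ]; then
        echo "no .swift, .h or .m files under $pf_root"
        pf_problems=$((pf_problems + 1))
    fi

    return "$pf_problems"
}

# scan_if_ready <repo_root>
# Runs the pre-flight check, then the scan exactly as the page describes it,
# keeping a local JSON copy of the results in the repository root (this
# example's choice of location).
scan_if_ready() {
    preflight_check "$1" || {
        echo "pre-flight failed; fix the problems above before scanning" >&2
        return 1
    }
    ( cd "$1" && endorctl scan -o json | tee results.json )
}

# Usage: scan_if_ready /path/to/repo
```

Run it as a CI step before the scan; the step's exit code is the number of unmet prerequisites, so a single missing Podfile.lock is enough to stop the job rather than quietly shrinking the set of packages that get analyzed.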