Swift/Objective-C (Beta)

Learn how to implement Endor Labs in repositories with CocoaPods packages.

CocoaPods is a popular package manager for Swift and Objective-C. It simplifies the integration of Swift and Objective-C dependencies by letting you declare them in a Podfile and installing them automatically.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan CocoaPods projects

To successfully scan your CocoaPods projects:

Install software prerequisites

The following prerequisites must be fulfilled:

  • All applications monitored by Endor Labs must use CocoaPods version 0.9.0 or later.
  • A Podfile and a Podfile.lock must be present in your CocoaPods project.

Build CocoaPods projects

If your repository has no Podfile.lock, run the following command in the directory that contains the Podfile to generate one.

pod install

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies. Pass the flag --languages=swift to endorctl scan so that it discovers Swift and Objective-C dependencies.

endorctl scan --languages=swift

Run the scan from the root directory of the Git repository. You can also save a local copy of the results to a results.json file; the results and related analysis information are available in the Endor Labs user interface either way.

endorctl scan --languages=swift -o json | tee /path/to/results.json

Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.

Understand the scan process

Endor Labs looks for the Podfile and Podfile.lock files to discover the dependencies used by an application.

  • A Podfile is the configuration file in a CocoaPods project that declares the libraries (pods) the project depends on.
  • A Podfile.lock records the exact versions of those pods that were resolved and installed by pod install, together with their dependencies.

To discover Swift and Objective-C dependencies, each Podfile in your project must have a matching Podfile.lock in the same directory.

Known limitations

  • Call graphs are not supported for CocoaPods projects.
  • If a Podfile.lock file is not present, Endor Labs skips the analysis and reports a warning that the package was skipped.
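Because a package is skipped whenever its Podfile.lock is missing, it is useful to check for that condition before running the scan in CI. The following POSIX shell functions are an added example, not part of endorctl or the Endor Labs documentation: they walk a repository, list every directory that has a Podfile but no sibling Podfile.lock, and build a small constructed fixture to demonstrate the check.

```shell
#!/bin/sh
# Pre-flight check for CocoaPods scans (added example, not endorctl's own code).
# The scanner skips any package whose Podfile.lock is missing, so find those
# directories first and fix them with 'pod install' before scanning.

# Print every directory under $1 (default: .) that contains a Podfile but no Podfile.lock.
podfile_dirs_missing_lock() {
  find "${1:-.}" -name Podfile -type f | while IFS= read -r podfile; do
    dir=$(dirname "$podfile")
    [ -f "$dir/Podfile.lock" ] || echo "$dir"
  done
}

# Return 0 if every Podfile has a sibling Podfile.lock; otherwise list the
# offending directories on stderr and return 1.
check_podfile_locks() {
  offenders=$(podfile_dirs_missing_lock "$1")
  if [ -n "$offenders" ]; then
    echo "Podfile.lock missing; run 'pod install' in:" >&2
    echo "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed fixture (not a real project): App/ has a Podfile and a Podfile.lock,
# Widgets/ has only a Podfile and would be skipped by the scanner. Prints its path.
make_fixture() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/App" "$tmp/Widgets"
  printf "platform :ios, '15.0'\ntarget 'App' do\n  pod 'ExamplePod'\nend\n" > "$tmp/App/Podfile"
  printf "PODS:\n  - ExamplePod (1.0.0)\n" > "$tmp/App/Podfile.lock"
  printf "target 'Widgets' do\n  pod 'OtherPod'\nend\n" > "$tmp/Widgets/Podfile"
  echo "$tmp"
}

# Demonstration: the check fails on the fixture until Widgets/ gets a lock file.
fixture=$(make_fixture)
if check_podfile_locks "$fixture"; then
  echo "all Podfiles have a Podfile.lock; safe to run: endorctl scan --languages=swift"
else
  echo "fix the directories above before running endorctl scan --languages=swift"
fi
rm -rf "$fixture"
```

In a CI job, run check_podfile_locks against the repository root and fail the job on a non-zero return so a missing lock file surfaces before the scan silently skips the package.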