# Swift/Objective-C

> Learn how to implement Endor Labs in repositories with CocoaPods and Swift Package Manager (SwiftPM) packages.

CocoaPods, SwiftPM, and Bazel are widely adopted tools for managing Swift and Objective-C projects. CocoaPods simplifies integration through `Podfile` declarations and automated installation, while SwiftPM manages dependencies through the `Package.swift` manifest. Endor Labs supports all three systems to help secure your applications.

Using Endor Labs, application security engineers and developers can:

* Scan their software for potential security issues and violations of organizational policy.
* Prioritize vulnerabilities in the context of their applications.
* Understand the relationships between software components in their applications.

## Software prerequisites

Before you begin, verify the following prerequisites:

* All applications monitored by Endor Labs must use CocoaPods version 0.9.0 or higher, or Swift Package Manager version 5.0.0 or higher.
* A `Podfile` and a `Podfile.lock` must be present in your CocoaPods project.
* A `Package.swift` must be present in your SwiftPM project.
* Install Bazel version `5.x.x`, `6.x.x`, `7.x.x`, `8.x.x`, or `9.x.x` if your project uses Bazel. Endor Labs supports Bzlmod with Bazel aspects. See [Bazel](/scan/bazel) for more information.
* Your repository must include one or more files with `.swift`, `.h`, or `.m` extension.
* Install the Swift toolchain on the system running the scan for SwiftPM projects. To verify the installation, run the `swift --version` command.
* Your repository must include the appropriate build manifest file:
  * `Podfile` and `Podfile.lock` for CocoaPods projects.
  * `Package.swift` for SwiftPM projects.
  * `WORKSPACE` or `MODULE.bazel` for Bazel projects.

## Build CocoaPods projects

If the `Podfile.lock` is not present in your repository, run the following command to create the `Podfile.lock` for your Podfile.

```bash
pod install
```

## Scan Bazel projects

To scan Swift projects that use Bazel, see [Bazel](/scan/bazel) for build instructions, supported rules, and scan commands. Endor Labs supports Bzlmod with Bazel aspects using `rules_swift` >= 2.0.0. See [Bazel Aspects](/scan/bazel/bazel-aspects) for more information.

## Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies.

```bash
endorctl scan
```

You can perform the scan from within the root directory of the Git project repository, and save the local results to a *results.json* file. The results and related analysis information are available on the Endor Labs user interface.

```bash
endorctl scan -o json | tee /path/to/results.json
```

Sign in to the [Endor Labs user interface](https://app.endorlabs.com), select **Projects** from the left sidebar, and find your project to review its results.

## Understand the scan process for CocoaPods projects

Endor Labs looks for the `Podfile` and `Podfile.lock` files to discover the dependencies used by an application.

* A `Podfile` is the CocoaPods configuration file that declares the libraries or packages a project depends on.
* A `Podfile.lock` file is a CocoaPods specification file used to define the metadata and dependencies.

To successfully discover Swift and Objective-C dependencies, every `Podfile` in your project must be accompanied by its `Podfile.lock`.

## Understand the scan process for SwiftPM projects

Endor Labs scans SwiftPM projects by locating the `Package.swift` manifest file, which defines the Swift package's dependencies, targets, and metadata. Version-specific manifest files using the format `Package@swift-<version>.swift`, for example `Package@swift-5.7.swift`, are also supported.

### Configure private SwiftPM package repositories

Endor Labs supports fetching and scanning dependencies from private Swift package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See [Swift package manager integrations](/integrations/package-managers/swift-private-package-manager) for more information on configuring private registries.

## Known limitations

* Call graphs aren't supported for Swift and Objective-C projects, including CocoaPods, SwiftPM, and Bazel.
* If a `Podfile.lock` file isn't present, Endor Labs skips analyzing the project and presents a warning that it skipped the package.
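
A pre-scan check for the manifest requirements above, as an added example that is not part of the Endor Labs documentation or tooling: it reports every `Podfile` that has no `Podfile.lock` beside it (the case the scan skips with a warning) and lists the SwiftPM manifests it finds. The function names and the choice to skip `.git`, `Pods`, and `.build` directories are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-scan manifest check (hypothetical helper names).

# Print the directory of every Podfile under $1 that has no sibling
# Podfile.lock. .git and vendored Pods/ directories are skipped (assumption).
missing_podfile_locks() {
  local root="${1:-.}"
  find "$root" \( -name .git -o -name Pods \) -prune -o \
       -type f -name Podfile -print |
  while IFS= read -r podfile; do
    dir=$(dirname "$podfile")
    [ -f "$dir/Podfile.lock" ] || printf '%s\n' "$dir"
  done | sort
}

# List SwiftPM manifests under $1, including version-specific ones such as
# Package@swift-5.7.swift. .git and .build directories are skipped (assumption).
swiftpm_manifests() {
  local root="${1:-.}"
  find "$root" \( -name .git -o -name .build \) -prune -o \
       -type f \( -name Package.swift -o -name 'Package@swift-*.swift' \) \
       -print | sort
}

# Return 1 when any Podfile lacks a lockfile, so a CI job can stop before
# the scan silently skips that package.
preflight() {
  local root="${1:-.}"
  local missing
  missing=$(missing_podfile_locks "$root")
  if [ -n "$missing" ]; then
    printf 'Podfile without Podfile.lock, run pod install in:\n%s\n' \
      "$missing" >&2
    return 1
  fi
  printf 'SwiftPM manifests found:\n%s\n' "$(swiftpm_manifests "$root")"
  return 0
}
```

Source the file and run `preflight /path/to/repo` before `endorctl scan`; a non-zero status means at least one CocoaPods package would be skipped.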
