Swift/Objective-C

Learn how to implement Endor Labs in repositories with CocoaPods and Swift Package Manager (SwiftPM) packages.

CocoaPods and SwiftPM are widely adopted package managers for Swift and Objective-C. CocoaPods simplifies integration via Podfile declarations and automated installation, while SwiftPM manages dependencies through the Package.swift manifest. Endor Labs supports both systems to help secure your applications.

Using Endor Labs, application security engineers and developers can:

  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

The following prerequisites must be fulfilled:

  • All applications monitored by Endor Labs must be on CocoaPods versions 0.9.0 or higher, or Swift Package Manager versions 5.0.0 or higher.
  • A Podfile and a Podfile.lock must be present in your CocoaPods project.
  • A Package.swift must be present in your SwiftPM project.
  • Make sure your repository includes one or more files with .swift, .h, or .m extension.
  • The Swift toolchain must be installed on the system running the scan for SwiftPM projects. To verify the installation, run the swift --version command.

If the Podfile.lock is not present in your repository, run the following command to create the Podfile.lock for your Podfile.

pod install

Perform a scan to get visibility into your software composition and resolve dependencies.

Use the flag --languages=swift along with the endorctl scan to discover Swift and Objective-C dependencies.

endorctl scan --languages=swift

To scan SwiftPM projects:

  1. Enable the SwiftPM feature flag:

    export ENDOR_SCAN_ENABLE_SWIFTPM=true
    
  2. Run the endorctl scan with the --languages=swifturl flag to discover SwiftPM dependencies.

    endorctl scan --languages=swifturl
    

You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

You can sign in to the Endor Labs, click the Projects on the left sidebar, and find your project to review its results.

Endor Labs looks for the Podfile and Podfile.lock files to discover the dependencies used by an application.

  • A Podfile is a configuration file used in CocoaPods projects to specify the required libraries or packages for the project’s dependencies.
  • A Podfile.lock file is a CocoaPods specification file used to define the metadata and dependencies.

To successfully discover Swift and Objective-C dependencies, both Podfile and Podfile.lock files must be present in your project for each Podfile.

Endor Labs scans SwiftPM projects by locating the Package.swift manifest file, which defines the Swift package’s dependencies, targets, and metadata. Version-specific manifest files using the format Package@swift-<version>.swift, for example Package@swift-5.7.swift, are also supported.

Endor Labs supports fetching and scanning dependencies from private Swift package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See Swift package manager integrations for more information on configuring private registries.

  • Call graphs are not supported for CocoaPods and SwiftPM projects.
  • If a Podfile.lock file is not present, Endor Labs will skip analyzing the project and present a warning that the package was skipped.