About Swift SCA Agent-Based Scanning

Veracode Software Composition Analysis

You can find vulnerabilities in your Swift applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Swift repositories using the agent-based scanning command-line interface or the CI integrations.

Veracode SCA agent-based scanning supports scanning Swift repositories managed with CocoaPods. It does not support the Swift package manager.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging iOS and tvOS Applications.


Scanning a repository that uses Swift and the CocoaPods package manager requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:

  • Meet the requirements for the Veracode SCA agent.
  • Have a podfile.lock file present in the Swift repository.
  • If podfile.lock does not exist in the project root where you perform scans, you must be able to run the pod install command from the project root.

Running a Scan

You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/srcclr/example-swift-cocoapods
Note: You can also use the --url argument with the CLI agent to scan code repositories hosted in Git.

After you clone the code to your desktop, point the Veracode SCA CLI agent to the directory of the repository and scan:

srcclr scan path/to/<project_folder>

To view more verbose output during the scan process, you can add the --loud argument:

srcclr scan path/to/<project_folder> --loud

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Viewing Scan Results

After completing a scan, the bottom of the output in your terminal includes a URL for the Veracode Platform where you can view the scan results in more detail:

    Unique Library Licenses              3
    Libraries Using GPL                  0
    Libraries With No License            1
    Full Report Details                  https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557
Veracode SCA displays the scan results in the following categories:
Includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a repository.
Represents the set of unique vulnerabilities across a project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
Includes each open source library Veracode SCA has identified within a code project. From the Libraries tab, you can select Swift from the All languages dropdown to view the Swift libraries found in the project.
Displays the software license information associated with each open-source library in use.

Fixing Vulnerability Issues

After viewing the scan results, you can access the clear instructions for fixing vulnerability issues that Veracode SCA provides through the Veracode Platform.

Fixing a Direct Vulnerability

When your configuration file references a library, Veracode SCA considers the library a direct dependency. In your workspace, on the Issues page, the Vulnerability section lists the vulnerabilities in direct dependencies. You can click the issue ID for details about the vulnerability and instructions for fixing it. Updating your version to the version that the agent-based scan recommends usually fixes vulnerabilities in a direct dependency.

Some libraries include vulnerabilities that are not yet fixed. Therefore, Veracode SCA cannot always provide reliable update versions. In these cases, Veracode recommends you either create a pull request to the unfixed library or use a different library in your code.

Validating a Fixed Vulnerability

Before committing your code changes, you can run an agent-based scan with the --allow-dirty flag to validate a fix you made to your repository. This flag ignores uncommitted changes in your code:

srcclr scan /path/to/<project_folder> --allow-dirty

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability and you can commit your code.