Apple Platform packaging
This topic explains how to package native Apple platform artifacts for Veracode analysis. Supported platforms include iOS, iPadOS, watchOS, tvOS, and visionOS, developed with Objective-C and Swift.
Veracode analyzes all submitted components, including standalone frameworks and extensions. After you complete a prescan, you can select these components as separate modules.
Veracode only scans iPhone, iPad, Apple Watch, Apple TV, or Vision Pro artifacts compiled with debug symbols. With debug symbols included, Veracode can pinpoint the exact source file and line number of any flaw.
Required files
Include all binary executables and required libraries of the artifact to enable Veracode scanning.
Supported Apple Platforms and compilers
| Language | Platform | Version | IDE |
|---|---|---|---|
| Objective-C, C/C++, Swift 6.x | Apple Platforms | iOS 12–18, 26; iPadOS 13–18, 26; watchOS 4–10; tvOS 12–18, 26; visionOS 1–2 | Xcode 14.x–16.x, 26.x |
Initial support for iOS 26.
Packaging options
Automated packaging
Auto-packaging simplifies the packaging process for Apple platform projects.
Manual packaging
Your artifacts must meet specific packaging and compilation requirements before you can submit them for Veracode Static Analysis and Veracode Software Composition Analysis.
For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Veracode also supports the following mobile frameworks:
- .NET MAUI
- Appcelerator Titanium
- Apache Cordova/Adobe PhoneGap
- Dart and Flutter
- Ionic
- React Native
- Xamarin
If you are using other Apple‑specific frameworks, follow their respective packaging guides instead of these native steps.
Veracode does not support other cross-platform development frameworks.
Packaging your Apple platform apps
The quickest way to package your Apple platform artifacts is to use xcodebuild in the terminal.
Before you begin:
Ensure you have:
- Installed Xcode Command Line Tools.
- Installed or updated gen-ir.
To complete this task:
- Clean the project and archive it separately.
Ensure you clean separately from archiving. Due to a bug in Xcode, you must run the clean command separately from the archive command:
xcodebuild clean && xcodebuild archive
- Change to your project directory and run the archive command.
You might need to adjust the xcodebuild command to match your project settings. The command below is a starting point. Depending on your build configuration, you might need to edit it further.
xcodebuild clean && \
xcodebuild archive \
-workspace MyApp.xcworkspace \
-scheme MyApp \
-destination generic/platform=iOS \
-configuration Debug \
-archivePath MyApp.xcarchive \
DEBUG_INFORMATION_FORMAT=dwarf-with-dsym \
ENABLE_BITCODE=NO \
> MyApp.log.txt
- Run gen-ir with your build log and the archive path. Make sure MyApp.log.txt points to the exported build log and MyApp.xcarchive/ is the newly created xcarchive.
gen-ir MyApp.log.txt MyApp.xcarchive/
- Zip the xcarchive.
zip -r MyApp.zip MyApp.xcarchive
- Verify the ZIP contents.
zipinfo MyApp.zip
- Ensure the xcarchive folder is at the root of the ZIP.
❯ zipinfo MyApp.zip
Archive: MyApp.zip
Zip file size: 1519917 bytes, number of entries: 78
drwxr-xr-x 3.0 unx 0 bx stor 23-Dec-13 16:37 MyApp.xcarchive/
drwxr-xr-x 3.0 unx 0 bx stor 23-Dec-13 16:36 MyApp.xcarchive/Products/
drwxr-xr-x 3.0 unx 0 bx stor 23-Dec-13 16:36 MyApp.xcarchive/Products/Applications/
drwxr-xr-x 3.0 unx 0 bx stor 23-Dec-13 16:36 MyApp.xcarchive/Products/Applications/MyApp.app/
...
- Upload your Apple platform artifact to the Veracode Platform for static analysis. For detailed steps to submit an artifact for analysis, see Scan code in the Veracode Platform.
- (Optional) To upload archives for Software Composition Analysis (SCA), add the Podfile.lock file to the root of a separate archive folder. This ZIP archive must be different from the one that contains the .xcarchive folder.
zip MyApp-Podfile.zip Podfile.lock
- Upload MyApp-Podfile.zip to the same scan as the MyApp.zip file you uploaded earlier.
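
A pre-upload check for the two ZIP layouts described in the steps above, written as an added example; it is not Veracode tooling. The function names and the in-memory sample archive are constructed for illustration, and the dSYMs/ check assumes Xcode's usual archive layout.

```python
import io
import zipfile
from pathlib import PurePosixPath

def _parts(zip_file):
    """Return each entry of the ZIP as a tuple of path components."""
    with zipfile.ZipFile(zip_file) as zf:
        return [PurePosixPath(name).parts for name in zf.namelist()]

def check_xcarchive_zip(zip_file):
    """List problems with the static-analysis ZIP; an empty list means OK."""
    entries = _parts(zip_file)
    roots = sorted({p[0] for p in entries if p})
    if len(roots) != 1 or not roots[0].endswith(".xcarchive"):
        return [f"ZIP root must hold exactly one .xcarchive folder, found {roots}"]
    problems = []
    if not any(p[1:3] == ("Products", "Applications") and len(p) > 3
               and p[3].endswith(".app") for p in entries):
        problems.append("no .app bundle under Products/Applications/")
    # Assumption: Xcode's usual archive layout, with dSYM bundles in dSYMs/.
    if not any(len(p) > 2 and p[1] == "dSYMs" and p[2].endswith(".dSYM")
               for p in entries):
        problems.append("no .dSYM bundle under dSYMs/ (debug symbols missing)")
    return problems

def check_podfile_zip(zip_file):
    """List problems with the separate SCA ZIP that carries Podfile.lock."""
    entries = _parts(zip_file)
    problems = []
    if ("Podfile.lock",) not in entries:
        problems.append("Podfile.lock is not at the root of the ZIP")
    if any(part.endswith(".xcarchive") for p in entries for part in p):
        problems.append("SCA ZIP must not contain the .xcarchive folder")
    return problems

def constructed_zip(names):
    """Build an in-memory ZIP with empty entries (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf

if __name__ == "__main__":
    # Constructed sample: zipped from inside the folder, so the root is wrong.
    print(check_xcarchive_zip(constructed_zip(["Products/Applications/MyApp.app/MyApp"])))
```

Both functions accept a file path as well as a file object, so they can run against MyApp.zip and MyApp-Podfile.zip in a build job before the upload step.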