iOS (Objective-C, Swift)

FOSSA support for Objective-C, Swift and Cocoa projects.

FOSSA supports Swift, Objective-C and Cocoa projects through CocoaPods and Carthage.

ToolQuick Import ( (fossa-cli)
CocoaPodsPodfile, Podfile.lock, *.podspecPodfile.lock
CarthageCartfile, Cartfile.private, Cartfile.resolvedCartfile.resolved
Swift Package ManagerN/APackage.resolved, Package.swift, project.pbxproj

Quick Import (

When iOS code is imported, FOSSA will inspect the codebase for dependencies resolvable by CocoaPods or Carthage.


The CocoaPods build system pulls in dependencies based on:

  1. Name
  2. SemVer Version
  3. External Repository (Git, Subversion, Mercurial, HTTP)

FOSSA derives dependencies by analyzing your Podfile/Podfile.lock files and seeing which dependencies are brought in. Other metadata is fetched directly from repository *.podspec files.

To add your own Podspec repos, see the Authentication section below.


Requires CocoaPods >= 1.0

FOSSA's Repository Scanning uses CocoaPods version ~1.0. If your Podfile is built using an earlier version, there is a chance that it may not build correctly. See Migrating to 1.0.

Known CocoaPods Limitations

  • We don't factor in the platform specified in the Podfile. For each dependency, we will fetch the code for all valid platforms.
  • Build configurations are not being taken into account at the moment.
  • If a subspec(s) of a pod is given, FOSSA will analyze the entire Pod.
  • Only git external sources are supported. Subversion, Mercurial, and HTTP sources are currently not supported.
  • Plugins in Podfiles are currently being ignored.
  • Pre and Post install hooks sometimes do not work properly.
  • Pre-release version ranges currently just resolve to the version given (i.e. >=10.1.1.beta will resolve to 10.1.1.beta, as well as ~>10.1.1.beta).
  • Multi range versions with pre-releases may not work properly (i.e. >10.1.1.beta1 <10.1.1.beta4).


FOSSA scans through your Project and analyzes any Cartfile that is found. Cartfile.private and Cartfile.resolved files are currently ignored. It grabs dependencies based on:

  1. Name
  2. SemVer Version
  3. External Repository (Git, Github)

Known Carthage Limitations

  • Nested dependencies aren't properly handled.
  • Cartfile.resolve files aren't being analyzed, so versioning may be inconsistant.
  • Local file repositories (i.e. File:///) in Cartfile's aren't analyzed.

CLI (fossa-cli)

To install the fossa-cli run the following command:

curl -H 'Cache-Control: no-cache' | bash

To successfully build Cocoapods projects, you will need a Podfile.lock file in your repository.
To successfully build Carthage projects, you will need a Cartfile.resolved file in your repository.
To successfully build Swift projects using swift package manager, you will need a Package.resolved file in your repository.

For more information on running the CLI, please read the documentation at


Configuring podspec repos

FOSSA allows you to add your own podspec repos as well. This is done via the Language Settings page under Cocoapods Settings. The url should be of the form: for public repos, and [email protected]:artsy/Specs.git for private repos.


Adding a custom Podspec


When adding a new spec repo, FOSSA will attempt to automatically add our public key to the github repo.

If your private spec repos are not working in FOSSA, please make sure that the following public key is added to your github settings:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSArCEygMYE8h625Tvol/YsPUgIauoBxR1Cd2Rkq3ZtC/+oPmjoTfVGtBFmyZZtWVZwgC6svP1cDNKrbGk+Z9nLkWrU1bY2opwvUIOw0yDokvzPtDCTpze8gfE/sPddecvELc9CEjkKb2FAl/B+LgKUY17QSYzjVdwP2SBLnxEpBkOo0DI0eF5Tb+e8RrvgVFW0HQn0nB+Pby6bPOh3hyx6yIN2EYi4SaNpce8E3qp85eMeSU2vptaXgsKeSVEn3ttDfa7lE5cBoTrRQxk2yTDQVJT7/LDGbLxbloD3865WrXr3gLJNEDyNpeKNCigl0zCEkzCQn+TDsNRKCfuQxoy86tnzwMGBA6xdZWyREX1pCZIrxtGcBgTxDdLGP/fxE1Kxhr3H2i5KpJTsX1lxTYDTyM9z1HehzFcU0BNjle5sjkJCwXRFMDuZskoiwfMQ4wwzYLXbhj90Zj40vjdTltsZIqzrlJdN3HnIfhA/yhdWaf5nR3QzTGFFryxmmjr+X1V/MB67KPQbW+HOMTe+YLTPcqHYrch/amoidzSAss0dwnaPRaiL+Vk3WXqAVF14QQwxTi5HKo2NDSb1W6CUEe/qjbRIEvW3h64+KYRieldiezVFDdCt3tyJQDKjRkwhize3JvzIeg4tC20RsrjLjx9lAs/Bc/qqlaH+1efuF6/6Q==

This is done via the Project Settings deploy key section in your github project:


Adding a deploy key to GitHub

On-prem users will need to get their public key from the host server (if one doesn't exist, the Cocoapods migration will create a key pair).