Nimble Analysis
When developing in nim, nimble is used to manage dependencies.
2 min readUpdated Jul 9, 2026
Overview
When developing in nim, nimble is used to manage dependencies.
| Strategy | Direct Deps | Transitive Deps | Edges | Classifies Dev Dependencies | Container Scanning |
|---|---|---|---|---|---|
nimble.lock and nimble dump | ✅ | ✅ | ✅ | ❌ | ❌ |
| nimble.lock | ⚠️ | ✅ | ✅ | ❌ | ✅ |
Project Discovery
Find a file named nimble.lock.
Analysis
- Parse
nimble.lockto identify dependencies and edges among them. - Perform
nimble dump --jsonto identify direct dependencies.
Limitation:
- Dependencies downloaded from mercurial are not reported.
- When
nimble dump --jsonfails, any dependencies without incoming edge is considered to be a direct dependency
Example
- Execute
nimble initto create a new project or createnim.nimblemanually:
Example nim.nimble:
Nim
# Package version = "0.1.0"author = "User"description = "A new awesome nimble package"license = "MIT"srcDir = "src"installExt = @["nim"]bin = @["nim"] # Dependencies requires "nim >= 1.6.0"requires "jester >= 0.4.1 & < 0.5.0"- Execute
nimble lockto install and pin dependencies - this will create (or modify) thenimble.lockfile. - Execute
fossa analyze -oon the project to print analyzed dependency graphing (this will not upload any analysis to any endpoint)
Note
If you are using an older version of Nim, you may need to:
- Run
choosenim 1.6.0 - Run
nimble install https://github.com/nim-lang/nimble@\#head(install the latest nimble, or any version with lock file support)
FAQ
How do I only perform analysis for the nimble?
You can explicitly specify an analysis target in .fossa.yml file. The example below will exclude all analysis targets except for the composer.
YAML
# .fossa.yml version: 3targets: only: - type: nimble