CocoaPods detection relies on a Podfile.lock file being present. This file is generated by CocoaPods when dependencies are installed.
CocoaPods detection is performed by parsing every Podfile.lock found under the scan directory. The detector:
- Parses the YAML-formatted `Podfile.lock` file to extract pod dependencies
- Identifies root dependencies from the `DEPENDENCIES` section
- Constructs a dependency graph by traversing pod relationships
- Supports both standard CocoaPods packages and Git-based dependencies
- Normalizes Git repository URIs (e.g., converting `git@` references to `https://`)
- Maps pods to their spec repositories (TRUNK or custom repositories)
- Handles subspecs (e.g., `AFNetworking/Reachability`) by mapping them to their parent podspec
CocoaPods detection will not work if lock files are not being used or have not yet been generated. Ensure that `pod install` or `pod update` has been run to generate the `Podfile.lock` file(s) before running the scan.
The detector constructs a full dependency graph based on the relationships present in the `Podfile.lock` file, including transitive dependencies. However, dependency relationships are limited to what CocoaPods recorded in the lock file at the time of the last `pod install` or `pod update`; a stale lock file that predates edits to the `Podfile` is reported as-is.
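The following is an added, self-contained illustration of the parsing steps listed above and of the graph construction described in this paragraph. It is not the detector's own code; it is a small line-oriented reader for the `Podfile.lock` layout (`PODS`, `DEPENDENCIES`, `SPEC REPOS`, `EXTERNAL SOURCES`) written for this page, and the embedded lock file is a constructed sample with placeholder pod names and checksums, not output from a real project. The `parent_pod`, `normalize_git_uri`, `parse_podfile_lock` and `transitive_dependencies` names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample Podfile.lock (not from a real project). It covers a trunk
# pod with subspecs and a Git-sourced pod referenced through a git@ URI.
SAMPLE_LOCK = """PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
    - AFNetworking/Reachability (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1):
    - AFNetworking/Reachability
  - AFNetworking/Reachability (4.0.1)
  - ExampleGitPod (1.2.0):
    - AFNetworking (~> 4.0)

DEPENDENCIES:
  - AFNetworking (~> 4.0)
  - ExampleGitPod (from `git@github.com:example/ExampleGitPod.git`, tag `1.2.0`)

SPEC REPOS:
  trunk:
    - AFNetworking

EXTERNAL SOURCES:
  ExampleGitPod:
    :git: git@github.com:example/ExampleGitPod.git
    :tag: 1.2.0

SPEC CHECKSUMS:
  AFNetworking: placeholder-checksum

PODFILE CHECKSUM: placeholder-checksum

COCOAPODS: 1.12.1
"""

# "Name (anything)" -> name and the parenthesised part (version or requirement)
ENTRY_RE = re.compile(r"^(?P<name>[^\s(]+)(?:\s+\((?P<extra>[^)]*)\))?$")


def _split_sections(text):
    """Group lines under their top-level 'HEADER:' (PODS, DEPENDENCIES, ...)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current, _, rest = line.partition(":")
            sections[current] = [rest.strip()] if rest.strip() else []
        else:
            sections.setdefault(current, []).append(line)
    return sections


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _entry(line):
    """'  - Name (4.0.1):' -> ('Name', '4.0.1'); '- Dep (= 1.0)' -> ('Dep', '= 1.0')."""
    item = line.strip().lstrip("- ").rstrip(":")
    m = ENTRY_RE.match(item)
    if not m:
        raise ValueError(f"unparseable Podfile.lock entry: {line!r}")
    return m.group("name"), m.group("extra")


def parent_pod(name):
    """Subspec 'Pod/Sub' belongs to the podspec 'Pod'."""
    return name.split("/", 1)[0]


def normalize_git_uri(uri):
    """Rewrite scp-style git@host:path and ssh://git@host/path to https://host/path."""
    uri = uri.strip()
    m = re.match(r"^git@([^:/]+):(.+)$", uri)
    if m:
        return f"https://{m.group(1)}/{m.group(2)}"
    m = re.match(r"^(?:ssh|git)://(?:[^@/]+@)?([^/]+)/(.+)$", uri)
    if m:
        return f"https://{m.group(1)}/{m.group(2)}"
    return uri  # already https:// (or a local path); leave untouched


def parse_podfile_lock(text):
    sec = _split_sections(text)

    # PODS: two-space entries are installed pods, four-space entries their deps.
    pods, graph, current = {}, defaultdict(set), None
    for line in sec.get("PODS", []):
        name, version = _entry(line)
        if _indent(line) == 2:
            current = parent_pod(name)
            info = pods.setdefault(current, {"version": None, "subspecs": set()})
            info["version"] = info["version"] or version
            if "/" in name:
                info["subspecs"].add(name)
            graph.setdefault(current, set())
        elif parent_pod(name) != current:  # subspec -> parent; drop self-edges
            graph[current].add(parent_pod(name))

    # DEPENDENCIES: the roots declared in the Podfile, collapsed to parent pods.
    roots = []
    for line in sec.get("DEPENDENCIES", []):
        root = parent_pod(_entry(line)[0])
        if root not in roots:
            roots.append(root)

    # SPEC REPOS: 'trunk:' (or a repo URL) followed by the pods served from it.
    repos, repo = {}, None
    for line in sec.get("SPEC REPOS", []):
        if _indent(line) == 2:
            repo = line.strip().rstrip(":").strip('"')
        else:
            repos[parent_pod(_entry(line)[0])] = repo

    # EXTERNAL SOURCES: ':git:', ':tag:', ':branch:', ':commit:' per pod.
    sources, pod = {}, None
    for line in sec.get("EXTERNAL SOURCES", []):
        if _indent(line) == 2:
            pod = line.strip().rstrip(":")
        else:
            key, _, value = line.strip().partition(" ")
            sources.setdefault(pod, {})[key.strip(":")] = value.strip()

    components = {}
    for name, info in pods.items():
        src = sources.get(name, {})
        components[name] = {
            "version": info["version"],
            "subspecs": sorted(info["subspecs"]),
            "spec_repo": repos.get(name),
            "git": normalize_git_uri(src["git"]) if "git" in src else None,
            "git_ref": src.get("tag") or src.get("branch") or src.get("commit"),
            "is_root": name in roots,
        }
    return {"roots": roots,
            "graph": {k: sorted(v) for k, v in graph.items()},
            "components": components}


def transitive_dependencies(result, root):
    """Every pod reachable from `root` through the recorded graph."""
    seen, stack = set(), [root]
    while stack:
        for dep in result["graph"].get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


if __name__ == "__main__":
    result = parse_podfile_lock(SAMPLE_LOCK)
    for name, comp in result["components"].items():
        print(name, comp, "->", sorted(transitive_dependencies(result, name)))
```

Two details matter in practice: the graph is keyed by parent podspec, so the two `AFNetworking/...` subspecs collapse into a single `AFNetworking` node and their mutual edges disappear, and a pod that appears only under `EXTERNAL SOURCES` has no `SPEC REPOS` entry, so its origin is the normalized Git URI plus the recorded tag, branch or commit rather than a spec repository.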