Skip to content


Trivy supports CocoaPods and Swift package managers.

The following scanners are supported.

Package manager SBOM Vulnerability License
Swift -
CocoaPods -

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
Swift Package.resolved Included -
CocoaPods Podfile.lock Included -

These may be enabled or disabled depending on the target. See here for the detail.


Trivy parses Package.resolved file to find dependencies. Don't forget to update (swift package update command) this file before scanning.


CocoaPods uses package names in PodFile.lock, but GitHub Advisory Database (GHSA) Trivy relies on uses Git URLs. We parse the CocoaPods Specs to match package names and links.


Since GHSA holds only Git URLs, such as, Trivy can't identify affected submodules, and detect all submodules maintained by the same URL. For example, SwiftNIOHTTP1 and SwiftNIOWebSocket both are maintained under, and Trivy detect CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.