Have you heard of the Salesforce CLI Scanner plug-in yet? It’s an intuitive open-source tool that can scan your code to identify common coding issues and possible vulnerabilities. Salesforce application developers and ISVs can also use the plug-in to prepare for a formal security review process. Using the plug-in doesn’t take the place of a formal security review, but it can identify a variety of security, quality, and performance issues early in development. You can install the plug-in on a local developer machine or integrate it into a CI/CD process to regularly monitor code health.

This post covers some of the key features and capabilities of Scanner v2.0, which was released in July 2020.

Salesforce CLI Scanner: the aggregated static analyzer

Static analysis is a great way to catch common antipatterns and coding issues that negatively impact code quality. As a part of this analysis, a rule engine parses source code and applies a set of rules to detect coding issues. The rule engine then reports the offending code as rule violations.

Many powerful static analysis tools are available. Most of them specialize in one language or set of languages. Many applications (including typical Salesforce packages), however, contain an assortment of components created using different languages. A single static analyzer is insufficient to address all aspects of such applications. And managing multiple static analyzer tools can quickly become a pain.

This is where the Salesforce CLI Scanner plug-in shines. The plug-in aggregates the results of static analyzers that are most relevant to Salesforce developers, while providing a unified experience. With the Salesforce CLI Scanner plug-in, you get a:

  • single installation process
  • single set of commands to interact with multiple rule engines
  • unified set of rules that are checked by their respective rule engines
  • unified rule violation report that includes all issues identified by the engines

To begin with, Salesforce CLI Scanner aggregates PMD (v6.22.0) and ESLint (6.8.0). These two analyzers cover all of the languages a Salesforce developer would typically use.

Why PMD?

PMD is one of the most powerful static analyzers available and it supports a large number of different languages. It is open-sourced and has a strong community of developers actively building rules for Apex (check out this podcast if you are interested in joining them).

By default, the Salesforce CLI Scanner plug-in scans only Apex code and Visualforce markup with PMD, but you can easily modify the config to add other supported languages that you are interested in.

If you have your own custom rules that apply only to your codebase, you can add them to Salesforce CLI Scanner and run them along with the built-in rules.

Why ESLint?

ESLint is arguably one of the best static analyzers for JavaScript and is also conveniently open-sourced. Because it’s very flexible in how it parses JavaScript, it can handle many use cases related to Lightning Web Components. Additionally, with the built-in eslint-typescript plug-in, the Salesforce CLI Scanner can also analyze TypeScript out of the box.

Value added by Salesforce CLI Scanner

By combining and unifying two powerful static analyzers, Salesforce CLI Scanner enables you to catch a wide variety of issues in your code.

Example Apex issues include:

  • Security issues (e.g. basic sharing violations, simplified CRUD/FLS checks, CSRF and XSS vulnerabilities)
  • Performance issues (e.g. running SOQL or SOSL queries inside loops)
  • Error prone code (e.g. empty try/catch/finally blocks)

Example issues with Lightning Web Components include:

  • Unreachable code
  • Unused variables
  • Invalid regular expressions
  • Stylistic preferences such as enforcing a semicolon at the end of a statement and expecting function names in camelCase

Catching these issues early has several advantages:

  • You can fix code issues immediately and rerun Salesforce CLI Scanner right away to confirm that the issues have been resolved.
  • You can save time and effort. Studies have shown that the time and effort needed to fix an issue during development is significantly lower than what it takes to address the same issue at a later point.
  • You can shorten security review processes. These processes are faster and easier when most issues are identified and fixed before the review even begins.

Different report formats for different use cases

Salesforce CLI Scanner not only unifies rule violation reports, it also provides an array of useful reporting formats for working at various levels:

  • Simple table-style reporting to get feedback on code you are actively writing
  • CSV reporting for spreadsheet-based filtering and analytics
  • JSON and XML reporting to feed into other tools for further processing
  • HTML reporting for readable, searchable results
  • JUnit-style test failures to use with a CI/CD setup
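
As an illustration of feeding the JSON report into another tool, here is a small CI gate that blocks a build on Security findings and reports everything else as advisory. This is an added example, not code from the original post or from the Scanner project. The report shape (an array of per-file entries with `engine`, `fileName` and `violations`), the file names, the sample findings and the blocking policy are assumptions made for the example.

```javascript
// Constructed sample, not real scan output. Assumed report shape: an array of
// per-file entries, each carrying the engine name and its violations.
const SAMPLE_REPORT = JSON.stringify([
  { engine: "pmd", fileName: "classes/AccountService.cls", violations: [
    { line: 12, column: 9, ruleName: "ApexCRUDViolation", category: "Security",
      message: "Validate CRUD permission before SOQL/DML operation" },
    { line: 27, column: 13, ruleName: "AvoidSoqlInLoops", category: "Performance",
      message: "Avoid Soql queries inside loops" } ] },
  { engine: "eslint", fileName: "lwc/accountList/accountList.js", violations: [
    { line: 4, column: 7, ruleName: "no-unused-vars", category: "Variables",
      message: "'cache' is assigned a value but never used." } ] },
  { engine: "pmd", fileName: "classes/Clean.cls" }, // entry without violations
]);

// Policy for this example: Security findings block the build, the rest warn.
const BLOCKING_CATEGORIES = new Set(["Security"]);

// One flat list of findings, each tagged with its engine and file.
function flatten(report) {
  if (!Array.isArray(report)) throw new TypeError("report must be an array");
  return report.flatMap((file) => (file.violations || []).map(
    (v) => ({ engine: file.engine, fileName: file.fileName, ...v })));
}

function evaluateGate(reportJson, blocking = BLOCKING_CATEGORIES) {
  let findings;
  try {
    findings = flatten(JSON.parse(reportJson));
  } catch (err) {
    // Fail closed: an unreadable report must not look like a clean scan.
    return { pass: false, reason: `unreadable report: ${err.message}`, blocking: [], advisory: [] };
  }
  const isBlocking = (v) => blocking.has(v.category);
  return {
    pass: !findings.some(isBlocking),
    reason: "evaluated",
    blocking: findings.filter(isBlocking),
    advisory: findings.filter((v) => !isBlocking(v)),
  };
}

const formatFinding = (v) =>
  `${v.fileName}:${v.line}:${v.column} [${v.engine}/${v.category}] ${v.ruleName}: ${v.message}`;
const exitCodeFor = (result) => (result.pass ? 0 : 1);

const result = evaluateGate(SAMPLE_REPORT);
result.blocking.forEach((v) => console.log("BLOCK " + formatFinding(v)));
result.advisory.forEach((v) => console.log("WARN  " + formatFinding(v)));
console.log(`gate: ${result.reason}, CI exit code ${exitCodeFor(result)}`);
```

In a pipeline, the string passed to `evaluateGate` would be the contents of the JSON report file, and the value from `exitCodeFor` would become the job's exit status.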

Other handy features

Salesforce CLI Scanner comes with all of the advantages of Salesforce CLI:

  • Works on all operating systems that Salesforce CLI supports
  • Single-step installation
  • Built-in help (--help)


Salesforce engineers are actively implementing new features to further improve Salesforce CLI Scanner. One upcoming feature is the ability to detect and warn about external code dependencies that may have security vulnerabilities. They are also in the process of adding new rules to identify more security issues.

You can get started with Salesforce CLI Scanner within minutes. Here’s the documentation you need to jump in. All you need is a Salesforce CLI setup and Java (version 8 or higher).

If you have feedback, suggestions, or questions, we’d love to hear them. The Salesforce CLI Scanner code is open-sourced. Watch for an announcement on when external contributions will be accepted.

Useful links

Help documentation
Questions, feedback, bugs
Code repo

About the author

Roopa Mohan is a Principal Engineer at Salesforce. She’s been with Salesforce for almost nine years, with much of this time on the Hammer team, where she helped improve the quality of major releases. As a part of the Platform-Ops team, Roopa and her teammates focus on building tools that make the lives of ISVs a little easier.
