To identify security vulnerabilities, we require that you run security scanning tools on
your solution and all external endpoints that run independently of the Salesforce platform. The
Partner Security Portal hosts two of the scanners that we recommend, the Source Code Scanner
(Checkmarx) and Chimera.
We strongly recommend that you run security scans on your code and any connected
endpoints throughout the development lifecycle. Run periodic scans and fix flagged issues as you
go to prevent security vulnerabilities from piling up and creating more work for you
later.
The Partner Security Portal provides access to two
Salesforce-supported scanners: the Source Code Scanner, also referred to as the Checkmarx
scanner, and the Chimera scanner service.
The Source Code Scanner (Checkmarx) checks Apex, Visualforce, and Lightning code, but doesn’t
check external endpoints of a solution.
Chimera checks external endpoints, but requires you to upload a token to the root of the
external server. If your solution connects to endpoints on domains that you own, you can use
Chimera. If your solution connects to endpoints on domains that you don’t own, you can’t upload
the token and can’t use Chimera. Use an alternative tool. For example, download the free OWASP
Zed Attack Proxy (ZAP) scanner or purchase a license for Burp Suite.
Just before you submit your solution, run the Source Code Scanner in the Partner Security Portal
(this step doesn't apply to mobile clients and API solutions). If your solution connects to any
non-Salesforce domains, also run Chimera, OWASP ZAP, or Burp Suite on the external endpoints.
Include reports from your scans when you submit your solution for security review.
Source Code Scanner (Checkmarx)

Scope: Apex, Visualforce, and Lightning code

- This static scanning tool uses Checkmarx security technology.
- Mandatory for any security review submission that includes a Salesforce package or
component. Not required for mobile clients or API solutions.
- You're provisioned three Source Code Scanner (Checkmarx) runs per solution version with
the security review fee. Consider running an alternative tool as you develop, such as the
open-source PMD Source Code Analyzer, and the Source Code Scanner as you finalize your
submission.
- If you want the flexibility and freedom to scan unpackaged code, or to bypass scan limits
and package linking requirements, purchase a license from Checkmarx.

Chimera

Scope: External endpoints on domains that you own

- Checks for security vulnerabilities in external endpoints of a solution.
- Scans solutions from a Salesforce IP address.
- Doesn't require a download.
- Isn't usable with endpoints on domains that you don't own because it requires upload of
a token to the root of the external server.
- If your solution connects to external endpoints that you don't own, use OWASP ZAP or
Burp Suite instead of Chimera.
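As an added example, not taken from the Partner Security Portal documentation, the following PMD ruleset enables PMD's Apex security rule category so the open-source scanner can run on every build while you develop, before the three provisioned Source Code Scanner runs are spent at submission time. The file name apex-security.xml and the force-app source path in the comment are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  apex-security.xml: PMD ruleset that turns on the Apex security rule category.
  Run from the project root (file name and source path are assumptions):
    pmd check -d force-app -R apex-security.xml -f text
  By default PMD exits with a non-zero status when it reports violations,
  so the same command can gate a CI job.
-->
<ruleset name="Apex security (development-time scan)"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>
    Periodic development-time scan of Apex for the issue classes the security
    review looks for (SOQL injection, CRUD/FLS and sharing violations, XSS,
    CSRF, insecure endpoints, weak crypto). It complements, and does not
    replace, the Source Code Scanner (Checkmarx) run required at submission.
  </description>

  <!-- Pull in every rule of PMD's Apex security category, except the one
       that is re-declared below with a custom priority. -->
  <rule ref="category/apex/security.xml">
    <exclude name="ApexSOQLInjection"/>
  </rule>

  <!-- Re-add SOQL injection at the highest priority so a finding is never
       buried among lower-priority output when the report is reviewed. -->
  <rule ref="category/apex/security.xml/ApexSOQLInjection">
    <priority>1</priority>
  </rule>
</ruleset>
```

Fix the findings this reports as you go; they map closely to the categories the Source Code Scanner flags, so the final pre-submission scan should then come back largely clean.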