ISVforce Guide
Pass the AppExchange Security Review
The description of the AppExchange Security Review in this section and the links herein is current as of the listed effective date. SFDC may update or modify the AppExchange Security Review from time to time in its sole discretion, with or without notice.
Note
Partner Applications, which includes managed packages, Salesforce Platform API solutions, Marketing Cloud API solutions, and other solutions referred to herein, are Non-SFDC Applications as defined in Salesforce’s Main Services Agreement (available at https://www.salesforce.com/company/legal/agreements or successor URL). Notwithstanding any security review of a Partner Application, Salesforce makes no guarantees regarding the quality or security of any Partner Application and Customers are responsible for evaluating the quality, security, and functionality of Partner Applications.
AppExchange Security Review
Before you can publicly list your managed package, Salesforce Platform API solution, or Marketing Cloud API solution on AppExchange, it must pass a security review. The AppExchange security review tests the security posture of your solution, including how well it protects customer data.
How Does AppExchange Security Review Work?
Before initiating an AppExchange security review, you perform your own testing and gather supporting materials that help us assess the security of your solution. During a review, our Product Security team attempts to identify security vulnerabilities in your solution. If the team identifies vulnerabilities, you have access to personalized technical guidance to help you address the identified vulnerabilities.
Partner Security Portal
The Partner Security Portal is the main hub for your security review needs. The portal hosts the Source Code Scanner (Checkmarx) and Chimera automated security scanning tools. Use these tools to identify security vulnerabilities in your solution. The portal is also where you go to schedule office hours appointments with AppExchange security engineers and Security Review Operations team members. Office hours provide a forum for you to ask questions about the security review process and to discuss how to rework code that has security vulnerabilities.
Test Your Entire Solution
Test the full scope of your solution using manual testing and automated security scanner tools. When you perform security scans, include all external endpoints that run independently of the Salesforce platform. Document false positive security violations and fix all code that doesn’t meet Salesforce security guidelines.
False Positives
As you navigate the AppExchange security review process, you're likely to encounter false positive issues with your solution. A false positive occurs when a security-scanning tool or code reviewer flags code that appears to pose a security vulnerability but actually doesn’t. Instead, the flagged vulnerability is nonexistent, nonexploitable, or not required to support a valid use case or functionality.
Security Review Resources
These resources can help you prepare for the AppExchange security review.