Scan Your Solution with Salesforce Code Analyzer

As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal. The tools used are the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.

User Permissions Needed
To access the Partner Community, Partner Console, and AppExchange Security Review: Manage Listings
  • Install Salesforce CLI using these instructions.
  • To make sure that you’re running the latest version of the CLI, run sfdx update.
  • Install Java Development Kit (JDK) version 8 or later.
  • To install Salesforce Code Analyzer, run sfdx plugins install @salesforce/sfdx-scanner.
  1. Store your solution’s code locally on your computer. Ensure that the code version matches the package you’re submitting for security review.
  2. In Terminal or your favorite command-line interface, change to the top-level directory of your solution’s code and metadata.
  3. Run a first scan with sfdx scanner:run, specifying category="Security", and name the output file CodeAnalyzerGeneral.csv.
  4. Run a second scan with sfdx scanner:run:dfa, specifying category="Security", and name the output file CodeAnalyzerDFA.csv. Depending on the complexity of your codebase, this data-flow analysis scan can take a few hours.
  5. Fix any issues that Code Analyzer identifies before you submit for security review.
  6. Rescan and save your results files.
  7. Document any false positives.
  8. Upload your clean CodeAnalyzerGeneral.csv and CodeAnalyzerDFA.csv files to your security review submission.
  9. If you have false positive documentation, upload that, too.

Example

Run the first scan.

sfdx scanner:run --format=csv --outfile=CodeAnalyzerGeneral.csv --target="./" --category="Security"

Run the second scan.

sfdx scanner:run:dfa --format=csv --outfile=CodeAnalyzerDFA.csv --target="./" --projectdir="./" --category="Security"
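Steps 5 to 9 above form a triage loop: fix real findings, set aside the false positives you have documented, and upload only once nothing else remains. The following Python is an added example, not part of this page or of Code Analyzer itself; it assumes the CSV column names shown in the constructed sample (check them against the header of your own CodeAnalyzerGeneral.csv) and a hand-maintained false-positive register keyed by file, line and rule.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Code Analyzer CSV export. The column layout is an
# assumption based on sfdx-scanner's CSV output; adjust the keys below if the
# header line of your own results file differs.
SAMPLE_CSV = """\
"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/AccountCtl.cls","42","9","ApexSOQLInjection","Avoid untrusted/unescaped variables in DML/SOQL query","https://example.invalid/rule","Security","pmd"
"2","3","force-app/main/default/classes/Util.cls","7","5","ApexCRUDViolation","Validate CRUD permission before SOQL/DML operation","https://example.invalid/rule","Security","pmd"
"""

# Constructed false-positive register: (file, line, rule) triples the team has
# reviewed, justified in writing, and will upload alongside the CSV files.
FALSE_POSITIVES = {
    ("force-app/main/default/classes/Util.cls", "7", "ApexCRUDViolation"),
}

def load_findings(csv_text):
    """Parse Code Analyzer CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def triage(findings, false_positives):
    """Split findings into (still_open, documented). A finding is set aside only
    when file, line and rule all match, so a finding that moves after a re-scan reopens."""
    still_open, documented = [], []
    for row in findings:
        key = (row["File"], row["Line"], row["Rule"])
        (documented if key in false_positives else still_open).append(row)
    return still_open, documented

def summarize(still_open):
    """Count open findings per (severity, rule); severity 1 is the most severe here."""
    return Counter((row["Severity"], row["Rule"]) for row in still_open)

def is_clean(still_open):
    """True when nothing remains to fix before the results files are uploaded."""
    return len(still_open) == 0

if __name__ == "__main__":
    open_rows, fp_rows = triage(load_findings(SAMPLE_CSV), FALSE_POSITIVES)
    for (sev, rule), n in sorted(summarize(open_rows).items()):
        print(f"severity {sev}: {rule} x{n}")
    print("documented false positives:", len(fp_rows))
    print("ready to upload:", is_clean(open_rows))
```

Run it against your real CodeAnalyzerGeneral.csv and CodeAnalyzerDFA.csv after each re-scan; an entry in the register only silences the exact file, line and rule you documented, so any new or shifted finding shows up as open.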

If you’re unable to run the Code Analyzer CLI commands successfully, read the Salesforce Code Analyzer documentation. If you still need help, log an issue in the Salesforce Code Analyzer GitHub repository, and provide information about the errors that you encountered when generating scan results for your security review submission.