Test the full scope of your solution using manual testing and automated security scanner
tools. When you perform security scans, include all external endpoints that run independently of
the Salesforce platform. Document false positive security violations, and fix all code that
doesn’t meet Salesforce security guidelines.
Testing Scope
Test all pieces of the solution that you submit for security review. Ensure that the solution
architecture is secure, including endpoints that aren’t hosted on the Salesforce platform. Your
attention to all components and layers of your solution helps minimize the risk of hackers or
malware exploiting potential entry points.
The full scope of your solution is subject to security review testing. For example, we can
perform pen tests that attack your Development Edition test org and attempt to access sensitive
data or authenticate with false credentials.
To determine testing scope, use a follow-the-data approach: wherever the customer or the data goes
is in scope. For example, if your Salesforce customer is required to log in to your company
website, or data is synced to a third-party server, test those pieces to ensure that they
transfer credentials and data securely.
When either of these criteria is true, external endpoints are within the scope of the security
review and a required part of your security testing.
- The endpoint plays a role in authenticating the end user as part of buying, getting support
for, or using your solution. This definition includes a connected app that doesn’t require
manual credential entry.
- Salesforce data is transferred to or from the endpoint.
Before you perform security testing on external endpoints that you don’t
own, complete two actions. First, obtain any necessary permission to perform security testing
from the third parties that own the external endpoints. Second, follow the guidelines in Salesforce IP
Addresses & Domains to Allow.
Automated Scanning Tools
To identify security vulnerabilities in your solution and external endpoints, we require that
you run specific automated security scanning tools.
We strongly recommend that
you run security scans on your code and any connected endpoints throughout the development
lifecycle. Run periodic scans and fix flagged issues as you go to prevent security
vulnerabilities from piling up and creating more work for you later.
If your solution is a managed package, Salesforce Platform API solution, or Marketing Cloud
API solution, it must pass a security review. If you’re listing a managed package, you’re
required to scan your solution using Salesforce Code Analyzer and submit comprehensive scan
results in the AppExchange Security Review Wizard. If you’re unable to use Code Analyzer, you
must provide a clear justification for why you didn’t run Code Analyzer on your code.
If your solution isn’t a managed package, or you choose not to use Code Analyzer, you can
access two Salesforce-supported security scanners on the Partner Security Portal: the Source
Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.
This table summarizes the automated security scanner tools that we require or recommend.
| Tool | Scans | Details | Accepted for security review | Available on the Partner Security Portal |
|---|---|---|---|---|
| Salesforce Code Analyzer | Apex, JavaScript, Lightning, TypeScript, and Visualforce code | Unifies scanning tools, such as ESLint, JavaScript, PMD, Retire JS, and Salesforce Graph Engine, in one easy-to-install Salesforce CLI plug-in. Salesforce Graph Engine in particular helps detect create, read, update, and delete and field-level security (CRUD/FLS) violations. You can install it on a local development machine or integrate it into a continuous integration (CI) process. Includes customized rules to scan Lightning Web Component JavaScript. Doesn't scan external endpoints. Offers multiple output formats: CSV, HTML, JSON, and JUnit. | Yes | No |
| Source Code Scanner (Checkmarx) | Apex, Visualforce, and Lightning code | This static scanning tool uses Checkmarx security technology. You must provide a Checkmarx scan for any security review submission that includes a Salesforce package or component; these scans aren't required for mobile clients or API solutions. You're provisioned three Source Code Scanner runs per package version with the security review fee. If you want the flexibility to scan unpackaged code, or to bypass the three-scan limit and package linking requirements, purchase a license from Checkmarx. | Yes | Yes |
| PMD Source Code Analyzer | Apex code | The PMD scanner is a free, open-source tool that is also available as a VS Code extension. It is an alternative to the Source Code Scanner for solutions that contain Apex code. As you prepare your solution for security review, and as a supplement to the Source Code Scanner, run PMD scans an unlimited number of times. PMD typically reports more false positives than the Source Code Scanner. | No | No |
| Chimera | External endpoints on domains that you own | Chimera checks the external endpoints of a solution and scans them from a Salesforce IP address. This scanner doesn't require a download. You can't use Chimera with endpoints on domains that you don't own, because it requires uploading a token to the root of the external server. If your solution connects to external endpoints that you don't own, use OWASP ZAP or Burp Suite. | Yes | Yes |
| OWASP Zed Attack Proxy (ZAP) | External endpoints | The ZAP scanner is a free, community-driven proxy for web app security testing. ZAP requires a download. Setting Up ZAP for Browser provides guidance for initiating security scans with this tool. | Yes | No |
| Burp Suite | External endpoints | Salesforce doesn't provision Burp Suite licenses for security review; purchase a license independently. Burp Suite requires a download. | Yes | No |
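Two requirements above combine naturally into one piece of CI plumbing: run the scanner on every change, and document (rather than silently ignore) any false positives before submission. The following is an added example, not code from Salesforce or from this page. It reads a scan results file, applies a suppression list in which every entry must carry a written justification, and returns the findings that should still block the build. The JSON shape (a list of per-file objects with a `violations` array holding `ruleName`, `severity`, `line`, and `message`) is an assumption that approximates Code Analyzer's JSON output; the sample results and suppression entries are constructed, and the severity scale (1 = most severe) is likewise assumed.

```python
"""CI gate for static-scan results with documented false positives (added example).

Assumptions, none taken from the Salesforce page:
- The results file has the shape approximated in SAMPLE_RESULTS below
  (a list of per-file objects, each with a `violations` array).
- Severity 1 is the most severe; `threshold` is the least-severe level that
  still blocks the build.
"""
import json
import sys

# Constructed sample of what a results file might contain. Not real scanner output.
SAMPLE_RESULTS = json.dumps([
    {
        "engine": "pmd",
        "fileName": "force-app/main/default/classes/AccountService.cls",
        "violations": [
            {"line": 42, "column": 9, "severity": 1,
             "ruleName": "ApexSOQLInjection", "category": "Security",
             "message": "Avoid untrusted/unescaped variables in DML query"},
            {"line": 88, "column": 5, "severity": 3,
             "ruleName": "ApexCRUDViolation", "category": "Security",
             "message": "Validate CRUD permission before SOQL/DML operation"},
        ],
    },
    {
        "engine": "eslint-lwc",
        "fileName": "force-app/main/default/lwc/banner/banner.js",
        "violations": [
            {"line": 7, "column": 3, "severity": 2,
             "ruleName": "@lwc/lwc/no-inner-html", "category": "Security",
             "message": "Using innerHTML is unsafe"},
        ],
    },
])

# Documented false positives (constructed). Each entry pins file, rule AND line,
# and must state why the finding is a false positive so the justification can be
# handed to the reviewer along with the scan results.
SUPPRESSIONS = [
    {"fileName": "force-app/main/default/classes/AccountService.cls",
     "ruleName": "ApexCRUDViolation", "line": 88,
     "reason": "Object-level access is checked by checkAccess() at line 85."},
]


def load_violations(results_json):
    """Flatten the per-file result objects into one list of finding dicts."""
    findings = []
    for file_result in json.loads(results_json):
        for v in file_result.get("violations", []):
            findings.append({
                "fileName": file_result["fileName"],
                "engine": file_result.get("engine", "unknown"),
                "line": int(v["line"]),
                "severity": int(v["severity"]),
                "ruleName": v["ruleName"],
                "message": v.get("message", ""),
            })
    return findings


def is_suppressed(finding, suppressions):
    """True only if a suppression matches file, rule and line and carries a reason."""
    return any(
        s["fileName"] == finding["fileName"]
        and s["ruleName"] == finding["ruleName"]
        and s["line"] == finding["line"]
        and bool(s.get("reason"))  # an undocumented suppression does not count
        for s in suppressions
    )


def gate(results_json, suppressions, threshold=2):
    """Split findings into (blocking, suppressed).

    A finding blocks when its severity is at or above the threshold (numerically
    <= threshold) and no documented false-positive entry matches it.
    """
    blocking, suppressed = [], []
    for f in load_violations(results_json):
        if is_suppressed(f, suppressions):
            suppressed.append(f)
        elif f["severity"] <= threshold:
            blocking.append(f)
    return blocking, suppressed


def main():
    blocking, suppressed = gate(SAMPLE_RESULTS, SUPPRESSIONS)
    for f in suppressed:
        print(f"suppressed  {f['fileName']}:{f['line']} {f['ruleName']} (documented false positive)")
    for f in blocking:
        print(f"BLOCKING s{f['severity']} {f['fileName']}:{f['line']} {f['ruleName']}: {f['message']}")
    # Non-zero exit fails the CI job while any blocking finding remains.
    sys.exit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

Requiring the suppression to match on line as well as file and rule means a refactor that moves code re-surfaces the finding instead of inheriting an old justification, and requiring a non-empty reason keeps the false-positive list itself reviewable at submission time.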