This content describes an older version of this product.

Security Scanners on the Portal

To identify security vulnerabilities, we require that you run security scanning tools on your solution and all external endpoints that run independently of the Salesforce platform. The Partner Security Portal hosts two of the scanners that we recommend, the Source Code Scanner (Checkmarx) and Chimera.

User Permissions Needed
To access the Source Code Scanner (Checkmarx) on the Partner Security Portal: Author Apex

We strongly recommend that you run security scans on your code and any connected endpoints throughout the development lifecycle. Run periodic scans and fix flagged issues as you go to prevent security vulnerabilities from piling up and creating more work for you later.

Tip

The Partner Security Portal provides access to two Salesforce-supported scanners: the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner service.

The Source Code Scanner (Checkmarx) checks Apex, Visualforce, and Lightning code, but doesn’t check external endpoints of a solution.

Chimera checks external endpoints, but requires you to upload a token to the root of the external server. If your solution connects to endpoints on domains that you own, you can use Chimera. If your solution connects to endpoints on domains that you don’t own, you can’t upload the token and can’t use Chimera. Use an alternative tool. For example, download the free Zed Attack Proxy (ZAP) scanner or purchase a license for Burp Suite.

Just before you submit your solution, run the Source Code Scanner in the Partner Security Portal (this step doesn't apply to mobile clients or API solutions). If your solution connects to any non-Salesforce domains, also run Chimera, ZAP, or Burp Suite against the external endpoints. Include the reports from these scans when you submit your solution for security review.

Security Scanner: Source Code Scanner (Checkmarx)
Scan Targets: Apex, Visualforce, and Lightning code
Considerations:
  • This static scanning tool uses Checkmarx security technology.
  • Mandatory for any security review submission that includes a Salesforce package or component. Not required for mobile clients or API solutions.
  • The security review fee provisions three Source Code Scanner (Checkmarx) runs per solution version. Consider running an alternative tool, such as the open-source PMD Source Code Analyzer, as you develop, and reserve the Source Code Scanner runs for finalizing your submission.
  • To scan unpackaged code, or to bypass scan limits and package-linking requirements, purchase a license from Checkmarx.
  • Before you can scan a package version with the Source Code Scanner, you must link the version to an AppExchange listing.

Security Scanner: Chimera
Scan Targets: External endpoints on domains that you own
Considerations:
  • Checks for security vulnerabilities in the external endpoints of a solution.
  • Scans solutions from a Salesforce IP address.
  • Doesn't require a download.
  • Can't be used with endpoints on domains that you don't own, because it requires uploading a token to the root of the external server.
  • If your solution connects to external endpoints that you don't own, use ZAP or Burp Suite instead of Chimera.