ISVforce Guide
Pass the AppExchange Security Review
Managed packages, Salesforce Platform API solutions, and Marketing Cloud Engagement API solutions must pass our security review before they can be distributed on AppExchange.
The description of the AppExchange Security Review in this section and the links herein are current as of the listed effective date. SFDC may update or modify the AppExchange Security Review from time to time in its sole discretion, with or without notice.
Note
Partner Applications, which include managed packages, Salesforce Platform API solutions, Marketing Cloud Engagement API solutions, and other solutions referred to herein, are Non-SFDC Applications as defined in Salesforce’s Main Services Agreement (available at https://www.salesforce.com/company/legal/agreements or successor URL). Notwithstanding any security review of a Partner Application, Salesforce makes no guarantees regarding the quality or security of any Partner Application, and Customers are responsible for evaluating the quality, security, and functionality of Partner Applications.
AppExchange Security Review
The AppExchange security review tests the security posture of your solution, including how well it protects customer data. The security review helps you identify security vulnerabilities that a hacker, malware, or other threat can exploit.
How the AppExchange Security Review Works
Before initiating an AppExchange security review, perform your own testing and gather supporting materials that help us assess the security of your solution. During a review, our Product Security team attempts to identify security vulnerabilities in your solution. If the team identifies vulnerabilities, you have access to personalized technical guidance to help you address them.
Test Your Entire Solution
Test the full scope of your solution using manual testing and automated security scanner tools. When you perform security scans, include all external endpoints that run independently of the Salesforce platform. Document false-positive security violations, and fix all code that doesn’t meet Salesforce security guidelines.
Scan Your Solution with Salesforce Code Analyzer
As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide the test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal. The tools used are the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.
False Positives
As you navigate the AppExchange security review process, you're likely to encounter false positive issues with your solution. A false positive occurs when a security-scanning tool or code reviewer flags code that appears to pose a security vulnerability but actually doesn’t. Instead, the flagged vulnerability is nonexistent, nonexploitable, or not required to support a valid use case or functionality.
Security Review Resources
These resources can help you prepare for the AppExchange security review.