Scan Your Managed Package with Salesforce Code Analyzer

As an AppExchange partner submitting your managed package for security review, you must scan it with the Salesforce Code Analyzer and include the scan results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the Source Code Scanner, also referred to as the Checkmarx scanner.

User Permissions Needed
To access the Partner Community, Partner Console, and AppExchange Security Review: Manage Listings

When you submit your code and scan report to the AppExchange Security Review, it's not necessary for the scans to be 100% passing. The main requirement is that you run the scans, address all the violations you can fix, re-run the scans, and then submit the report. Some violations, like false positives, may not be fixable. The AppExchange Security team understands these situations and adjusts their review accordingly.

Prerequisites:
  1. Store your managed package's code locally on your computer. Ensure that the code version matches the package you’re submitting for security review.
  2. In Terminal or your favorite command-line interface, change to the top-level directory of your package's code.
  3. Run this command to scan your code using the required rules. The command generates an HTML report with the results.
    sf code-analyzer run --rule-selector AppExchange --rule-selector Recommended:Security --output-file CodeAnalyzerReport.html
    Depending on the complexity of your codebase, the scan of your code can take a few hours.
  4. Fix any issues that Code Analyzer identifies.
  5. Rescan using the same command and save your HTML report file.
  6. Document any false positives.
  7. Upload your clean CodeAnalyzerReport.html file to your security-review submission.
  8. If you have false-positive documentation, upload that too.
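The wrapper below is an added example, not part of the Salesforce documentation or the Code Analyzer project: it runs the required command from step 3, but first checks that it is being run from a package root and stamps the report name with the git commit that was scanned, so the report can be matched to the package version you submit. The commit-stamped filename is an assumed convention of this script, not a submission requirement.

```shell
#!/bin/sh
# Added example: wrapper around the Code Analyzer command the security review
# requires. Not Salesforce code; the report-naming convention is an assumption.
set -eu

# A Salesforce DX package root carries sfdx-project.json. Scanning from a
# subdirectory would silently leave part of the package out of the report.
package_root_ok() {
  [ -f "$1/sfdx-project.json" ]
}

# Report name that records which commit was scanned, so reviewers can match
# the report to the submitted package version. Falls back to "nogit" when the
# directory is not a git checkout.
report_filename() {
  rev=$(git -C "$1" rev-parse --short HEAD 2>/dev/null || echo nogit)
  printf 'CodeAnalyzerReport-%s.html' "$rev"
}

# Runs the scan exactly as the submission requires: the AppExchange rules plus
# the Recommended:Security subset, written to an HTML report.
# Usage: run_scan /path/to/package   (defaults to the current directory)
run_scan() {
  dir="${1:-.}"
  package_root_ok "$dir" || { echo "no sfdx-project.json in $dir" >&2; return 1; }
  report=$(report_filename "$dir")
  (cd "$dir" && sf code-analyzer run \
      --rule-selector AppExchange \
      --rule-selector Recommended:Security \
      --output-file "$report")
  # A scan that aborted before writing the report must not pass as clean.
  [ -s "$dir/$report" ] || { echo "scan produced no report" >&2; return 1; }
  echo "$dir/$report"
}
```

Run `run_scan` once before fixing violations and again afterwards; the second report, with a different commit in its name, is the one to upload.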

If you’re unable to run the Code Analyzer CLI commands successfully, read the Salesforce Code Analyzer documentation. If you still need help, log an issue in the Salesforce Code Analyzer GitHub repository, and provide information about the errors that you encountered when generating the scan report for your security-review submission.