Scan Your Solution with Salesforce Code Analyzer
As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide the results in your solution's AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal: the Source Code Scanner (also referred to as the Checkmarx scanner) and the Chimera scanner.
| User Permissions Needed | |
|---|---|
| To access the Partner Community, Partner Console, and AppExchange Security Review: | Manage Listings |
- Install Salesforce CLI using these instructions.
- To make sure that you’re running the latest version of the CLI, run sf update.
- Install Java Development Kit (JDK) version 8 or later.
- To install Salesforce Code Analyzer, run sf plugins install @salesforce/sfdx-scanner.
- Store your solution’s code locally on your computer. Ensure that the code version matches the package you’re submitting for security review.
- In Terminal or your favorite command-line interface, change to the top-level directory of your solution’s code and metadata.
- Run a first scan with sf scanner run, specifying --category Security, and name the output file CodeAnalyzerGeneral.csv.
- Run a second scan with sf scanner run dfa, specifying --category Security, and name the output file CodeAnalyzerDFA.csv. Depending on the complexity of your codebase, this second Code Analyzer scan can take a few hours.
- Run a third, optional scan with sf scanner run --engine pmd-appexchange, and name the output file CodeAnalyzerPmdAppExchange.csv.
- Fix any issues that Code Analyzer identifies before you submit for security review.
- Rescan and save your results files.
- Document any false positives.
- Upload your clean CodeAnalyzerGeneral.csv, CodeAnalyzerPmdAppExchange.csv, and CodeAnalyzerDFA.csv files to your security-review submission.
- If you have false-positive documentation, upload that, too.
Example

Run the first scan.

```shell
sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security
```

Run the second scan.

```shell
sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security
```

Run the third, optional scan.

```shell
sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./
```
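The following wrapper script is an added example, not part of the Salesforce documentation or the Code Analyzer project. It runs the three scans above with the exact command lines and output file names the submission expects, and then refuses to pass while any result file still contains findings, so the "fix, rescan, upload clean results" loop can be enforced in CI. It assumes Salesforce CLI with the @salesforce/sfdx-scanner plugin is installed, that it is run from the top-level directory of your solution, and that a --format csv result file starts with a single header line followed by one line per finding.

```shell
#!/bin/sh
# Added example, not from the Salesforce documentation: runs the three Code
# Analyzer scans with the expected output file names and gates on the results.
# Assumptions: `sf` with @salesforce/sfdx-scanner is installed, the script runs
# from the solution's top-level directory, and each CSV result file has one
# header line followed by one line per finding.

# Print the exact command line for one scan (general | dfa | pmd-appexchange).
scan_cmd() {
  case "$1" in
    general)
      echo "sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security" ;;
    dfa)
      echo "sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security" ;;
    pmd-appexchange)
      echo "sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./" ;;
    *)
      echo "scan_cmd: unknown scan '$1'" >&2
      return 1 ;;
  esac
}

# Result file that a given scan writes (the names the submission asks for).
scan_file() {
  case "$1" in
    general)         echo CodeAnalyzerGeneral.csv ;;
    dfa)             echo CodeAnalyzerDFA.csv ;;
    pmd-appexchange) echo CodeAnalyzerPmdAppExchange.csv ;;
    *)               return 1 ;;
  esac
}

# Number of findings in a Code Analyzer CSV result file: every non-empty line
# after the header line is one finding. A missing file counts as zero.
finding_count() {
  if [ ! -f "$1" ]; then
    echo 0
    return 0
  fi
  awk 'NR > 1 && NF > 0' "$1" | wc -l | tr -d ' '
}

# Run one scan. The DFA scan can take hours, so the start time is logged.
run_scan() {
  cmd=$(scan_cmd "$1") || return 1
  echo "[$(date '+%H:%M:%S')] $cmd"
  eval "$cmd"
}

run_all_scans() {
  for s in general dfa pmd-appexchange; do
    run_scan "$s" || return 1
  done
}

# Print a per-file summary and exit non-zero while any result file still
# contains findings, so this can serve as a pre-submission gate.
gate_results() {
  status=0
  for s in general dfa pmd-appexchange; do
    f=$(scan_file "$s")
    n=$(finding_count "$f")
    echo "$f: $n finding(s)"
    [ "$n" -eq 0 ] || status=1
  done
  return $status
}

# Usage: ./scan.sh run   (run all three scans, then gate)
#        ./scan.sh gate  (only re-check existing result files)
case "${1:-}" in
  run)  run_all_scans && gate_results ;;
  gate) gate_results ;;
esac
```

Findings you have documented as false positives still count against the gate here; that is deliberate, since the submission wants the CSV files to be clean and the false-positive documentation uploaded alongside them rather than findings silently suppressed.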
If you’re unable to run the Code Analyzer CLI commands successfully, read the Salesforce Code Analyzer documentation. If you still need help, log an issue in the Salesforce Code Analyzer GitHub repository, and provide information about the errors that you encountered when generating scan results for your security-review submission.