ISVforce Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Pass the AppExchange Security Review
Prepare for the AppExchange Security Review
How the AppExchange Security Review Works
Required Materials for Security Review Submission
Listing Readiness for Managed Packages
Check If Your Package Version Is Ready to List on AppExchange
Partner Security Portal
Test Your Entire Solution
Scan Your Solution with Salesforce Code Analyzer
False Positives
The AppExchange Security Review Wizard
Security Review Resources
Manage Your Security Reviews
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Scan Your Solution with Salesforce Code Analyzer

As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal. The tools used are the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.

User Permissions Needed
To access the Partner Community, Partner Console, and AppExchange Security Review: Manage Listings
  • Install Salesforce CLI using these instructions.
  • To make sure that you’re running the latest version of the CLI, run sf update.
  • Install Java Development Kit (JDK) version 8 or later.
  • To install Salesforce Code Analyzer, run sf plugins install @salesforce/sfdx-scanner.
  1. Store your solution’s code locally on your computer. Ensure that the code version matches the package you’re submitting for security review.
  2. In Terminal or your favorite command-line interface, change to the top-level directory of your solution’s code and metadata.
  3. Run a first scan with sf scanner run, specifying --category Security, and name the output file CodeAnalyzerGeneral.csv.
  4. Run a second scan with sf scanner run dfa, specifying --category Security, and name the output file CodeAnalyzerDFA.csv.
    Depending on the complexity of your codebase, the second Code Analyzer scan of your code can take a few hours.
  5. Run a third, optional scan with sf scanner run --engine pmd-appexchange, and name the output file CodeAnalyzerPmdAppExchange.csv.
  6. Fix any issues that Code Analyzer identifies before you submit for security review.
  7. Rescan and save your results files.
  8. Document any false positives.
  9. Upload your clean CodeAnalyzerGeneral.csv, CodeAnalyzerPmdAppExchange.csv, and CodeAnalyzerDFA.csv files to your security-review submission.
  10. If you have false-positive documentation, upload that, too.

Example

Run the first scan.

sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security

Run the second scan.

sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security

Run the third, optional scan.

sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./

If you’re unable to run the Code Analyzer CLI commands successfully, read the Salesforce Code Analyzer documentation. If you still need help, log an issue in the Salesforce Code Analyzer GitHub repository, and provide information about the errors that you encountered when generating scan results for your security-review submission.