Scan Your Solution with Salesforce Code Analyzer

As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal. The tools used are the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.

User Permissions Needed
To access the Partner Community, Partner Console, and AppExchange Security Review: Manage Listings

  • Install Salesforce CLI using these instructions.
  • To make sure that you’re running the latest version of the CLI, run sf update.
  • Install Java Development Kit (JDK) version 8 or later.
  • To install Salesforce Code Analyzer, run sf plugins install @salesforce/sfdx-scanner.

  1. Store your solution’s code locally on your computer. Ensure that the code version matches the package you’re submitting for security review.
  2. In Terminal or your favorite command-line interface, change to the top-level directory of your solution’s code and metadata.
  3. Run a first scan with sf scanner run, specifying --category Security, and name the output file CodeAnalyzerGeneral.csv.
  4. Run a second scan with sf scanner run dfa, specifying --category Security, and name the output file CodeAnalyzerDFA.csv.
    Depending on the complexity of your codebase, the second Code Analyzer scan of your code can take a few hours.
  5. Run a third, optional scan with sf scanner run --engine pmd-appexchange, and name the output file CodeAnalyzerPmdAppExchange.csv.
  6. Fix any issues that Code Analyzer identifies before you submit for security review.
  7. Rescan and save your results files.
  8. Document any false positives.
  9. Upload your clean CodeAnalyzerGeneral.csv, CodeAnalyzerPmdAppExchange.csv, and CodeAnalyzerDFA.csv files to your security-review submission.
  10. If you have false-positive documentation, upload that, too.

Example

Run the first scan.

sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security

Run the second scan.

sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security

Run the third, optional scan.

sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./
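Steps 6 through 10 expect you to rescan, confirm that the saved CSV files are clean, and document any false positives before uploading. The following Python script is an added example, not part of this page or of the Code Analyzer project: it reads a saved report such as CodeAnalyzerGeneral.csv, subtracts the findings you have documented as false positives, and reports whether anything is still open. The CSV column names (Severity, File, Line, Rule) and the sample report are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Code Analyzer CSV report (two findings). The column
# names are an assumption about the scanner's CSV layout, not taken from this page.
SAMPLE_CSV = (
    '"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"\n'
    '"1","1","force-app/main/default/classes/AccountCtl.cls","14","20","ApexSOQLInjection",'
    '"Avoid untrusted variables in SOQL","https://example.invalid/rule","Security","pmd"\n'
    '"2","3","force-app/main/default/classes/AccountCtl.cls","30","9","ApexCRUDViolation",'
    '"Validate CRUD permission before SOQL/DML","https://example.invalid/rule","Security","pmd"\n'
)

REQUIRED_COLUMNS = ("Severity", "File", "Line", "Rule")


def summarize_findings(csv_text, accepted_false_positives=()):
    """Count findings by severity and rule after removing documented false positives.

    accepted_false_positives: iterable of (File, Line, Rule) tuples that you have
    reviewed and written up for the submission. Returns a dict whose "clean" flag
    is True only when no undocumented finding remains.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report is missing columns: {missing}")
    accepted = set(accepted_false_positives)
    by_severity, by_rule, remaining = Counter(), Counter(), []
    for row in reader:
        key = (row["File"], row["Line"], row["Rule"])
        if key in accepted:
            continue  # documented false positive; not counted as open
        by_severity[row["Severity"]] += 1
        by_rule[row["Rule"]] += 1
        remaining.append(key)
    return {"by_severity": dict(by_severity), "by_rule": dict(by_rule),
            "remaining": remaining, "clean": not remaining}


def false_positive_note(file, line, rule, justification):
    """Format one entry for the false-positive document uploaded with the submission."""
    return f"{file}:{line} [{rule}] - false positive: {justification}"


def check_report_file(path, accepted_false_positives=()):
    """Summarize a saved report such as CodeAnalyzerGeneral.csv from disk."""
    with open(path, newline="", encoding="utf-8") as handle:
        return summarize_findings(handle.read(), accepted_false_positives)
```

Run check_report_file on each of the three CSV files; only a result with "clean" set to True, plus a note for every accepted false positive, is ready for the submission.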

If you’re unable to run the Code Analyzer CLI commands successfully, read the Salesforce Code Analyzer documentation. If you still need help, log an issue in the Salesforce Code Analyzer GitHub repository, and provide information about the errors that you encountered when generating scan results for your security-review submission.