ISVforce Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Pass the AppExchange Security Review
Prepare for the AppExchange Security Review
How the AppExchange Security Review Works
Required Materials for Security Review Submission
Listing Readiness for Managed Packages
Check If Your Package Version Is Ready to List on AppExchange
Partner Security Portal
Log In to the Partner Security Portal
Source Code Scanner on the Portal
Types of Security Review Office Hours
Schedule a Security Review Office Hours Appointment
Test Your Entire Solution
Scan Your Managed Package with Salesforce Code Analyzer
False Positives
The AppExchange Security Review Wizard
Security Review Resources
Manage Your Security Reviews
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Source Code Scanner on the Portal

To identify security vulnerabilities, we require that you run security scanning tools on your solution and all external endpoints that run independently of the Salesforce platform. he Partner Security Portal hosts the Source Code Scanner (Checkmarx).

User Permissions Needed
To access the Source Code Scanner (Checkmarx) on the Partner Security Portal: Author Apex

We strongly recommend that you run security scans on your code and any connected endpoints throughout the development lifecycle. Run periodic scans and fix flagged issues as you go to prevent security vulnerabilities from piling up and creating more work for you later.

Tip

The Source Code Scanner (Checkmarx) checks Apex, Visualforce, and Lightning code, but doesn’t check external endpoints of a solution. To scan external endpoints, use any Dynamic Application Security Test (DAST) scanner that you prefer, such as ZAP, Burp Suite, HCL AppScan or WebInspect.

Just before you submit your solution, except for mobile clients and API solutions, run the Source Code Scanner in the Partner Security Portal. If your solution connects to any non-Salesforce domains, also run a DAST scan on the external endpoints. Include reports from your scans when you submit your solution for security review.

The Source Code Scanner (Checkmarx) is a static code analysis tool used to scan Apex, Visualforce, and Lightning code for security vulnerabilities. There are a few things to keep in mind when using this scanner.

  • You’re required to include Source Code Scanner (Checkmarx) scanner reports in any security review submission that includes a Salesforce package or component. They’re not required for mobile clients or API solutions.
  • Three runs per solution version are included in the security review fee. Consider running an alternative tool as you develop, such as the open-source PMD Source Code Analyzer, and the Source Code Scanner as you finalize your submission. Reserve your three runs to create the scanner report that you include in your security review submission.
  • If you want the flexibility and freedom to scan unpackaged code, or bypass scan limits and package linking requirements, purchase a license from Checkmarx.
  • Before you can scan a package version with the Source Code Scanner, you must link the version to an AppExchange listing.