Source Code Scanner on the Portal
| User Permissions Needed | |
|---|---|
| To access the Source Code Scanner (Checkmarx) on the Partner Security Portal: | Author Apex |
The Source Code Scanner (Checkmarx) checks Apex, Visualforce, and Lightning code, but doesn’t check external endpoints of a solution. To scan external endpoints, use any Dynamic Application Security Test (DAST) scanner that you prefer, such as ZAP, Burp Suite, HCL AppScan or WebInspect.
Unless your solution is a mobile client or an API solution, run the Source Code Scanner in the Partner Security Portal just before you submit your solution. If your solution connects to any non-Salesforce domains, also run a DAST scan on the external endpoints. Include the reports from your scans when you submit your solution for security review.
The Source Code Scanner (Checkmarx) is a static code analysis tool used to scan Apex, Visualforce, and Lightning code for security vulnerabilities. There are a few things to keep in mind when using this scanner.
- You’re required to include Source Code Scanner (Checkmarx) reports in any security review submission that includes a Salesforce package or component. They’re not required for mobile clients or API solutions.
- Three runs per solution version are included in the security review fee. Consider running an alternative tool as you develop, such as the open-source PMD Source Code Analyzer, and the Source Code Scanner as you finalize your submission. Reserve your three runs to create the scanner report that you include in your security review submission.
- If you want the flexibility and freedom to scan unpackaged code, or bypass scan limits and package linking requirements, purchase a license from Checkmarx.
- Before you can scan a package version with the Source Code Scanner, you must link the version to an AppExchange listing.