ISVforce Guide
Prepare for the AppExchange Security Review
The AppExchange security review tests the security posture of your solution, including how well it protects customer data. The goal is to help you identify security vulnerabilities that a hacker, malware, or other threat can exploit. Before you submit your solution for review, perform end-to-end testing, configure test environments, and create supporting documentation.
- How the AppExchange Security Review Works
  The security review process is a combination of enforcement mechanisms paired with personalized advice and tools. Before initiating an AppExchange security review, perform your own testing and gather the materials that help us assess the security of your solution. During a review, our Product Security team attempts to identify security vulnerabilities in your solution. Throughout the process, you can get guidance tailored to your solution. Connect with security review team members during their office hours.
- Required Materials for Security Review Submission
  Learn about the materials that you must provide, such as test environments and documentation, when submitting your solution for an AppExchange security review. Mobile apps have platform-specific submission requirements. Extension packages undergo security review and Salesforce requires the same materials for them as for a standalone solution.
- Listing Readiness for Managed Packages
  Listing readiness indicates whether a managed-released package version is ready to list on AppExchange or if it first must pass security review. Learn the difference between security review status and listing readiness. Discover when and how first- and second-generation package (1GP and 2GP) versions inherit listing readiness from previous versions. Make informed decisions about whether to submit a package version for security review.
- Check If Your Package Version Is Ready to List on AppExchange
  Listing readiness indicates whether a managed-released package version is approved to list on AppExchange or if it first must pass security review. If the org that contains the package version is connected to the AppExchange Partner Console, go to the Console's Solution tab to quickly see if the version is ready to list.
- Partner Security Portal
  The Partner Security Portal is the main hub for ISV partners' security review needs. The portal hosts the Source Code Scanner (Checkmarx) and Chimera automated code scanning tools. Use these tools to identify security vulnerabilities in your solution. The portal is also where you go to schedule office hours appointments with AppExchange security engineers and Security Review Operations team members. Office hours provide a forum for you to ask questions about the security review process and to discuss how to rework code that has security vulnerabilities.
- Test Your Entire Solution
  Test the full scope of your solution using manual testing and automated security scanner tools. When you perform security scans, include all external endpoints that run independently of the Salesforce platform. Document false-positive security violations, and fix all code that doesn’t meet Salesforce security guidelines.
- Scan Your Solution with Salesforce Code Analyzer
  As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal. The tools used are the Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner.
- False Positives
  As you navigate the AppExchange security review process, you're likely to encounter false positive issues with your solution. A false positive occurs when a security-scanning tool or code reviewer flags code that appears to pose a security vulnerability but actually doesn’t. Instead, the flagged vulnerability is nonexistent, nonexploitable, or not required to support a valid use case or functionality.
- The AppExchange Security Review Wizard
  Submit your solutions for security review using the security review wizard in the AppExchange Partner Console. After you submit, visit the wizard to track the progress of the submission, review feedback from Salesforce, and communicate with us.
Security Review Resources
These resources can help you prepare for the AppExchange security review.