scanner Commands

Scan code to detect code quality issues and security vulnerabilities.

scanner rule add

Add custom rules to Salesforce Code Analyzer's registry to run them along with the built-in rules.

Description for scanner rule add

Bundle custom PMD rules in JAR files. Follow PMD conventions, such as defining the custom rules in XML files under a `/category/` directory. Compile and test custom rules separately before adding them. See PMD's documentation for more information on writing rules.

Examples for scanner rule add

This example shows how to specify two JAR files directly.

sf scanner rule add --language apex --path "/Users/me/rules/Jar1.jar,/Users/me/rules/Jar2.jar"

This example shows how to specify a directory containing one or more JARs, all of which are added to the registry.

sf scanner rule add --language apex --path "/Users/me/rules"

Flags

--json
Optional

Format output as json.

Type: boolean
-l | --language LANGUAGE
Required

Language that the custom rules are evaluated against.

Type: option
-p | --path PATH
Required

One or more paths (such as a directory or JAR file) to custom rule definitions.

Specify multiple values as a comma-separated list.

Type: option

scanner rule describe

Provide detailed information about a rule that includes the rule's language (such as Apex or Java), the violation it detects, example code of the violation, and the rule's categories and rulesets.

Examples for scanner rule describe

This example shows how to describe the ApexBadCrypto rule.

sf scanner rule describe --rulename ApexBadCrypto

Flags

--json
Optional

Format output as json.

Type: boolean
-n | --rulename RULENAME
Required

The name of the rule.

Type: option
--verbose
Optional

Emit additional command output to stdout.

Type: boolean

scanner rule list

List basic information about all rules matching provided criteria.

Description for scanner rule list

Filter the output to view a smaller set of rules. Use the `scanner rule describe` command to get information about a specific rule.

Examples for scanner rule list

This example invokes the command without filter criteria, which returns all rules.

sf scanner rule list

This example returns all rules for Apex OR JavaScript. Values supplied to a single filter are combined with a logical OR.

sf scanner rule list --language apex,javascript

This example returns all rules that target Apex OR JavaScript, AND are members of the Braces OR Security rulesets. Different filters are combined with a logical AND.

sf scanner rule list --language apex,javascript --ruleset Braces,Security

Flags

--json
Optional

Format output as json.

Type: boolean
--verbose
Optional

Emit additional command output to stdout.

Type: boolean
-c | --category CATEGORY
Optional

Select rules by category.

Specify multiple values as a comma-separated list.

Type: option
-r | --ruleset RULESET
The --ruleset parameter is deprecated and will be removed in a future version. Use --category instead.
Optional

Deprecated. Use --category instead. Select rules by ruleset.

Type: option
-l | --language LANGUAGE
Optional

Select rules by language.

Specify multiple values as a comma-separated list.

Type: option
-e | --engine ENGINE
Optional

Select rules by engine.

Specify multiple values as a comma-separated list.

Type: option
Permissible values are: eslint, eslint-lwc, eslint-typescript, pmd, pmd-appexchange, retire-js, cpd, sfge

scanner rule remove

Remove custom rules from the registry of available rules.

Description for scanner rule remove

Use the `-p|--path` parameter to specify one or more paths to remove. If you don't specify any parameters, the command lists all valid custom paths but doesn't remove any.

Examples for scanner rule remove

This example runs the command without arguments to see a list of registered custom paths.

sf scanner rule remove

This example uses the --path parameter to deregister the rules defined in somerules.jar and any JARs/XMLs contained in the rules folder.

sf scanner rule remove --path "~/path/to/somerules.jar,~/path/to/folder/containing/rules"

This example uses the --force flag to bypass the confirmation prompt and remove all rules defined in somerules.jar. By default, the command displays the list of rules that will be unregistered and asks you to confirm; --force skips that confirmation.

sf scanner rule remove --force --path "~/path/to/somerules.jar"

Flags

--json
Optional

Format output as json.

Type: boolean
--verbose
Optional

Emit additional command output to stdout.

Type: boolean
-f | --force
Optional

Bypass the confirmation prompt and immediately remove the rules.

Type: boolean
-p | --path PATH
Optional

One or more paths to remove.

Specify multiple values with a comma-separated list.

Type: option

scanner run

Scan a codebase with all the rules in the registry, or use parameters to filter the rules based on rulename, category, or ruleset.

Description for scanner run

Specify the format of the output, such as XML or JUnit. Print the output to the console (default) or to a file using the --outfile parameter.

Examples for scanner run

This example evaluates all rules against somefile.js. Invoking Code Analyzer without specifying any rules causes all rules to be run.

sf scanner run --format xml --target "somefile.js"

This example evaluates all rules in the Design and Best Practices categories. When you specify multiple categories or rulesets, the results are combined with a logical OR.

sf scanner run --format xml --target "somefile.js" --

These examples evaluate rules against all .js files in the current directory, except for IgnoreMe.js. Unix example:

sf scanner run --target './**/*.js,!./**/IgnoreMe.js' ...

Windows example:

sf scanner run --target ".\**\*.js,!.\**\IgnoreMe.js" ...

This example scans the project contained in '/my-project' if the current working directory is another directory. Specify tsconfig.json if the current working directory does not contain the tsconfig.json that corresponds to the TypeScript files being scanned.

sf scanner run --target "/my-project/**/*.ts" --tsconfig "/my-project/tsconfig.json"

This example evaluates rules against somefile.js, including Jasmine in the environment variables. Uses --env to override the default ESLint environment variables to add frameworks.

sf scanner run --target "somefile.js" --env '{"jasmine": true}'

This example evaluates rules against somefile.js using the eslint-lwc and pmd engines. Use --engine to include or exclude engines. Any engine listed is run, regardless of its current 'disabled' attribute.

sf scanner run --target "somefile.js" --engine "eslint-lwc,pmd"

This example executes the CPD engine against known file extensions in "/some/dir". CPD helps detect blocks of duplicated code in the selected languages. Use --engine to invoke engines that are not enabled by default.

sf scanner run --target "/some/dir" --engine cpd

This example executes rules defined in pmd_rule_ref.xml against the files in 'src'. To use PMD with your own rule reference file, use --pmdconfig. Note that rule filters are not applied.

sf scanner run --target "src" --pmdconfig "pmd_rule_ref.xml"

This example uses a custom config to scan the files in 'src'. To use ESLint with your own .eslintrc.json file, use --eslintconfig. Make sure that the directory you run the command from has all the NPM dependencies installed.

sf scanner run --target "src" --eslintconfig "/home/my/setup/.eslintrc.json"

This example uses --normalize-severity to output normalized severity and engine-specific severity across all engines. Normalized severity is: 1 (high), 2 (moderate), and 3 (low).

sf scanner run --target "/some-project/" --format csv --normalize-severity

This example uses --severity-threshold to throw a non-zero exit code when rule violations of normalized severity 2 or greater are found. If any violations with the specified severity (or greater) are found, the exit code equals the severity of the most severe violation.

sf scanner run --target "/some-project/" --severity-threshold 2

These examples show that the paths specified for --projectdir must, taken together, contain all files specified through --target.

sf scanner run --target "./myproject/main/default/classes/*.cls" --projectdir "./myproject/"
sf scanner run --target "./**/*.cls" --projectdir "./"
sf scanner run --target "./dir1/file1.cls,./dir2/file2.cls" --projectdir "./dir1/,./dir2/"

This example fails because the set of files included in --target is larger than that contained in --projectdir.

sf scanner run --target "./**/*.cls" --projectdir "./myproject/"
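The --target and --projectdir rules from the examples above as a small runnable model (added here as an example; this is not code from the sf CLI or its documentation): it expands the comma-separated glob list with `!` exclusions against a constructed file list, then reports targeted files that fall outside every --projectdir root, which is the condition the last example fails on. The glob translation (`**` spanning directories, `*` within one segment, backslashes normalised to `/`) is an assumption about how the CLI interprets patterns, and SAMPLE_FILES is constructed.

```python
import re
from typing import Iterable, List


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a --target glob into a regex (assumed semantics: '**/' is
    zero or more directory levels, '*' and '?' stay within one segment,
    backslashes from the Windows examples are normalised to '/')."""
    pattern = pattern.replace("\\", "/")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")


def select_targets(target_spec: str, files: Iterable[str]) -> List[str]:
    """Apply a comma-separated --target list: plain entries include, entries
    prefixed with '!' exclude (as in './**/*.js,!./**/IgnoreMe.js')."""
    includes, excludes = [], []
    for raw in (e.strip() for e in target_spec.split(",") if e.strip()):
        bucket = excludes if raw.startswith("!") else includes
        bucket.append(glob_to_regex(raw.lstrip("!")))
    return [
        f for f in (p.replace("\\", "/") for p in files)
        if any(inc.match(f) for inc in includes)
        and not any(exc.match(f) for exc in excludes)
    ]


def outside_projectdir(selected: List[str], projectdirs: str) -> List[str]:
    """Targeted files under none of the comma-separated --projectdir roots;
    a non-empty result is the case the CLI rejects."""
    roots = [d.strip().replace("\\", "/").rstrip("/") + "/"
             for d in projectdirs.split(",") if d.strip()]
    return [f for f in selected if not any(f.startswith(r) for r in roots)]


# Constructed sample tree (not from the page) for trying the helpers.
SAMPLE_FILES = [
    "./myproject/main/default/classes/Foo.cls",
    "./myproject/main/default/classes/Bar.cls",
    "./myproject/IgnoreMe.cls",
    "./other/Baz.cls",
]
```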

Flags

--verbose
Optional

Emit additional command output to stdout.

Type: boolean
-c | --category CATEGORY
Optional

One or more categories of rules to run.

Specify multiple values as a comma-separated list.

Type: option
-f | --format FORMAT
Optional

The output format for results written directly to the console.

Type: option
Permissible values are: csv, html, json, junit, sarif, table, xml
-o | --outfile OUTFILE
Optional

File to write output to.

Type: option
-s | --severity-threshold SEVERITY-THRESHOLD
Optional

An error will be thrown when a violation is found with a severity equal to or greater than the specified level.

Values are 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. Using this flag also invokes the --normalize-severity flag.

Type: option
--normalize-severity
Optional

Include normalized severity levels 1 (high), 2 (moderate), and 3 (low) with the results.

For the html option, the normalized severity is displayed instead of the engine severity.

Type: boolean
-p | --projectdir PROJECTDIR
Optional

The relative or absolute root project directories used to set the context for Graph Engine's analysis.

Specify multiple values as a comma-separated list. Each project directory must be a path, not a glob. If --projectdir isn’t specified, a default value is calculated. The default value is a directory that contains all the target files.

Type: option
--json
Optional

Format output as json.

Type: boolean
-r | --ruleset RULESET
The --ruleset parameter is deprecated and will be removed in a future version. Use --category instead.
Optional

[Deprecated] Rulesets to run.

Use --category instead. One or more rulesets to run. Specify multiple values as a comma-separated list.

Type: option
-e | --engine ENGINE
Optional

Specify which engines to run.

Submit multiple values as a comma-separated list.

Type: option
Permissible values are: eslint, eslint-lwc, eslint-typescript, pmd, pmd-appexchange, retire-js, sfge, cpd
-t | --target TARGET
Optional

Source code location.

Specify multiple values as a comma-separated list. Can use glob patterns. Default is ".".

Type: option
--tsconfig TSCONFIG
Optional

Location of the tsconfig.json file used by the eslint-typescript engine. The --tsconfig flag can't be used with the --eslintconfig flag.

Type: option
--eslintconfig ESLINTCONFIG
Optional

Location of the .eslintrc config file used to customize the eslint engine. The --eslintconfig flag can't be used with the --tsconfig flag.

Type: option
--pmdconfig PMDCONFIG
Optional

Location of PMD rule reference XML file to customize rule selection.

Type: option
--env ENV
The --env parameter is deprecated and will be removed in a future version.
Optional

[Deprecated] Override ESLint's default environment variables, as a JSON-formatted string.

Overrides ESLint's default environment variables, supplied as a JSON-formatted string.

Type: option
--verbose-violations
Optional

Includes Retire-js violation-message details about each vulnerability in the results, including summary, common vulnerabilities and exposures (CVE), and URLs.

Type: boolean

scanner run dfa

Scan a codebase with all DFA rules by default.

Description for scanner run dfa

Specify the format of the output and print the results to the console, or write them to the file that you provide with the --outfile flag.

Examples for scanner run dfa

These examples show how the paths specified for --projectdir must contain all files specified through --target cumulatively.

sf scanner run dfa --target "./**/*.cls" --projectdir "./"
sf scanner run dfa --target "./dir1/file1.cls,./dir2/file2.cls" --projectdir "./dir1/,./dir2/"

This example fails because the set of files included in --target is larger than that contained in --projectdir.

sf scanner run dfa --target "./**/*.cls" --projectdir "./myproject/"

Globs must be wrapped in quotes, as in these Windows and Unix examples, which evaluate rules against all .cls files in the current directory and subdirectories except for IgnoreMe.cls. Unix example:

sf scanner run dfa --target "./**/*.cls,!./**/IgnoreMe.cls" ...

Windows example:

sf scanner run dfa --target ".\**\*.cls,!.\**\IgnoreMe.cls" ...

You can target individual methods within a file by appending a hash (#) to the file's path, followed by a semicolon-delimited list of method names. This syntax is incompatible with globs and directories. This example evaluates rules against all methods named Method1 or Method2 in File1.cls, and all methods named Method3 in File2.cls.

sf scanner run dfa --target "./File1.cls#Method1;Method2,./File2.cls#Method3" ...

Use --normalize-severity to output a normalized severity across all engines, in addition to the engine-specific severity. Normalized severity is 1 (high), 2 (moderate), and 3 (low).

sf scanner run dfa --target "./some-project/" --projectdir "./some-project/" --format csv --normalize-severity

Use --severity-threshold to throw a non-zero exit code when rule violations of a specific normalized severity or greater are found. If there are any rule violations with a severity of 2 or 1, the exit code is equal to the severity of the most severe violation.

sf scanner run dfa --target "./some-project/" --projectdir "./some-project/" --severity-threshold 2

Use --rule-thread-count to allow more (or fewer) entrypoints to be evaluated concurrently.

sf scanner run dfa --rule-thread-count 6 ...

Use --rule-thread-timeout to increase or decrease the maximum runtime for a single entrypoint evaluation. This increases the timeout from the 15-minute default to 150 minutes.

sf scanner run dfa --rule-thread-timeout 9000000 ...

Use --sfgejvmargs to pass Java Virtual Machine args that override system defaults while executing Salesforce Graph Engine's rules. This example overrides the system's default heap space allocation to 8 GB, which decreases the chances of encountering an OutOfMemory error.

sf scanner run dfa --sfgejvmargs "-Xmx8g" ...

Use --with-pilot to allow execution of pilot rules. This example allows pilot rules in the "Performance" category to execute.

sf scanner run dfa --category 'Performance' --with-pilot ...
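Two of the rules described above in runnable form, added here as an example (not code from the sf CLI): a parser for the dfa --target `#` method syntax that enforces its stated incompatibility with globs and directories, and the exit-code rule of --severity-threshold, which applies to both scanner run and scanner run dfa. The identifier pattern accepted for method names is an assumption.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumed shape of an Apex method name; the page does not define one.
METHOD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def parse_dfa_targets(target_spec: str) -> Dict[str, Optional[List[str]]]:
    """Parse a 'scanner run dfa' --target value.

    Each comma-separated entry is either a path or glob (mapped to None,
    i.e. every entry point in it) or 'File.cls#Method1;Method2' (mapped to
    the method list). The '#' form is incompatible with globs and
    directories, so those combinations raise ValueError."""
    result: Dict[str, Optional[List[str]]] = {}
    for entry in (e.strip() for e in target_spec.split(",") if e.strip()):
        path, sep, methods = entry.partition("#")
        if not sep:
            result[path] = None
            continue
        if any(ch in path for ch in "*?") or path.endswith(("/", "\\")):
            raise ValueError(f"'#' cannot follow a glob or directory: {entry!r}")
        names = [m.strip() for m in methods.split(";") if m.strip()]
        if not names or not all(METHOD_NAME.match(n) for n in names):
            raise ValueError(f"invalid method list in {entry!r}")
        result[path] = names
    return result


def threshold_exit_code(normalized_severities: Iterable[int], threshold: int) -> int:
    """Model the documented --severity-threshold behaviour.

    Normalized severity is 1 (high), 2 (moderate) or 3 (low), so 'threshold
    or greater' means a numeric value <= threshold. Returns 0 when nothing
    qualifies, otherwise the number of the most severe qualifying violation,
    which is the value the CLI uses as its exit code."""
    if threshold not in (1, 2, 3):
        raise ValueError("threshold must be 1, 2 or 3")
    hits = [s for s in normalized_severities if s <= threshold]
    return min(hits) if hits else 0
```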

Flags

--verbose
Optional

Emit additional command output to stdout.

Type: boolean
-c | --category CATEGORY
Optional

One or more categories of rules to run.

Specify multiple values as a comma-separated list.

Type: option
-f | --format FORMAT
Optional

The output format for results written directly to the console.

Type: option
Permissible values are: csv, html, json, junit, sarif, table, xml
-o | --outfile OUTFILE
Optional

File to write output to.

Type: option
-s | --severity-threshold SEVERITY-THRESHOLD
Optional

An error will be thrown when a violation is found with a severity equal to or greater than the specified level.

Values are 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. Using this flag also invokes the --normalize-severity flag.

Type: option
--normalize-severity
Optional

Include normalized severity levels 1 (high), 2 (moderate), and 3 (low) with the results.

For the html option, the normalized severity is displayed instead of the engine severity.

Type: boolean
-p | --projectdir PROJECTDIR
Optional

The relative or absolute root project directories used to set the context for Graph Engine's analysis.

Specify multiple values as a comma-separated list. Each project directory must be a path, not a glob. If --projectdir isn’t specified, a default value is calculated. The default value is a directory that contains all the target files.

Type: option
--json
Optional

Format output as json.

Type: boolean
--with-pilot
Optional

Allow pilot rules to execute.

Type: boolean
-t | --target TARGET
Optional

Source code location.

Use glob patterns or specify individual methods with #-syntax. Multiple values are specified as a comma-separated list. Default is ".".

Type: option
--rule-thread-count RULE-THREAD-COUNT
Optional

Number of DFA rule-evaluation threads or how many entry points can be evaluated concurrently. Inherits its value from the SFGE_RULE_THREAD_COUNT environment variable, if set.

Type: option
--rule-thread-timeout RULE-THREAD-TIMEOUT
Optional

Time limit, in milliseconds, for evaluating a single entry point. Inherits its value from the "SFGE_RULE_THREAD_TIMEOUT" environment variable, if set.

Type: option
--rule-disable-warning-violation
Optional

Disable warning violations from Salesforce Graph Engine. Inherits value from SFGE_RULE_DISABLE_WARNING_VIOLATION env-var, if set.

Warning violations include, for example, those reported on StripInaccessible READ access. Use this flag to get only high-severity violations.

Type: boolean
--sfgejvmargs SFGEJVMARGS
Optional

Java Virtual Machine (JVM) arguments to override system defaults while executing Salesforce Graph Engine.

Separate multiple arguments by a space.

Type: option
--pathexplimit PATHEXPLIMIT
Optional

Path expansion upper boundary that limits the complexity of code Graph Engine analyzes before it fails the run. Inherits its value from the SFGE_PATH_EXPANSION_LIMIT environment variable, if set.

Set the value to -1 to remove any upper boundary. Its default value is derived from JVM heap space allocation.

Type: option