Produce Code Analyzer Reports for AppExchange Security Review
If you're an AppExchange partner and plan to list a managed package on AppExchange, the package must undergo and pass security review. Part of the security review process is scanning your code with Code Analyzer and uploading the scan reports.
To produce the required scan reports for your AppExchange listing, you must run Code Analyzer using the CLI commands, either in VS Code's integrated terminal or in a standalone terminal or command window. Use --rule-selector Recommended --rule-selector AppExchange to select the AppExchange rules. For example:
Then attach your scan reports to your submission in the AppExchange Security Review Wizard. See Scan Your Solution with Salesforce Code Analyzer for details.
When you submit your code and scan reports to the AppExchange Security Review, it's not necessary for the scans to be 100% passing. The main requirement is that you run the scans, address all the violations you can fix, re-run the scans, and then submit the reports. Some violations, like false positives, may not be fixable, and the AppExchange Security team understands these situations and adjusts their review accordingly.
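The following wrapper script is an added example, not code from the Salesforce documentation or from the Code Analyzer project. It invokes the scan with the two rule selectors named above and writes one HTML report (to attach in the Security Review Wizard) and one CSV report (to track which violations you have fixed between runs). The `sf code-analyzer run` command and its `--workspace` and `--output-file` flags are assumed from the Code Analyzer v5 CLI; confirm them against your installed version with `sf code-analyzer run --help`. The CSV layout (one header row, then one row per violation) is also an assumption.

```shell
#!/bin/sh
# Added example (not from the Salesforce docs): run the Code Analyzer scan that
# the AppExchange security review expects and sanity-check its reports.
# Assumed CLI surface: `sf code-analyzer run`, `--workspace`, `--output-file`.

# The rule selectors the review requires (these two are stated on the page).
scan_rule_flags() {
    printf '%s' '--rule-selector Recommended --rule-selector AppExchange'
}

# Scan one workspace and write HTML + CSV reports with a common base name.
# Returns the CLI's own exit status, or 127 when the sf CLI is not installed.
run_scan() {
    workspace="$1"
    report_base="$2"
    if ! command -v sf >/dev/null 2>&1; then
        echo "sf CLI not found; install Salesforce CLI and the code-analyzer plugin" >&2
        return 127
    fi
    # Word-splitting of scan_rule_flags is intentional: it yields four arguments.
    # shellcheck disable=SC2046
    sf code-analyzer run $(scan_rule_flags) \
        --workspace "$workspace" \
        --output-file "$report_base.html" \
        --output-file "$report_base.csv"
}

# Succeed only if both report files were produced for the given base name.
reports_present() {
    [ -f "$1.html" ] && [ -f "$1.csv" ]
}

# Count violation rows in the CSV report (assumed format: header + one row per
# violation). Prints 0 and fails if the file is missing, so a re-run that
# silently produced nothing is not mistaken for a clean scan.
count_csv_violations() {
    csv="$1"
    if [ ! -f "$csv" ]; then
        echo 0
        return 1
    fi
    n=$(($(wc -l < "$csv")))
    [ "$n" -gt 0 ] && n=$((n - 1))
    echo "$n"
}

# Stand-alone use: set CODE_ANALYZER_WORKSPACE to your package source directory.
# The scan only runs when the CLI is present, so sourcing this file is harmless.
if command -v sf >/dev/null 2>&1 && [ -n "${CODE_ANALYZER_WORKSPACE:-}" ]; then
    base="appexchange-scan"
    run_scan "$CODE_ANALYZER_WORKSPACE" "$base"
    if reports_present "$base"; then
        echo "violations remaining: $(count_csv_violations "$base.csv")"
    fi
fi
```

Run it once, fix what you can, run it again and compare the two CSV counts; the HTML reports from the final run are what you attach to the submission.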