CI/CD Integration with Code Analyzer

We recommend that you integrate Salesforce Code Analyzer into your Continuous Integration/Continuous Development (CI/CD) process to scan your code regularly for potential problems. Code Analyzer makes it easier to identify issues ahead of submitting your code for the AppExchange Security Review.

To integrate Code Analyzer into your CI/CD tool, call the appropriate run command in any scripts used by your tool. We recommend that you call:

  • sf scanner run whenever CI/CD detects changes to code.
  • sf scanner run dfa with --target=<all classes> on a scheduled basis, such as nightly. We recommend running sf scanner run dfa only on a schedule because Salesforce Graph Engine can take some time to execute when you include all target classes, depending on the number of paths it generates. Alternatively, you can limit the number of paths and speed up Graph Engine execution in your CI/CD by reducing the number of targets with the flag --target=<specific class>.
  • <all classes>, <specific class>: The source code location.

Follow these CI/CD best practices.

  • Use the --format=junit flag; JUnit is a standard results format that CI/CD tools can consume.
  • To write your results to a file and produce a results artifact for use with your CI/CD tool, use the -o/--outfile=<name>.xml flag.
  • To cause a non-zero exit code when any violations meet or exceed the provided severity value, use the -s/--severity-threshold flag. Many CI/CD tools require thresholds.
  • <name>.xml: The location where to write the output file.
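The two recommendations above, combined into one CI step, as an added example that is not part of the Salesforce documentation: a per-change scan with sf scanner run and a scheduled Graph Engine scan with sf scanner run dfa, both writing a JUnit results artifact and failing the job through --severity-threshold. The sf CLI on PATH, the force-app source directory, the scan-results output directory, the threshold value 2 and the push/schedule argument are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Salesforce docs: drive `sf scanner run` or
# `sf scanner run dfa` with the CI flags described above, keep the JUnit
# file as a build artifact, and fail the step on the scanner's non-zero exit.
# Assumptions (constructed): the sf CLI with the scanner plugin is on PATH,
# sources live under force-app, results go to ./scan-results, threshold 2.
set -u

TARGET="force-app"
RESULTS_DIR="scan-results"
THRESHOLD=2

# Build the scanner argument list for either a per-change "run" scan
# or a scheduled "dfa" (Graph Engine) scan over all targets.
scanner_args() {
  mode="$1"; target="$2"; outfile="$3"; threshold="$4"
  if [ "$mode" = "dfa" ]; then cmd="run dfa"; else cmd="run"; fi
  echo "$cmd --target=$target --format=junit --outfile=$outfile --severity-threshold=$threshold"
}

# Map the scanner exit status to the job result: with --severity-threshold
# the CLI exits non-zero whenever a violation meets or exceeds the threshold.
ci_verdict() {
  if [ "$1" -eq 0 ]; then echo "pass"; else echo "fail"; fi
}

# Run one scan; returns non-zero so the CI step fails on violations.
run_scan() {
  mode="$1"
  outfile="$RESULTS_DIR/scanner-$mode.xml"
  mkdir -p "$RESULTS_DIR"
  # Word splitting of the flag list is intended here.
  # shellcheck disable=SC2046
  if sf scanner $(scanner_args "$mode" "$TARGET" "$outfile" "$THRESHOLD"); then rc=0; else rc=$?; fi
  verdict=$(ci_verdict "$rc")
  echo "scanner mode=$mode exit=$rc verdict=$verdict results=$outfile"
  [ -f "$outfile" ] || echo "warning: no results file was written; check the CLI output"
  [ "$verdict" = "pass" ]
}

# Usage from the pipeline: `sh ci-scan.sh push` on every change,
# `sh ci-scan.sh schedule` from the nightly job for the full DFA scan.
if [ $# -gt 0 ]; then
  case "$1" in
    schedule) run_scan dfa ;;
    *)        run_scan run ;;
  esac
fi
```

Upload the scan-results directory as the job's artifact so the JUnit file is available to the CI/CD tool's test reporter.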

To accelerate your continuous integration/continuous development (CI/CD) process, create a GitHub Action workflow that uses the run-code-analyzer GitHub Action. GitHub Action workflows provide opportunities to automate your entire pipeline, from building and testing to deployment. The run-code-analyzer GitHub Action scans your code for violations using Salesforce Code Analyzer, uploads the results as an artifact, and displays the results as a job summary.

If you’re using DevOps Center, you can use the run-code-analyzer GitHub Action as you promote changes, helping you identify and address issues earlier in your development pipeline.

With the run-code-analyzer Action, you can customize:

  • Which Salesforce Code Analyzer command to run: run or run dfa
  • What arguments to pass with your scan
  • The name of the results artifact

With run-code-analyzer, take control of your workflow’s next steps with these outputs:

  • The Salesforce Code Analyzer execution exit code
  • The total number of violations found
  • The number of normalized low-, medium-, and high-severity violations found

For usage info on the run-code-analyzer GitHub Action, read run-code-analyzer documentation on the GitHub Actions Marketplace.

Our community of users continues to develop templates and tools that help you speed up Code Analyzer integration into your CI/CD process.

Try these community tools: