CI/CD Integration with Code Analyzer (Beta)
We recommend that you integrate Salesforce Code Analyzer into your Continuous Integration/Continuous Development (CI/CD) process to scan your code regularly for potential problems.
Code Analyzer v5 is a pilot or beta service that is subject to the Beta Services Terms at Agreements - Salesforce.com or a written Unified Pilot Agreement if executed by Customer, and applicable terms in the Product Terms Directory. Use of this pilot or beta service is at the Customer's sole discretion.
To integrate Code Analyzer into your CI/CD tool, call the code-analyzer run CLI command in any scripts used by your tool. Call the command whenever CI/CD detects changes to your code.
Follow these CI/CD best practices.
- To write your results to a file and produce a results artifact for use with your CI/CD tool, use the -f/--output-file flag. Use file extensions to specify the format of the output file. For example, --output-file results.xml creates an XML file.
- To cause a non-zero exit code when any violations meet or exceed the provided value, use the -t/--severity-threshold flag. Many CI/CD tools require thresholds.
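One way to wrap the two flags above in a CI step, as an added example rather than Salesforce's own script. The names scan_gate and CODE_ANALYZER_CMD and the 0/1/2 return codes are assumptions, as is invoking the command through the Salesforce CLI as sf code-analyzer run. The step fails closed when the run leaves no results file, so a stale artifact cannot stand in for a scan that never completed.

```shell
#!/bin/sh
# Added example: a CI gate around the scan. Not Salesforce's own script.
# CODE_ANALYZER_CMD, scan_gate and the 0/1/2 return codes are assumptions
# made for this sketch; only the two flags come from the page.

# Overridable so the step can be exercised without the CLI installed.
CODE_ANALYZER_CMD=${CODE_ANALYZER_CMD:-"sf code-analyzer run"}

# scan_gate RESULTS_FILE THRESHOLD
#   0 = the scan wrote results and exited zero
#   1 = the scan wrote results but exited non-zero (threshold met or exceeded)
#   2 = no usable results file: fail closed, whatever the exit code was
scan_gate() {
    results_file=$1
    threshold=$2

    # Remove any artifact left by an earlier run so it cannot be mistaken
    # for the output of this one.
    rm -f "$results_file"

    scan_rc=0
    # Unquoted on purpose: the variable holds a command plus its subcommand.
    $CODE_ANALYZER_CMD --output-file "$results_file" \
        --severity-threshold "$threshold" || scan_rc=$?

    if [ ! -s "$results_file" ]; then
        echo "scan produced no results file (exit $scan_rc)" >&2
        return 2
    fi
    if [ "$scan_rc" -ne 0 ]; then
        echo "scan exited $scan_rc (threshold $threshold); results kept in $results_file" >&2
        return 1
    fi
    return 0
}

# Typical call from a pipeline script, with the threshold supplied by the job:
#   scan_gate results.xml "$SEVERITY_THRESHOLD"
```

Archive the results file in a step that runs even when this one fails, so the findings that broke the build stay available to reviewers.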
To accelerate your continuous integration/continuous development (CI/CD), create a GitHub Action workflow that uses the run-code-analyzer GitHub Action. GitHub Action workflows provide opportunities to automate your entire pipeline, from building and testing to deployment. The run-code-analyzer GitHub Action scans your code for violations using Salesforce Code Analyzer, uploads the results as an artifact, and displays the results as a job summary.
Be sure you use v2 of the run-code-analyzer GitHub Action, which in turn uses Code Analyzer v5. The old v1 version of the GitHub Action uses Code Analyzer v4, which we plan to stop supporting in the future.
If you’re using DevOps Center, you can use the run-code-analyzer GitHub Action as you promote changes, helping you identify and address issues earlier in your development pipeline.
With the run-code-analyzer Action, you can:
- Customize what arguments to pass with your scan.
- Customize the name of the results artifact.
- Pass it a checked-in code-analyzer.yml file, just like with the code-analyzer run CLI command.
With run-code-analyzer, take control of your workflow’s next steps with these outputs:
- The Salesforce Code Analyzer execution exit code.
- The total number of violations found.
- The number of critical-, high-, medium-, low-, and info-severity violations found.
For usage info on the run-code-analyzer GitHub Action, read the run-code-analyzer documentation on the GitHub Actions Marketplace.