CI/CD Integration with Code Analyzer

We recommend that you integrate Salesforce Code Analyzer into your Continuous Integration/Continuous Development (CI/CD) process to scan your code regularly for potential problems.

To integrate Code Analyzer into your CI/CD tool, call the code-analyzer run CLI command in any scripts used by your tool. Call the command whenever CI/CD detects changes to your code.

Follow these CI/CD best practices.

  • To write your results to a file and produce a results artifact for use with your CI/CD tool, use the -f/--output-file flag. Use file extensions to specify the format of the output file. For example, --output-file results.xml creates an XML file.
  • To cause a non-zero exit code when any violations meet or exceed the provided value, use the -t/–-severity-threshold flag. Many CI/CD tools require thresholds.

To accelerate your continuous integration/continuous (CI/CD) development, create a GitHub Action workflow that uses the run-code-analyzer GitHub Action. GitHub Action workflows provide opportunities to automate your entire pipeline, from building and testing to deployment. The run-code-analyzer GitHub Action scans your code for violations using Salesforce Code Analyzer, uploads the results as an artifact, and displays the results as a job summary.

Be sure you use v2 of the run-code-analyzer GitHub Action, which in turn uses Code Analyzer v5. The old v1 version of the GitHub Action uses Code Analyzer v4, which is retired and no longer supported.

If you’re using DevOps Center, you can use the run-code-analyzer GitHub Action as you promote changes, helping you identify and address issues earlier in your development pipeline.

With the run-code-analyzer Action, you can:

  • Customize what arguments to pass with your scan.
  • Customize the name of the results artifact.
  • Pass it a checked-in code-analyzer.yml file, just like with the code-analyzer run CLI command.

With run-code-analyzer, take control of your workflow’s next steps with these outputs:

  • The Salesforce Code Analyzer execution exit code.
  • The total number of violations found.
  • The number of critical-, high-, medium-, low-, and info-severity violations found.

For usage info on the run-code-analyzer GitHub Action, read run-code-analyzer documentation on the GitHub Actions Marketplace.

Our community of users also develop tools that help you speed up Salesforce Code Analyzer integration into your CI/CD process.

The Salesforce Code Analyzer Task extension works with Azure DevOps and allows you to run Salesforce Code Analyzer v5 on the changed files in a pull request or on full branches to identify technical debt. It reports code violations, publishes results, and can fail the build to let you block merges. This tool was developed by Sam Crossland.

If you’re using Copado for your DevOps needs, then you can use Code Analyzer for Copado to run Code Analyzer as a quality gate in your pipeline. It runs on the changed components in your commits and deployments. You can choose the severity of errors that cause it to fail and block your deployments, or just report violations without blocking. As with standard Code Analyzer, you can also use the configuration file to customize which engines are run, create new rules, and customize existing rules. This tool was developed by Abhishek Saxena.