Use the VS Code Extension to Analyze Your Code

The Salesforce Code Analyzer Visual Studio (VS) Code Extension integrates many of Code Analyzer's most useful features into VS Code, so you can run them with clicks instead of terminal commands.

Code Analyzer scans your code with several static analyzers, also known as rule engines; the engines this page refers to are PMD, ESLint, RetireJS, and Salesforce Graph Engine.

The Salesforce Code Analyzer VS Code Extension is included in the Salesforce for VS Code expanded pack. The Code Analyzer VS Code extension also relies on Salesforce CLI. To ensure that all these moving parts work together, make sure you adhere to these minimum system requirements:

  • Visual Studio Code: Version 1.82.0 or later.
  • Java Platform, Standard Edition Development Kit (JDK): Versions 11, 17, or 21.
  • Salesforce CLI: Version 2.0.2 or later.

To install the extension:

  1. Install Salesforce CLI.

  2. Install the Salesforce Extensions for Visual Studio Code (Expanded) extension pack.

    This extension pack installs tools for developing on Salesforce Platform, including the Code Analyzer VS Code extension. The extension also installs the required Salesforce Code Analyzer CLI plugin (@salesforce/sfdx-scanner) using this CLI command:

  3. (Optional) Specify the engines you want to use in your code scans. VS Code is configured to run a default set of engines, but you can specify more. To learn how to specify the engines, and other settings, see Use Settings to Customize How Code Analyzer Works.

You can also install the Code Analyzer VS Code extension on its own if you prefer not to install the full Salesforce expanded pack.

Follow these general steps to scan your code; see subsections for details about specific steps.

  1. Open your project in VS Code.
  2. Scan your code with Code Analyzer using the RetireJS, PMD, and ESLint engines.
  3. Update your code based on the findings.
  4. Rescan your code to ensure you addressed all the issues; iterate as needed.
  5. Scan individual methods within your code with Code Analyzer Graph Engine path-based analysis.
  6. Update your code based on the findings.
  7. Rescan your code with Graph Engine as needed.
  8. If you’re listing a managed package on AppExchange, see Produce Code Analyzer Reports for AppExchange Security Review.

To perform a Code Analyzer scan of selected files or folders, or of a single code file, complete these steps.

  • To scan selected files or folders:

    1. Select a group of files or folders.
    2. Right-click in the VS Code Explorer and then select SFDX: Scan selected files or folders with Code Analyzer.

  • To perform a Code Analyzer scan of a single code file:

    1. Open a code file in the VS Code editor.
    2. From the VS Code Command Palette, select SFDX: Scan current file with Code Analyzer.
    3. Alternatively, right-click in the VS Code editor and select SFDX: Scan current file with Code Analyzer.

The progress bar notifies you that the scan of your current file is active.

[Image: The VS Code progress bar showing a message that Code Analyzer is analyzing targets.]

After your scan is complete, note how many files were scanned and how many violations were produced.

[Image: The VS Code progress bar showing a message that the scan is complete, and 1 file was analyzed and 1 violation was found in one file.]

When your scan is complete, click the scan summary in the progress bar (1). You see a scrollable list of violations that Code Analyzer found (2).

[Image: Sample Salesforce Code Analyzer scan results.]

Each violation message states the severity and the details of the violation, using the pattern SevX: [Violation message]. For example:

Sev3. Validate CRUD permission before SOQL/DML operation or enforce user mode. (PMD via Code Analyzer)

To address the violations found and rescan your code:

  1. Scroll through the results that Code Analyzer found.
  2. Update your code directly in VS Code.
  3. When your edits are complete, rescan your code, using your preferred method.

To perform a Graph Engine path-based analysis on a single method, complete these steps.

  1. Open a file in the VS Code Editor.
  2. Right-click on the method that you want to scan.
  3. Select SFDX: Scan selected method with Graph Engine path-based analysis.

The progress bar notifies you that the scan of your current file is active.

[Image: The VS Code progress bar displaying a Running Graph Engine analysis notification.]

When your scan is complete, a new tab opens with an HTML display of the violations found.

[Image: A sample Salesforce Graph Engine pop-up window with an HTML list of violations found.]

Each violation message states the severity and the details of the violation.

Examples:

To address the violations found and to rescan your code, complete these steps.

  1. On the VS Code tab with your Graph Engine results, review the violations that Graph Engine found.
  2. On the VS Code tab with your code file open, update your code.
  3. When your edits are complete, rescan your code.

Here are a few tips that can help you as you scan your code.

After you scan your code with Code Analyzer, there can be situations where you want to suppress a PMD violation that was identified. You can suppress violations on a line of code or the entire class.

To use a quick fix to suppress a PMD violation, complete these steps.

  1. Hover over the identified problem.
  2. In the window that opens, click Quick Fix.
  3. Click Suppress violations on this line or Suppress violations on this class as needed.
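The CRUD violation quoted earlier ("Validate CRUD permission before SOQL/DML operation or enforce user mode") and the suppression quick fix, as an added Apex example that is not code from this page or from Salesforce: the flagged pattern, the two remediations the message names, and a suppression scoped to one rule on one method. Class, method and custom-object names are hypothetical.

```apex
// Added example, not code from the Salesforce documentation page. Class, method
// and custom-object names (Audit_Log__c) are hypothetical.
public with sharing class ContactExportService {
    public class InsufficientAccessException extends Exception {}

    // BEFORE: Code Analyzer reports the PMD rule ApexCRUDViolation ("Sev3. Validate
    // CRUD permission before SOQL/DML operation or enforce user mode"): the query
    // and update run in system mode, ignoring the running user's Contact access.
    public static List<Contact> flaggedExport(Id accountId) {
        List<Contact> contacts = [SELECT Id, Email FROM Contact
                                  WHERE AccountId = :accountId];
        for (Contact c : contacts) { c.Description = 'Exported'; }
        update contacts;
        return contacts;
    }

    // AFTER, option 1: enforce user mode, so the platform applies the running
    // user's object, field-level and sharing permissions to both operations.
    public static List<Contact> userModeExport(Id accountId) {
        List<Contact> contacts = [SELECT Id, Email FROM Contact
                                  WHERE AccountId = :accountId
                                  WITH USER_MODE];
        for (Contact c : contacts) { c.Description = 'Exported'; }
        Database.update(contacts, AccessLevel.USER_MODE);
        return contacts;
    }

    // AFTER, option 2: explicit CRUD and FLS checks before the query and the DML.
    public static List<Contact> checkedExport(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.Email.isAccessible()
                || !Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Description.isUpdateable()) {
            throw new InsufficientAccessException('Insufficient access to Contact');
        }
        List<Contact> contacts = [SELECT Id, Email FROM Contact
                                  WHERE AccountId = :accountId];
        for (Contact c : contacts) { c.Description = 'Exported'; }
        update contacts;
        return contacts;
    }

    // Suppress only where system-mode access is intentional, and prefer naming
    // the single rule on the single method over suppressing the whole class.
    @SuppressWarnings('PMD.ApexCRUDViolation')
    public static void writeAuditRow(String message) {
        // Intentional: audit rows are written regardless of the caller's object access.
        insert new Audit_Log__c(Message__c = message);
    }
}
```

After suppressing, rescan the file: the other PMD rules still report on the suppressed method, and the suppression comment records the justification for reviewers.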

After you've run a scan, you sometimes want to clear the violations that appear in your file and start again. No problem! Simply right-click in the VS Code editor while viewing the file and select SFDX: Clear Code Analyzer violations from current file. You can also select the command from the Explorer view and clear violations in multiple selected files or a folder.

Depending on the size of your Apex class, a Graph Engine analysis can take a long time. To cancel a running Salesforce Graph Engine analysis without waiting for it to finish, complete these steps:

  1. Click the Running Graph Engine analysis message in the VS Code progress bar:

    [Image: The VS Code progress bar displaying a Running Graph Engine analysis notification.]

  2. Click Cancel in the notification that pops up.

    [Image: VS Code notification for Graph Engine analysis showing the Cancel button.]

As with most VS Code extensions, you can customize how Code Analyzer works by updating the associated settings. Examples of these settings include:

  • Specify the engines you want to use in your code scans.
  • Configure Code Analyzer to automatically scan your code when you open or save a file.
  • Replace the default PMD configuration file with your own custom file; be sure you specify the absolute path to the file.
  • Suppress warning violations in the Salesforce Graph Engine.
  • Specify the category of rules to run.
  • Normalize the severity across all engines.

The names of Code Analyzer settings all start with Code Analyzer >. Here's how to find them:

  1. Open the VS Code Settings tab (Code > Settings > Settings).
  2. Enter Code Analyzer in the search box, and then click Salesforce Code Analyzer under Extensions.
  3. To specify engines for the current project, click the Workspace tab, or click User for all projects.
  4. Update the settings as needed. The setting descriptions provide the default and possible values when appropriate.

If you're an AppExchange partner and plan to list a managed package on AppExchange, the package must undergo and pass security review. Part of the security review process is scanning your code with Code Analyzer and uploading the scan reports.

First run Code Analyzer using the VS Code extension and update your code as needed. Then, to produce the required scan reports for your AppExchange listing, you must run Code Analyzer using the CLI commands, either using VS Code's integrated terminal or in a standalone terminal or command window. Attach your scan reports to your submission in the AppExchange Security Review Wizard. See Scan Your Solution with Salesforce Code Analyzer for details.

ApexGuru uses AI and machine learning to detect and help you fix performance-related problems in your code. ApexGuru's automated code optimization features are directly integrated into the Code Analyzer VS Code extension. See ApexGuru Insights for more information about ApexGuru.

The ApexGuru integration with the Code Analyzer VS Code extension is a pilot service that is subject to the Beta Services Terms at Agreements - Salesforce.com or a written Unified Pilot Agreement if executed by Customer, and applicable terms in the Product Terms Directory. Use of this pilot service is at the Customer's sole discretion.

The feature is available to customers that have Scale Center enabled in their production environments. If you want to nominate yourself to participate in this pilot, follow this link.

To report issues with Code Analyzer, create a bug on GitHub. To suggest a feature enhancement, create a request on GitHub.