Salesforce Code Analyzer (Beta) Visual Studio Code Extension

The Salesforce Code Analyzer (beta) Visual Studio (VS) Code Extension integrates many of Code Analyzer’s most useful features into VS Code, so you can run them easily with clicks instead of with terminal commands.

If you plan to list a managed package on AppExchange, the package must undergo and pass security review. You’re also required to upload your Salesforce Code Analyzer scan reports. Run Code Analyzer via the VS Code extension and update your code. Next, to produce the required scan reports for your AppExchange listing, you must run Code Analyzer via the command line either within VS Code or as standalone. Attach your scan reports to your submission in the AppExchange Security Review Wizard. See Scan Your Solution with Salesforce Code Analyzer.

This feature is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service is subject to the applicable Beta Services Terms provided at Agreements and Terms.

Use Code Analyzer (beta) to scan multiple languages. You can also enable these languages in Code Analyzer (beta) settings:

  • Java
  • XML code

To install Code Analyzer (beta), complete these steps.

  1. Install Salesforce CLI.
  2. In your terminal, run sf plugins install @salesforce/sfdx-scanner@latest-beta. Make sure that you're running Code Analyzer version v4.x (beta).
  3. Install the Code Analyzer (beta) VS Code extension.

To report issues with Code Analyzer (beta), create a bug on GitHub. To suggest a feature enhancement, create a request on GitHub.

To launch Code Analyzer (beta) and scan your code, complete these steps.

  1. Open your project in VS Code.
  2. Scan your code with Code Analyzer (beta).
  3. Update your code based on the findings.
  4. Rescan your code.
  5. Scan individual methods within your code with Code Analyzer Graph Engine path-based analysis.
  6. Rescan your code with Graph Engine.
  7. If you’re listing a managed package on AppExchange, follow the instructions in Scan Your Solution with Code Analyzer to produce the required scan reports.

To perform a Code Analyzer (beta) scan of selected files or folders, complete these steps.

  • To scan selected files or folders:

    1. Select a group of files or folders.
    2. Right-click in the VS Code Explorer and then select SF: Scan selected files or folders with Code Analyzer.
  • To perform a Code Analyzer (beta) scan of a single code file:

    1. Open a code file in the VS Code editor.
    2. From the VS Code Command Palette, select SF: Scan current file with Code Analyzer.
    3. Alternatively, right-click in the VS Code editor and select SF: Scan current file with Code Analyzer.

The progress bar notifies you that the scan of your current file is active.

The VS Code progress bar showing a message that Code Analyzer is analyzing targets.

After your scan is complete, note how many files were scanned and how many violations were produced.

The VS Code progress bar showing a message that the scan is complete, and 1 file was analyzed and 1 violation was found in one file.

To scan your code in VS Code automatically when you open or save a file, activate these flags.

  • analyzeOnSave: Automatically scan the current file on save
  • analyzeOnOpen: Automatically scan the current file on open

To activate the settings, complete these steps in VS Code.

  1. To open Settings, press Ctrl+, (Windows) or Cmd+, (macOS).
  2. In the Search Settings window, enter analyzeOnSave or analyzeOnOpen.

    • To enable analyzeOnSave, select Scan the current file on save automatically.
    • To enable analyzeOnOpen, select Scan the current file on open automatically.

When your scan is complete, click the scan summary in the progress bar (1). You see a scrollable list of violations that Code Analyzer (beta) found (2).

Sample Salesforce Code Analyzer (beta) scan results

Each violation message indicates the violation severity and details about the violation found, using this pattern: SevX: [Violation message]. For example:

Sev3. Validate CRUD permission before SOQL/DML operation or enforce user mode. (PMD via Code Analyzer)

To address the violations found and rescan your code:

  1. Scroll through the results that Code Analyzer (beta) found.
  2. Update your code directly in VS Code.
  3. When your edits are complete, rescan your code, using your preferred method.

If you’re an AppExchange partner submitting your managed package for security review, you must scan it with Code Analyzer (beta) and provide test results in your solution’s AppExchange Security Review submission. To produce the required reports, follow the instructions in Scan Your Solution with Salesforce Code Analyzer.

After you scan your code with Code Analyzer (beta), there can be situations where you want to suppress a PMD violation that was identified.

To use a quick fix to suppress a PMD violation on a line of code, complete these steps.

  1. Hover over the identified problem.
  2. In the window that opens, click Quick Fix.
  3. Click Suppress violations on this line.
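As an added example, not code from the Salesforce documentation, the Apex class below shows the violation quoted earlier (Sev3, "Validate CRUD permission before SOQL/DML operation or enforce user mode", reported by PMD's ApexCRUDViolation rule), two ways of fixing it so a rescan comes back clean, and what a line-level suppression looks like. The class, method and exception names are constructed, and the suppression marker is assumed to be PMD's standard // NOPMD end-of-line comment.

```apex
// Added example (not from the Salesforce documentation): the same lookup written
// three ways so the violation, its fixes, and a line suppression sit side by side.
// Class, method and exception names are constructed for illustration.
public with sharing class ContactLookupExample {

    // Custom exception used by the explicit-check variant below (constructed name).
    public class AccessDeniedException extends Exception {}

    // BEFORE: PMD reports ApexCRUDViolation on the SOQL line:
    //   Sev3. Validate CRUD permission before SOQL/DML operation or enforce user mode.
    // The query runs in system mode, so a user without Read access on Contact,
    // or without field access to Email, still receives the records.
    public static List<Contact> findByEmailUnchecked(String email) {
        return [SELECT Id, Email FROM Contact WHERE Email = :email];
    }

    // AFTER, option 1: run the query in user mode. The platform then enforces the
    // running user's object, field and sharing access, and the rule is satisfied.
    public static List<Contact> findByEmailUserMode(String email) {
        return [SELECT Id, Email FROM Contact WHERE Email = :email WITH USER_MODE];
    }

    // AFTER, option 2: check object- and field-level read access explicitly before
    // querying. PMD recognises the Schema.sObjectType describe checks as the guard.
    public static List<Contact> findByEmailChecked(String email) {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AccessDeniedException('Read access to Contact.Email is required');
        }
        return [SELECT Id, Email FROM Contact WHERE Email = :email];
    }

    // SUPPRESSION: the "Suppress violations on this line" quick fix adds PMD's
    // line-level marker (assumed here to be // NOPMD) to the reported line.
    // Record the reason next to it so the next reviewer can verify the claim.
    public static Integer countAllContacts() {
        // Aggregate count only; caller has already enforced CRUD on Contact.
        return [SELECT COUNT() FROM Contact]; // NOPMD
    }
}
```

After applying either fix, rescanning the file with SF: Scan current file with Code Analyzer no longer reports the violation on that line; a suppressed line is skipped by PMD but the query still runs in system mode, so the suppression is a statement that the check happens elsewhere, not a fix.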

By default, Code Analyzer (beta) runs all the PMD default rules against your Apex and Visualforce files. However, if you have a custom PMD configuration that better suits your needs, you can substitute your configuration in place of ours.

To use your custom PMD ruleset in Code Analyzer, complete these steps.

  1. In VS Code, click Extensions.
  2. Select Salesforce Code Analyzer (beta).
  3. Click Settings.
  4. Click Extension Settings.
  5. Click the User or Workspace tab (1).

    • To override the configuration on the current project, choose Workspace.
    • To override the configuration in all projects, select User.
  6. In Code Analyzer > PMD > Custom Config File (2), enter the absolute path to your custom PMD configuration. For example: /Users/MyUsername/Code/sfdx-scanner/.

Salesforce Code Analyzer Settings with Code Analyzer > PMD Custom Config File section and a sample file location
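As an added example, not a file from the Salesforce documentation or the Code Analyzer project, the ruleset below is the kind of custom PMD configuration the Custom Config File setting points at. It keeps every Apex and Visualforce security rule, adds two error-prone and best-practice rules, and enables the code-style category minus two naming rules. The rule references are PMD's standard category paths for Apex and Visualforce; the file name and the choice of excluded rules are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Salesforce documentation): custom-pmd-rules.xml.
     Because a custom config replaces the default rules, anything not listed here
     is no longer checked; the security categories are therefore listed first. -->
<ruleset name="Custom Apex security ruleset"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Security-first PMD rules for a managed package (example ruleset)</description>

    <!-- Whole categories: every rule in the category is enabled, including
         ApexCRUDViolation, ApexSOQLInjection and ApexSharingViolations. -->
    <rule ref="category/apex/security.xml" />
    <rule ref="category/vf/security.xml" />

    <!-- Individual rules by name. Raising the priority keeps a finding from being
         filtered out when a scan is run with a severity threshold. -->
    <rule ref="category/apex/errorprone.xml/AvoidHardcodingId">
        <priority>2</priority>
    </rule>
    <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue" />

    <!-- A whole category minus the rules you choose to drop. -->
    <rule ref="category/apex/codestyle.xml">
        <exclude name="FieldNamingConventions" />
        <exclude name="LocalVariableNamingConventions" />
    </rule>
</ruleset>
```

Enter the absolute path of this file in Code Analyzer > PMD > Custom Config File; with the Workspace tab selected, the override applies only to the current project, so a stricter ruleset for a package under security review does not leak into unrelated projects.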

To perform a Graph Engine path-based analysis on a single method, complete these steps.

  1. Open a file in the VS Code Editor.
  2. Right-click on the method that you want to scan.
  3. Select SF: Scan selected method with Graph Engine path-based analysis.

The progress bar notifies you that the scan of your current file is active.

The VS Code progress bar displaying a Running Graph Engine analysis notification.

When your scan is complete, a new tab opens with an HTML display of the violations found.

A sample Salesforce Graph Engine pop-up window with an HTML list of violations found

Each violation message reveals the violation severity and details about the violation.

Examples:

To address the violations found and to rescan your code, complete these steps.

  1. On the VS Code tab with your Graph Engine results, review the violations that Graph Engine found.
  2. On the VS Code tab with your code file open, update your code.
  3. When your edits are complete, rescan your code.