Salesforce Code Analyzer v5 (Beta)

Version 5 of Code Analyzer maintains its essential mandate: ensuring that your code adheres to best practices, allowing you to identify problems earlier in the development process. Code Analyzer continues to bring together multiple code scanners under a single, unified experience.

Code Analyzer v5 is a pilot or beta service that is subject to the Beta Services Terms at Agreements - Salesforce.com or a written Unified Pilot Agreement if executed by Customer, and applicable terms in the Product Terms Directory. Use of this pilot or beta service is at the Customer's sole discretion.

We’ve rearchitected the product to make it even easier for you to use. We’ve also made it progressively more powerful, helping new users get started while providing advanced customization capabilities for more experienced users. This Beta release gives you a taste of the changes.

Version 5 introduces a new Salesforce CLI plugin, @salesforce/plugin-code-analyzer, which brings a set of new CLI commands in the code-analyzer topic. These commands provide the same functionality as before, such as listing available rules and running them on your code base, but we've made them more intuitive and more powerful. Unlike v4, the new CLI has a single, versatile run command with a rule selection mechanism that lets you choose exactly which rules run, down to a single rule if that is all you want.

Configuring Code Analyzer v5 is now more straightforward and flexible than ever. We’ve provided a default configuration that works well for most users without requiring any customizations. However, if you want to modify existing rule properties, add new rules, customize engine behavior, or adjust other aspects of Code Analyzer, you can create a custom configuration file. This configuration file, code-analyzer.yml, is a single YAML-based file that’s easy to update. You can store it within your Salesforce project workspace, making it simple to apply in continuous integration and continuous delivery (CI/CD) pipelines. We're particularly proud of the new ability to assign individual tags to each rule, which makes it much easier to select exactly the rules that meet your needs.

We also introduced two new engines:

  • The Regex engine allows you to run and create simple regular expression-based rules inside of your Code Analyzer configuration file.
  • The Flowtest engine audits Salesforce Flows and reports detailed information about security issues.

The output has dramatically improved with Code Analyzer v5. The terminal now displays more responsive real-time progress updates. You can write results to multiple output formats (csv, xml, json, and html), and we improved each of these formats. Our new HTML report lets you navigate violations more easily with search, grouping, and more.

Finally, in v5 you now execute the AppExchange Security rules using syntax similar to any other rule: by running code-analyzer run --rule-selector AppExchange. In v4 we provided a separate pmd-appexchange engine.
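To make the ideas described above concrete (rules that carry severities and tags, a regex rule applied only to files with given extensions, a selector that picks rules by name, tag or severity, and results emitted in more than one format), here is an added Python illustration. It is not code from the Code Analyzer plugin and does not reproduce the plugin's behavior: the rule dictionary shape, the rule names, the sample Apex files and the selector semantics (a selector matches a rule by name, tag or severity number, and "a:b" requires both parts to match) are all constructed for this example and are not the real code-analyzer.yml schema or the CLI's exact --rule-selector grammar.

```python
import csv
import io
import json
import os
import re
from typing import Dict, List

# Constructed rule set for this example. The dictionary shape is the example's
# own invention and is NOT the real code-analyzer.yml schema.
RULES: Dict[str, dict] = {
    "NoTodoComments": {
        "regex": r"//[ \t]*TODO\b",
        "file_extensions": [".cls", ".trigger"],
        "severity": 4,
        "tags": ["TechDebt"],
        "message": "TODO comment left in Apex source.",
    },
    "NoSystemDebug": {
        "regex": r"\bSystem\.debug\s*\(",
        "file_extensions": [".cls", ".trigger"],
        "severity": 3,
        "tags": ["Recommended", "Performance"],
        "message": "System.debug() call left in code.",
    },
    "HardcodedPassword": {
        "regex": r"(?i)password\s*=\s*'[^']+'",
        "file_extensions": [".cls"],
        "severity": 1,
        "tags": ["Recommended", "Security"],
        "message": "Possible hardcoded password literal.",
    },
}

# Constructed workspace: path -> file content, standing in for files on disk.
WORKSPACE: Dict[str, str] = {
    "force-app/main/default/classes/AccountService.cls": (
        "public with sharing class AccountService {\n"
        "    // TODO remove before release\n"
        "    public void run() {\n"
        "        System.debug('running');\n"
        "    }\n"
        "}\n"
    ),
    "force-app/main/default/classes/LegacyAuth.cls": (
        "public class LegacyAuth {\n"
        "    String password = 'hunter2';\n"
        "}\n"
    ),
    "force-app/main/default/triggers/AccountTrigger.trigger": (
        "trigger AccountTrigger on Account (before insert) {\n"
        "    System.debug('fired'); // TODO bulkify\n"
        "}\n"
    ),
    # Not an Apex file extension, so no rule above applies to it.
    "README.md": "// TODO not Apex, so nothing should fire here\n",
}


def select_rules(rules: Dict[str, dict], selectors: List[str]) -> Dict[str, dict]:
    """Return the rules matched by any selector (OR across selectors).
    A selector part matches a rule by name, by tag or by severity number;
    parts joined with ':' must all match (this example's own simplification)."""
    def part_matches(name: str, rule: dict, part: str) -> bool:
        p = part.lower()
        return (p == name.lower()
                or p in (t.lower() for t in rule["tags"])
                or p == str(rule["severity"]))

    selected: Dict[str, dict] = {}
    for name, rule in rules.items():
        if any(all(part_matches(name, rule, part) for part in sel.split(":"))
               for sel in selectors):
            selected[name] = rule
    return selected


def scan(workspace: Dict[str, str], rules: Dict[str, dict]) -> List[dict]:
    """Apply each regex rule to files whose extension it lists; report one
    violation per match with a 1-based line and column, highest severity first."""
    violations: List[dict] = []
    for path, content in workspace.items():
        ext = os.path.splitext(path)[1]
        for name, rule in rules.items():
            if ext not in rule["file_extensions"]:
                continue
            pattern = re.compile(rule["regex"])
            for lineno, line in enumerate(content.splitlines(), start=1):
                for match in pattern.finditer(line):
                    violations.append({
                        "rule": name, "severity": rule["severity"], "tags": rule["tags"],
                        "file": path, "line": lineno, "column": match.start() + 1,
                        "message": rule["message"],
                    })
    violations.sort(key=lambda v: (v["severity"], v["file"], v["line"], v["column"]))
    return violations


def to_json(violations: List[dict]) -> str:
    return json.dumps({"violations": violations}, indent=2)


def to_csv(violations: List[dict]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["rule", "severity", "file", "line", "column", "message"])
    for v in violations:
        writer.writerow([v["rule"], v["severity"], v["file"], v["line"], v["column"], v["message"]])
    return buf.getvalue()


if __name__ == "__main__":
    # Equivalent in spirit to selecting the "Security" and "TechDebt" tags.
    chosen = select_rules(RULES, ["Security", "TechDebt"])
    print(to_json(scan(WORKSPACE, chosen)))
    print(to_csv(scan(WORKSPACE, chosen)))
```

The point to take from the illustration is how tags decouple "which rules run" from "which engine owns the rule": a selector such as "Recommended:Security" narrows to rules carrying both tags without the caller naming any rule or engine, which is what makes a shared code-analyzer.yml practical for a CI pipeline.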

This Beta release of Code Analyzer v5 comes pre-bundled with these engines: