Salesforce Code Analyzer
Learn about Code Analyzer and its key components.
Code Analyzer is a powerful tool designed to help Salesforce Platform developers maintain high standards of code quality and efficiency. It automatically scans and evaluates Apex, Visualforce, Flows, and Lightning components, providing real-time feedback and suggestions for improvement. With this tool you can catch potential issues early in the development process, such as security vulnerabilities, performance bottlenecks, and violations of coding best practices. By addressing these issues proactively, you ensure that your Salesforce applications are robust, secure, and performant, ultimately leading to a better user experience and more reliable systems.
- Engines: Engines are the underlying modules of Code Analyzer that execute the rules. Code Analyzer brings together different code-scanning engines, such as PMD, RetireJS, and ESLint, under a single, unified experience. Each engine is responsible for a particular type of analysis, such as:
- Static Code Analysis: Examine code without executing it to identify potential issues.
- Security Scans: Detect security vulnerabilities and ensure compliance with security standards.
- Performance Profiling: Scan for performance anti-patterns using static analysis. See Engines for the full list of supported engines.
- Rules: Rules encapsulate the specific guidelines and standards used to evaluate code. Code Analyzer comes with over 500 built-in rules that you can start using right away. Each rule is associated with a specific engine and is assigned default tags and a default severity, which you use to select a specific rule, or set of rules, to run. You can customize a rule's default tags and severity. Rules cover a wide range of aspects, including:
- Coding Conventions: Ensure that your code adheres to best practices and style guidelines.
- Security Best Practices: Identify and mitigate security vulnerabilities, such as unsecured SOQL queries and insecure data handling.
- Performance Optimizations: Detect and address performance bottlenecks and inefficiencies.
To view details about all the rules that are pre-bundled with Code Analyzer, run this CLI command after you've installed Salesforce CLI and the Code Analyzer plugin:
To view summary information about the rules for a specific engine, specify it with the --rule-selector flag. This example lists the rules for eslint:
You can integrate Code Analyzer into various development environments and workflows, which makes it versatile and convenient for developers. Here are the main integration options:
- Salesforce CLI Commands: You can run Code Analyzer CLI commands from a terminal or command line, which allows you to integrate it into your build and deployment processes. This option is particularly useful for automating code quality checks and ensuring that code meets the required standards before you commit or deploy it.
- VS Code: The Visual Studio Code Extension for Code Analyzer provides real-time feedback directly within VS Code. This integration allows you to see issues and suggestions as you write code, making it easier to address problems immediately and maintain high code quality. Additionally, Agentforce for Developers is seamlessly integrated with Code Analyzer, so you can easily fix code using Quick Fix suggestions.
- GitHub Actions: We provide a GitHub Action that you can integrate into your own GitHub workflow to enable continuous integration and deployment (CI/CD) pipelines to automatically run code quality checks. The Code Analyzer GitHub Action scans your code for violations, uploads the results as an artifact, and displays the results as a job summary.
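As an added example (not the Salesforce-provided GitHub Action and not from the Code Analyzer documentation), this workflow wires the CLI integration and rule selection described above into a pull-request gate: it installs the v5 plugin, prints the rules that the Security tag selects, fails the job on Critical or High findings, and keeps the HTML and JSON reports as an artifact. The workflow name, Node version, report file names and artifact name are assumptions; the sf commands and flags are the v5 rules and run commands.

```yaml
# Added example: a CI gate built on the Code Analyzer v5 CLI.
# Workflow name, file names and artifact name are assumed values.
name: code-analyzer-security-scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install Salesforce CLI and the Code Analyzer plugin
        run: |
          npm install -g @salesforce/cli
          sf plugins install code-analyzer
      # Log the selected rule set so reviewers can see exactly what was enforced.
      - name: Show the rules selected by the Security tag
        run: sf code-analyzer rules --rule-selector Security
      # --severity-threshold 2 makes the command exit non-zero on Critical (1) or
      # High (2) violations; lower-severity findings still land in the reports.
      # The format of each --output-file is inferred from its extension.
      - name: Run Code Analyzer with the Security rules
        run: |
          sf code-analyzer run \
            --workspace . \
            --rule-selector Security \
            --severity-threshold 2 \
            --output-file results.html \
            --output-file results.json
      # Upload reports even when the scan step failed, so findings can be triaged.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: code-analyzer-results
          path: |
            results.html
            results.json
```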
While the default configuration of Code Analyzer is designed to be sufficient for most users, advanced users can customize it to better fit their specific needs. Customization is achieved through a YAML configuration file, typically called code-analyzer.yml. Some examples of how you can customize your configuration include:
- Add Custom Rules: Define and implement custom rules to address specific coding standards or organizational requirements.
- Customize Engine Behavior: Adjust the behavior of the engines to fine-tune the analysis process. For example, you can configure the severity levels of existing and custom rules, or exclude specific files or directories from the analysis.
One of the key benefits of Code Analyzer is its ability to help developers pass the AppExchange Security Review. The AppExchange Security Review is a rigorous process that ensures all managed packages listed on the AppExchange meet Salesforce's security and quality standards. By using Code Analyzer, developers can streamline the security review process, reduce the likelihood of rejections, and ensure that their managed packages are secure and performant.
Did you previously use Code Analyzer v4? Then read on to discover the differences between v4 and v5.
As of August 2025, Code Analyzer v4 is retired and we no longer support it.
Code Analyzer v5 introduces a new Salesforce CLI plugin, @salesforce/plugin-code-analyzer, which brings a set of new CLI commands in the code-analyzer topic. These commands provide the same functionality as before, such as listing available rules and running them on your code base. However, we've improved the overall experience, making the commands more intuitive and powerful. Unlike v4, the new CLI now features a single, versatile run command with a powerful rule selection mechanism that allows you to precisely choose the exact set of rules you want to run. You can even run a single rule if you want.
Configuring Code Analyzer v5 is now more straightforward and flexible than ever. We've provided a default configuration that works well for most users without requiring any customizations. However, if you want to modify existing rule properties, add new rules, customize engine behavior, or adjust other aspects of Code Analyzer, you can create a custom configuration file. This configuration file, code-analyzer.yml, is a single YAML-based file that's easy to update. You can store it within your Salesforce project workspace, making it simple to apply in continuous integration and continuous delivery (CI/CD) pipelines. We're particularly proud of the new feature that allows you to assign individual tags to each rule. This feature allows you to more easily select the rules that meet your specific needs.
We also introduced two new engines:
- The Regex engine allows you to run and create simple regular expression-based rules inside of your Code Analyzer configuration file.
- The Flow Scanner engine audits Salesforce Flows and reports detailed information about security issues.
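The following code-analyzer.yml is an added example, not the default file that Code Analyzer generates, illustrating both the customizations listed earlier (changing a built-in rule's severity and tags) and the new Regex engine: it promotes the PMD ApexSOQLInjection rule to Critical, gives it a custom tag, and adds a regex rule that reports Apex classes declared without sharing so each one gets a review. The ReleaseGate tag and the ExplicitWithoutSharing rule are invented for this example, and the key layout is assumed from the v5 configuration schema; compare it with the output of sf code-analyzer config before relying on it.

```yaml
# Added example of a custom code-analyzer.yml (not the generated default).
# Key layout assumed from the v5 schema; ReleaseGate and ExplicitWithoutSharing
# are names invented for this example.
rules:
  pmd:
    # Built-in PMD Apex rule. Raising it to Critical makes a CI run with
    # --severity-threshold 1 fail on it, and the custom tag lets
    # `--rule-selector ReleaseGate` run just the rules tagged here.
    ApexSOQLInjection:
      severity: "Critical"
      tags: ["Recommended", "Security", "ReleaseGate"]
engines:
  regex:
    custom_rules:
      # Reports every class that explicitly opts out of record-level sharing, so
      # the reason is documented in review. It complements PMD's
      # ApexSharingViolations, which reports classes that omit a sharing
      # declaration altogether.
      ExplicitWithoutSharing:
        regex: /\bwithout\s+sharing\b/gi
        file_extensions: [".cls", ".trigger"]
        description: "Reports Apex classes declared without sharing."
        violation_message: "Class bypasses sharing rules; document why record-level access must be ignored here, or use with sharing / inherited sharing."
        severity: "High"
        tags: ["Security", "ReleaseGate"]
```

Place the file in the project root (or pass it with --config-file) and run sf code-analyzer run --rule-selector ReleaseGate to execute only the two rules above.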
The output has dramatically improved with Code Analyzer v5. The terminal now displays more responsive real-time progress updates. You can now write results to multiple output types, and we improved the format of these outputs, including csv, xml, json, and html. Our new HTML report allows you to navigate violations more easily with search, grouping, and more.
Finally, in v5 you now execute the AppExchange Security rules using syntax similar to any other rule: by running code-analyzer run --rule-selector AppExchange. In v4 we provided a separate pmd-appexchange engine.
Read the migration guide for detailed information about migrating ESLint and PMD custom configurations and examples of how the CLI commands changed between v4 and v5.