sf scanner run dfa
Scans the codebase with all DFA rules by default. Specify the format of the output and print the results directly or as the contents of a file that you provide with the --outfile flag.
The scanner run dfa command runs for a longer time than scanner run, and it requires a target code context path. If your codebase is complex, increase the Java heap space to avoid OutOfMemory errors. See Understand LimitReached Errors.
Modify SFGE_RULE_THREAD_TIMEOUT to adjust how long DFA-based rules execute before timing out (default: 900,000 ms or 15 minutes). Use this control when you want Graph Engine to run longer and analyze more complex code. The equivalent flag on the scanner run dfa command is --rule-thread-timeout.
These examples follow Graph Engine syntax.
- The paths for all files in --projectdir are specified through --target.
- Globs, when in use, are wrapped in quotes.
./myproject/main/default/classes/*.cls,./dir1/file1.cls,./dir2/file2.cls: Example source code locations.
./myproject/,./dir1/,./dir2/: The root project directories.
These two examples evaluate rules against all .cls files below the current directory, except for IgnoreMe.cls.
{./**/*.cls,!./**/IgnoreMe.cls}: The source code location (the same glob is used in both examples).
This example targets individual methods within a file. It uses a suffix of the file's path plus a hash (#) and a semicolon-delimited list of method names. This syntax is incompatible with globs and directories. This example evaluates rules against all methods named Method1 or Method2 in File1.cls, and all methods named Method3 in File2.cls.
./File1.cls#Method1;Method2,./File2.cls#Method3: The source code location.
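The method-level target syntax above is easy to get wrong by hand, so here is an added example (not from the Code Analyzer docs) that builds a --target value from file and method names. The glob/directory check is this script's own reading of "incompatible with globs and directories", not a check the sf CLI performs.

```shell
#!/bin/sh
# Added example, not from the Code Analyzer docs: assemble a --target value in
# the documented "FILE#Method1;Method2,FILE2#Method3" syntax. The rejection of
# globs and directories below is this script's own validation (assumption).

# method_target FILE METHOD... -> prints "FILE#METHOD1;METHOD2"
method_target() {
  file=$1; shift
  case "$file" in
    *\**|*\?*|*\[*|*\{*|*/)
      echo "method_target: '$file' is a glob or directory; #-syntax needs a single file" >&2
      return 1 ;;
  esac
  if [ $# -eq 0 ]; then
    echo "method_target: at least one method name is required" >&2
    return 1
  fi
  methods=$(printf '%s;' "$@")          # "Method1;Method2;"
  printf '%s#%s\n' "$file" "${methods%;}" # strip the trailing semicolon
}

# join_targets ENTRY... -> prints the comma-separated TARGET_LIST
join_targets() {
  list=$(printf '%s,' "$@")
  printf '%s\n' "${list%,}"
}

# Reproduces the documented example: Method1 and Method2 in File1.cls plus
# Method3 in File2.cls. No globs are used here; when they are, the docs
# require wrapping them in quotes so the shell does not expand them.
target=$(join_targets \
  "$(method_target ./File1.cls Method1 Method2)" \
  "$(method_target ./File2.cls Method3)")
echo "sf scanner run dfa --projectdir . --target '$target'"
```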
This example uses --normalize-severity to output a normalized severity across all engines in addition to the engine-specific severity. Values are 1 (high), 2 (moderate), and 3 (low).
/some-project/: The source code location.
csv: The results output format.
This example uses --severity-threshold to return a non-zero exit code when rule violations of a specific normalized severity or greater are found. When there are rule violations with moderate (2) or high (1) severity, the exit code equals the severity of the most severe violation.
/some-project/: The source code location.
2: A severity value. Possible values are 1 (high), 2 (moderate), and 3 (low).
This example uses --rule-thread-count so more or fewer entry points can be evaluated concurrently.
6: The number of rule evaluation threads.
This example uses --rule-thread-timeout to increase or decrease the maximum runtime for a single entry point evaluation. You can increase the timeout from 15 minutes (default) up to 150 minutes.
9000000: A time limit in milliseconds for evaluating a single entry point.
This example uses --sfgejvmargs to pass JVM args that override system defaults while executing the Graph Engine rules. It overrides the system's default heap space allocation to 2 GB and decreases the likelihood of encountering an OutOfMemory error.
-Xmx2g: The Java Virtual Machine arguments.
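The --severity-threshold, --rule-thread-timeout and --sfgejvmargs examples above are typically combined into one CI gate. The following is an added example (not from the Code Analyzer docs) that does so; SF_CMD is this script's own hook for substituting the command in a test, and treating exit codes other than 0 to 3 as a scanner failure rather than a clean scan is this script's assumption.

```shell
#!/bin/sh
# Added example, not from the Code Analyzer docs: a CI gate around
# "sf scanner run dfa" using the documented flags. SF_CMD (assumption) lets a
# test or wrapper substitute the command; mapping any exit code other than
# 0..3 to a scanner failure (for example an OutOfMemory crash) is this
# script's own assumption, not documented CLI behaviour.
: "${SF_CMD:=sf}"

# dfa_gate PROJECT_DIR TARGET_LIST THRESHOLD OUTFILE
# Exit status: 0 when no violation reaches THRESHOLD, 1/2/3 (the severity of
# the most severe violation, as documented), or 10 when the scanner itself
# failed, so that a crash is never mistaken for a clean scan.
dfa_gate() {
  project=$1 target=$2 threshold=$3 outfile=$4
  rc=0
  "$SF_CMD" scanner run dfa \
    --projectdir "$project" \
    --target "$target" \
    --format csv --outfile "$outfile" \
    --normalize-severity \
    --severity-threshold "$threshold" \
    --rule-thread-timeout 9000000 \
    --sfgejvmargs="-Xmx2g" || rc=$?
  case "$rc" in
    0) echo "dfa_gate: no violations at normalized severity $threshold or higher" ;;
    1) echo "dfa_gate: high-severity violations found, see $outfile" ;;
    2) echo "dfa_gate: moderate-severity violations found, see $outfile" ;;
    3) echo "dfa_gate: low-severity violations found, see $outfile" ;;
    *) echo "dfa_gate: scanner failed with exit $rc; check heap and timeout settings" >&2
       return 10 ;;
  esac
  return "$rc"
}

# Typical use: fail the pipeline on moderate (2) or high (1) violations.
# dfa_gate /some-project/ '{./**/*.cls,!./**/IgnoreMe.cls}' 2 dfa-results.csv
```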
sf scanner run dfa [-c CATEGORY_LIST] [-f FORMAT] [-o OUTFILE] [-p PROJECTDIR_LIST] [-s SEVERITY-THRESHOLD] [-t TARGET_LIST] [--json] [--normalize-severity] [--pathexplimit PATHEXPLIMIT] [--rule-disable-warning-violation] [--rule-thread-count RULE-THREAD-COUNT] [--rule-thread-timeout RULE-THREAD-TIMEOUT] [--sfgejvmargs SFGEJVMARGS] [--verbose] [--with-pilot]
-c | --category CATEGORY_LIST
Optional
One or more categories of rules to run. Specify multiple values as a comma-separated list.
Type: option
-f | --format FORMAT
Optional
Specifies the output format for results written directly to the console.
Type: option
Possible Values: csv | html | json | junit | sarif | table | xml
-o | --outfile OUTFILE
Optional
Writes output to a file.
Type: option
-p | --projectdir PROJECTDIR_LIST
Optional
Provides the relative or absolute root project directories used to set the context for Graph Engine's analysis. Specify multiple values as a comma-separated list. Each project directory must be a path, not a glob. If --projectdir isn’t specified, a default value is calculated. The default value is a directory that contains all the target files.
Type: option
-s | --severity-threshold SEVERITY-THRESHOLD
Optional
Throws an error when violations are found with equal or greater severity than the provided value. Values are 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. Using this flag also invokes the --normalize-severity flag.
Type: option
-t | --target TARGET_LIST
Optional
Specifies the source code location. Use glob patterns or specify individual methods with #-syntax. Multiple values are specified as a comma-separated list. Default is ".".
Type: option
--json
Optional
Format output as JSON.
Type: boolean
--normalize-severity
Optional
Returns normalized severity 1 (high), 2 (moderate), and 3 (low), and the engine-specific severity. For the html option, the normalized severity is displayed instead of the engine severity.
Type: boolean
--pathexplimit PATHEXPLIMIT
Optional
Specifies a path expansion upper boundary to limit the complexity of code Graph Engine analyzes before failing fast. Set the value to -1 to remove any upper boundary. --pathexplimit inherits value from SFGE_PATH_EXPANSION_LIMIT env-var, if set. Its default value is derived from JVM heap space allocation.
Type: option
--rule-disable-warning-violation
Optional
Disables warning violations, such as those on StripInaccessible READ access, to get only high-severity violations (default: false). Inherits value from SFGE_RULE_DISABLE_WARNING_VIOLATION env-var if set.
Type: boolean
--rule-thread-count RULE-THREAD-COUNT
Optional
Specifies the number of rule-evaluation threads or how many entry points can be evaluated concurrently. Inherits its value from the SFGE_RULE_THREAD_COUNT environment variable, if set. The default is 4.
Type: option
--rule-thread-timeout RULE-THREAD-TIMEOUT
Optional
Specifies the time limit for evaluating a single entry point in milliseconds. Inherits its value from the SFGE_RULE_THREAD_TIMEOUT environment variable, if set. The default is 900,000 ms or 15 minutes.
Type: option
--sfgejvmargs SFGEJVMARGS
Optional
Specifies Java Virtual Machine arguments to override system defaults while executing Salesforce Graph Engine. For multiple arguments, add them to the same string separated by space.
Type: option
--verbose
Optional
Emit additional command output to stdout.
Type: boolean
--with-pilot
Optional
Allows pilot rules to execute.
Type: boolean
Salesforce Graph Engine has these environment variable-based controls.
Set SFGE_JVM_ARGS to work around Understand LimitReached Errors and other JVM issues while executing the scanner run dfa command. Refer to the JVM documentation for more info. The equivalent flag on the scanner run dfa command is --sfgejvmargs.
Set SFGE_RULE_DISABLE_WARNING_VIOLATION to true to suppress warning violations, such as those related to StripInaccessible READ access (default: false). The equivalent flag on the scanner run dfa command is --rule-disable-warning-violation.
Modify SFGE_RULE_THREAD_COUNT to adjust the number of threads that each execute DFA-based rules (default: 4). The equivalent flag on the scanner run dfa command is --rule-thread-count.
Modify SFGE_RULE_THREAD_TIMEOUT to adjust how long DFA-based rules execute before timing out (default: 900,000 ms or 15 minutes). Use this control when you want Graph Engine to run longer and analyze more complex code. The equivalent flag on the scanner run dfa command is --rule-thread-timeout.