Use MCP Tools to Analyze Your Code (Developer Preview) | Salesforce Code Analyzer

The Model Context Protocol (MCP) lets users interact with a system, such as Salesforce, using an LLM and natural language instead of an API or CLI command. MCP servers provide the LLM with tools, prompts, and resources that the LLM can use to perform specific tasks. Salesforce provides multiple ways to use MCP; see MCP Solutions for Developers for details.

Code Analyzer provides two MCP tools, released in the Salesforce DX MCP Server, which you can use to scan your code:

run_code_analyzer : Analyze your code to ensure good coding practices. Equivalent to the code-analyzer run CLI command.
describe_code_analyzer_rule : Describe a Code Analyzer rule. Equivalent to the code analyzer rules --rule-selector <rule-name> --view detail CLI command.

The Code Analyzer MCP tools offer a vibey alternative to the CLI commands or the VS Code extension. However, because MCP tools are invoked by LLMs, and LLM resources incur financial and ecological costs, we recommend using the excellent CLI commands or VS Code extension unless you specifically require an LLM.

How you access the tools depends on the MCP client you use:

If you use the Agentforce Vibes Extension, then you already have access to the Code Analyzer MCP tools. This is because Agentforce Vibes is pre-configured with the Salesforce DX MCP Server.
If you use a different MCP Client, such as Cursor or Windsurf, then you must install and configure the Salesforce DX MCP Server. See the Install and Configure the Salesforce DX MCP Server (Beta) section in the Salesforce DX Dev Guide for complete details and examples.

After you have a basic Salesforce DX MCP Server working, you might need to update its configuration to ensure access to the Code Analyzer MCP tools. In particular:

The Code Analyzer MCP tools aren't generally available, so you need to set the --allow-non-ga-tools flag to enable them.
You can also optionally restrict the MCP tools in the DX MCP server to only those in the Code Analyzer toolset (code-analysis).

This Agentforce Vibes example shows an updated args option in the a4d_mcp_settings.json file:

This example shows how to configure a VS Code with Copilot MCP client:

Code Analyzer doesn't typically require a Salesforce org. However, because the --orgs flag is required by the Salesforce DX MCP Server, you must still set it in your configuration. You don't get an error when the MCP server starts, even if you haven't set a default org in your local project.

In your MCP client, open an agentic chat window where you can enter prompts. The exact steps depend on your MCP client. For example, if you're using Agentforce, see Build with Agentforce.

Here are some sample prompts to get you started.

Run a code analysis on the GeocodingService.cls file, use its absolute path, and tell me about the violations.
Tell me more about the AvoidTermsWithImplicitBias violation.

Note that you never call a specific MCP tool directly; rather, you use natural language to tell the LLM what you want to accomplish, and the LLM then figures out which MCP tools to call to complete the task.

After you approve the tasks that the MCP client wants to execute, Code Analyzer displays the results of your prompt in the chat window. If you ran a code analysis and got a list of violations, see Interpret the Run Results.

Be aware of these limitations when your prompt invokes the run_code_analyzer MCP tool:

The tool can handle a maximum of 10 files in a single execution. If a prompt results in a list of over 10 files, the tool rejects it and returns an error.
The tool runs only the rules with the Recommended tag. In other words, there is no equivalent of the --rule-selector CLI flag when running the tool.
The tool includes only these engines in its analysis: pmd, cpd, eslint, retire-js, and regex.

Code Analyzer provides these MCP tools in the code-analysis toolset.

Tool Name	Toolset	GA?	Description
`run_code_analyzer`	`code-analysis`	NON-GA	Performs a static analysis of your code using Salesforce Code Analyzer. Includes validating that the code conforms to best practices, checking for security vulnerabilities, and identifying possible performance issues.
`describe_code_analyzer_rule`	`code-analysis`	NON-GA	Gets the description of a Salesforce Code Analyzer rule, including the engine it belongs to, its severity, and associated tags.

The tools marked NON-GA aren't generally available, and by default they're not visible to the LLM. To use these tools, specify the --allow-non-ga-tools flag when you configure the Salesforce DX MCP Server. See Access the Code Analyzer MCP Tools.