The Model Context Protocol (MCP) lets users interact with a system, such as Salesforce, using an LLM and natural language instead of an API or CLI command. MCP servers provide the LLM with tools, prompts, and resources that the LLM can use to perform specific tasks. Salesforce provides multiple ways to use MCP; see MCP Solutions for Developers for details.

Salesforce Code Analyzer includes MCP tools in the Salesforce DX MCP Server to scan your code. See Code Analyzer MCP Tools Reference for details.

The Code Analyzer MCP tools offer a vibey alternative to the CLI commands or the VS Code extension. However, because MCP tools are invoked by LLMs, and LLM resources incur financial and ecological costs, we recommend using the excellent CLI commands or VS Code extension unless you specifically require an LLM.

How you access the tools depends on the MCP client you use:

  • If you use the Agentforce Vibes Extension, then you already have access to the Code Analyzer MCP tools. This is because Agentforce Vibes is pre-configured with the Salesforce DX MCP Server.
  • If you use a different MCP Client, such as Cursor or Windsurf, then you must install and configure the Salesforce DX MCP Server. See the Install and Configure the Salesforce DX MCP Server (Beta) section in the Salesforce DX Dev Guide for complete details and examples.

After you have a basic Salesforce DX MCP Server working, you might need to update its configuration to ensure access to the Code Analyzer MCP tools. In particular:

  • You can also optionally restrict the MCP tools in the DX MCP server to only those in the Code Analyzer toolset (code-analysis).
  • Most Salesforce Code Analyzer MCP tools are generally available. To use tools that aren’t yet generally available, set the --allow-non-ga-tools flag.

This Agentforce Vibes example shows an updated args option in the a4d_mcp_settings.json file:

This example shows how to configure a VS Code with Copilot MCP client:

Code Analyzer doesn't typically require a Salesforce org. However, because the --orgs flag is required by the Salesforce DX MCP Server, you must still set it in your configuration. You don't get an error when the MCP server starts, even if you haven't set a default org in your local project.
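The configuration points above can be checked mechanically before an MCP client config is committed. This added example (not Salesforce code) audits the args array of a DX MCP Server entry; the `--toolsets` flag and the `@salesforce/mcp` package name come from the Salesforce DX MCP Server documentation rather than this page, and both sample arrays are constructed.

```javascript
// Constructed samples: the "args" array of an MCP server entry in a client config.
const SAMPLE_BROAD = ['-y', '@salesforce/mcp', '--toolsets', 'orgs,code-analysis', '--allow-non-ga-tools'];
const SAMPLE_RESTRICTED = ['-y', '@salesforce/mcp', '--orgs', 'DEFAULT_TARGET_ORG', '--toolsets', 'code-analysis'];

// Read a flag's value, accepting both "--flag value" and "--flag=value".
function flagValue(args, flag) {
  for (let i = 0; i < args.length; i++) {
    if (args[i] === flag) return args[i + 1] ?? '';
    if (args[i].startsWith(flag + '=')) return args[i].slice(flag.length + 1);
  }
  return undefined; // flag not present
}

// Review check for teams that want only the Code Analyzer tools exposed to the LLM.
function auditServerArgs(args) {
  const findings = [];
  if (flagValue(args, '--orgs') === undefined) {
    findings.push('missing --orgs (required by the DX MCP Server)');
  }
  const raw = flagValue(args, '--toolsets');
  const toolsets = raw === undefined ? [] : raw.split(',').map((s) => s.trim()).filter(Boolean);
  const extra = toolsets.filter((t) => t !== 'code-analysis');
  if (toolsets.length === 0) {
    findings.push('--toolsets not set: tools are not restricted to code-analysis');
  } else if (extra.length > 0) {
    findings.push(`toolsets beyond code-analysis enabled: ${extra.join(', ')}`);
  }
  if (args.includes('--allow-non-ga-tools')) {
    findings.push('non-GA tools enabled (--allow-non-ga-tools)');
  }
  return findings;
}
```

An empty result means the entry sets `--orgs`, exposes only the code-analysis toolset, and leaves non-GA tools off.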

In your MCP client, open an agentic chat window where you can enter prompts. The exact steps depend on your MCP client. For example, if you're using Agentforce, see Build with Agentforce.

Here are some sample prompts to get you started.

  • Run a code analysis on the GeocodingService.cls file, use its absolute path, and tell me about the violations.
  • Tell me more about the AvoidTermsWithImplicitBias violation.
  • Show me the top two high-severity violations from the last run.
  • List all available Code Analyzer rules for typescript language.
  • List all available Code Analyzer rules for PMD security violations.

Note that you never call a specific MCP tool directly; rather, you use natural language to tell the LLM what you want to accomplish, and the LLM then figures out which MCP tools to call to complete the task.

After you approve the tasks that the MCP client wants to execute, Code Analyzer displays the results of your prompt in the chat window. If you ran a code analysis and got a list of violations, see Interpret the Run Results.

Be aware of these limitations when your prompt invokes the run_code_analyzer MCP tool:

  • The tool can handle a maximum of 10 files in a single execution. If a prompt results in a list of over 10 files, the tool rejects it and returns an error.
  • The tool includes only these engines in its analysis: pmd, cpd, eslint, retire-js, and regex.

Code Analyzer provides these MCP tools in the code-analysis toolset.

Description: Performs a static analysis of your code using Salesforce Code Analyzer. It validates that the code conforms to best practices, checks for security vulnerabilities, and identifies possible performance issues. Equivalent to the code-analyzer run CLI command.

Toolset: code-analysis

Release Status: GA

Input Properties:

| Property | Description | Example |
| --- | --- | --- |
| target (required) | Specify the files to analyze in an array containing up to 10 file paths. Paths must be absolute. You can’t use relative paths. Each path must point to an existing file, not a directory. | "target": ["/Users/project/MyClass.cls", "/Users/project/Helper.cls"] |
| workingDirectory (required) | Specify the absolute path to the project’s root directory. Code Analyzer searches the root directory for either the code-analyzer.yml or code-analyzer.yaml configuration file. If a configuration file is found, its settings, such as custom rules, severities, and ignore patterns, are applied. If a configuration file isn’t found, the default configuration is used. | "workingDirectory": "/Users/project" |
| selector (optional) | Use selector to specify which rules to execute. You can define rules by name, engine, tag, severity level, or a combination of these. If you don’t specify rules, the default is recommended. | "selector": "WhileLoopsMustUseBraces"; "selector": "Security"; "selector": "Critical"; "selector": "Security:pmd"; "selector": "pmd"; "selector": "(Security,Performance):eslint". Supported engines: pmd, eslint, retire-js, cpd, regex. Unsupported engines: sfge, flow. |
| configPath (optional) | Specify a custom location or name for the configuration file. You must use an absolute path. It overrides any configuration files in the working directory. | "configPath": "/Users/project/custom-config.yml" |
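The run_code_analyzer limits and input properties described above can be checked before a request reaches the tool, so an oversized or malformed file list fails locally instead of as a tool error. This is an added example, not Salesforce code; `validateRunInput`, `batchTargets`, and the temporary demo workspace are hypothetical names and constructed data.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const MAX_TARGETS = 10;                        // per-execution file limit stated above
const UNSUPPORTED_ENGINES = ['sfge', 'flow'];  // engines the MCP tool does not run

// Returns a list of problems; an empty list means the documented constraints hold.
function validateRunInput(input) {
  const problems = [];
  const targets = Array.isArray(input.target) ? input.target : [];
  if (targets.length === 0) problems.push('target: required, non-empty array');
  if (targets.length > MAX_TARGETS) problems.push(`target: ${targets.length} files exceeds the limit of ${MAX_TARGETS}`);
  for (const t of targets) {
    if (typeof t !== 'string' || !path.isAbsolute(t)) { problems.push(`target: not an absolute path: ${t}`); continue; }
    const st = fs.statSync(t, { throwIfNoEntry: false });
    if (!st) problems.push(`target: does not exist: ${t}`);
    else if (!st.isFile()) problems.push(`target: not a file: ${t}`);
  }
  for (const key of ['workingDirectory', 'configPath']) {
    const v = input[key];
    if (v === undefined && key === 'configPath') continue;   // configPath is optional
    if (typeof v !== 'string' || !path.isAbsolute(v)) problems.push(`${key}: must be an absolute path`);
  }
  // Selector parts are joined with ':' and grouped as (a,b); flag any part naming an unsupported engine.
  const parts = String(input.selector ?? '').toLowerCase().split(/[:(),]/).map((s) => s.trim());
  for (const e of UNSUPPORTED_ENGINES)
    if (parts.includes(e)) problems.push(`selector: engine not supported by the MCP tool: ${e}`);
  return problems;
}

// Split a longer file list into batches of at most MAX_TARGETS files.
function batchTargets(files, size = MAX_TARGETS) {
  const batches = [];
  for (let i = 0; i < files.length; i += size) batches.push(files.slice(i, i + size));
  return batches;
}

// Constructed demo: a temporary workspace holding 12 empty .cls files.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ca-demo-'));
  const files = Array.from({ length: 12 }, (_, i) => path.join(dir, `Class${i}.cls`));
  files.forEach((f) => fs.writeFileSync(f, ''));
  const tooMany = validateRunInput({ target: files, workingDirectory: dir });
  const batches = batchTargets(files);
  const perBatch = batches.map((b) => validateRunInput({ target: b, workingDirectory: dir, selector: 'Security:pmd' }));
  const bad = validateRunInput({ target: ['Class0.cls', dir], workingDirectory: 'project', selector: '(Security,Performance):sfge' });
  fs.rmSync(dir, { recursive: true, force: true });
  return { tooMany, batchSizes: batches.map((b) => b.length), perBatch, bad };
}
```

In the demo, the 12-file list is rejected as a whole, the two batches of 10 and 2 files pass, and the last input fails on a relative path, a directory target, a relative workingDirectory, and the sfge engine.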

Description: Displays the available Code Analyzer rules. The LLM identifies the available rules and requests the checks listed in the rule selector. Equivalent to the code-analyzer rules --rule-selector <selector> CLI command.

Toolset: code-analysis

Release Status: GA

Input Properties:

| Property | Description | Example |
| --- | --- | --- |
| selector (required) | Specify which rules to list by engine, tag, severity level, or any combination of these. Tag and severity values are case-insensitive. | "selector": "Recommended"; "selector": "Performance:pmd:Critical"; "selector": "pmd:(Performance,Security):2"; "selector": "(Apex,JavaScript):Recommended"; "selector": "Security:High" |
| allowFullList (optional) | Returns all the rules when selector = "All". Use only when needed. The default is false. | "allowFullList": true |
| ruleName (required) | Specify the name of the rule. | "ruleName": "WhileLoopsMustUseBraces" |
| engineName (required) | Specify the engine that the rule belongs to. | "engineName": "pmd" |

Description: Retrieves analysis results using the output file from a previous run. The LLM paginates through results or filters by criteria, such as file name or severity level.

Toolset: code-analysis

Release Status: GA

Input Properties:

| Property | Description | Example |
| --- | --- | --- |
| resultsFile (required) | Specify the path to the results JSON file. | "resultsFile": "/tmp/results.json" |
| selector (required) | Specify the filtering criteria using selector syntax. | "selector": "Security:pmd"; "selector": "Critical"; "selector": "(Security,Performance):eslint"; "selector": "rule=MyRuleName"; "selector": "file=src/app" |
| topN (optional) | Specify the maximum number of results to return, up to 1000. The default is 10. | "topN": 5 |
| allowLargeResultSet (optional) | Required when topN is greater than 10. | "allowLargeResultSet": true |
| sortBy (optional) | Specify the field to use to sort the values: severity, rule, engine, file, or none. | "sortBy": "severity" |
| sortDirection (optional) | Specify the sort direction: asc (ascending) or desc (descending). | "sortDirection": "desc" |

Description: Creates a PMD rule using the MCP client. Use the MCP tools get_ast_nodes_to_generate_xpath and create_custom_rule to generate custom PMD rules for Apex and Visualforce code in MCP clients such as Agentforce Vibes. See Create a Custom PMD Rule Using MCP Tools for more information.

Toolset: code-analysis

Release Status: Non GA

Input Properties:

| Property | Description | Example |
| --- | --- | --- |
| xpath (required for PMD) | Specify the XPath expression to use to define the violation pattern. | "xpath": "//MethodDeclaration[@Name='test']" |
| ruleName (required) | Specify the name of the rule. | "ruleName": "NoSystemDebug" |
| description (required) | Describe the rule and its purpose. | "description": "Prevent System.debug in prod" |
| language (required) | Specify the programming language associated with the rule or analysis. | "language": "apex" |
| engine (required) | Specify the analysis engine to use to evaluate the rule or perform the analysis. | "engine": "pmd" |
| priority (required) | Specify the rule’s severity level, ranging from 1 (highest) to 5 (lowest). | "priority": 2 |
| workingDirectory (required) | Specify the path to the workspace directory. | "workingDirectory": "/Users/project" |

Description: Extracts the AST (abstract syntax tree) nodes specific to a prompt in the MCP client. See How to use non GA MCP tools for more information.

Toolset: code-analysis

Release Status: Non GA

Input Properties:

| Property | Description | Example |
| --- | --- | --- |
| sampleCode (required) | Specify the code snippet that triggers a violation of the rule. | "sampleCode": "public class Test { void m(){System.debug();}}" |
| language (required) | Specify the programming language to use for the code snippet or analysis. | "language": "apex" |
| engine (required) | Specify the analysis engine to use to evaluate the code or enforce the rule. | "engine": "pmd" |
