Salesforce Graph Engine Rules

Salesforce Graph Engine includes path-based and data-flow analysis rules.

RuleTypeCategoryStatusDescription
ApexFlsViolationRulePath-based analysisSecurityGenerally Available (GA)Detects Create, Read, Update, and Delete (CRUD) and Field-Level Security violations.
ApexNullPointerExceptionRulePath-based analysisError-ProneGAIdentifies Apex operations that dereference null objects and throw NullPointerExceptions.
AvoidDatabaseOperationInLoopPath-based analysisPerformanceGADetects database operations in loops that degrade performance.
AvoidMultipleMassSchemaLookupsPath-based analysisPerformanceGADetects scenarios where expensive schema lookups are made more than one time in a path.
PerformNullCheckOnSoqlVariablesPath-based analysisPerformanceGAIdentifies SOQL queries with variables in WHERE clauses that lack null checks.
RemoveUnusedMethodPath-based analysisPerformancePilotDetects methods contained in your code that aren’t invoked from any entry points that Graph Engine recognizes.
UnimplementedTypeRuleGraph-based analysisPerformanceGADetects abstract classes and interfaces that are non-global and missing implementations or extensions.
UseWithSharingOnDatabaseOperationPath-based analysisSecurityGADetects database operations outside with-sharing-annotated classes.

Run all Graph Engine rules against your code, or run a subset of rules by type or by category.

To run the path-based rules, run scanner run dfa --projectdir MyDirectory. For example:

sf scanner run dfa --projectdir /project/dir --target /project/dir/target1

To run graph-based analysis rules, run scanner run --engine sfge --projectdir MyDirectory. For example:

sf scanner run --engine sfge --projectdir /project/dir --target /project/dir/target1

To run a specific category of rules, include the category. For example:

sf scanner run dfa --category "Security" --projectdir /project/dir --target /project/dir/target

To run each Graph Engine pilot rule, include the --with-pilot flag in your request.

To run all Graph Engine rules and all pilot rules, run: sf scanner run dfa --with-pilot --engine sfge --projectdir MyDirectory. For example:

sf scanner run dfa --with-pilot --engine sfge --projectdir /project/dir --target /project/dir/target1

To run a specific category of rules including the pilot rules in that category, include the category and the --with-pilot flag. For example:

sf scanner run dfa --category “Performance” --with-pilot --engine sfge --projectdir /project/dir --target /project/dir/target1

We’re working on adding more rules. In the meantime, give us your feedback.