sf scanner run

Scans a codebase with a selection of rules. You can scan the codebase with all the rules in the registry, or use parameters to filter the rules based on rulename, category, or ruleset. You can specify the format of the output, such as XML or JUnit. You can print the output to the console (default) or to a file using the --outfile parameter.

To run Salesforce Graph Engine, you must run a separate command: scanner run dfa. Learn more in Introduction to Salesforce Graph Engine.

Review these examples for some ideas on how to run Code Analyzer to its full potential.

This example evaluates all rules against somefile.js. When you invoke Code Analyzer without specifying any rules, it runs all rules.

  • xml: The output format.
  • somefile.js: The source code location.

This example evaluates all rules in the Design and Best Practices categories. When you specify multiple categories or rulesets, the results are combined with a logical OR.

  • xml: The output format.
  • somefile.js: The source code location.
  • Design,Best Practices: The categories of rules to run.

These examples evaluate rules against all .js files in the current directory, except for IgnoreMe.js. Wrap globs in quotes.

  • ./**/*.js,!./**/IgnoreMe.js: The source code location.

This example scans the project contained in /my-project if the current working directory is another directory. Specify tsconfig.json if the current working directory doesn't contain the tsconfig.json that corresponds to the TypeScript files being scanned.

  • /my-home-directory: The source code location.
  • /my-project/tsconfig.json: The tsconfig file location.

This example evaluates rules against somefile.js, including Jasmine in the environment variables. Use --env to override the default ESLint environment variables and add frameworks.

  • somefile.js: The source code location.
  • {"jasmine": true}: An ESLint environment variable used to override the default.

This example evaluates rules against somefile.js using eslint-lwc and pmd engines. Use --engine to include or exclude engines. Any engine listed runs, regardless of its current disabled attribute.

  • somefile.js: The source code location.
  • eslint-lwc,pmd: The engine or engines to run.

In this example, ESLint and RetireJS run even if they’re disabled, and no other engine runs. Use --engine to include or exclude engines. Regardless of their current disabled attribute, any specified engine runs, and all others won't.

Use --engine to invoke engines that aren't enabled by default.

  • somedirectory: The source code location.
  • eslint,retire-js: The engine or engines to run.

This example executes the CPD engine against known file extensions in /some/dir. CPD helps detect blocks of duplicated code in the selected languages.

  • /some/dir: The source code location.
  • cpd: The engine or engines to run.

This example executes rules defined in pmd_rule_ref.xml against the files in src. To use PMD with your own rule reference file, use --pmdconfig. Rule filters aren't applied.

  • src: The source code location.
  • pmd_rule_ref.xml: The location of the PMD rule reference XML file.

This example uses a custom config to scan the files in src. To use ESLint with your own .eslintrc.json file, use --eslintconfig. Make sure that the directory you run the command from has all the NPM dependencies installed.

  • src: The source code location.
  • /home/my/setup/.eslintrc.json: The location of the ESLintrc config.

This example uses --normalize-severity to output normalized severity and engine-specific severity across all engines. Normalized severity is: 1 (high), 2 (moderate), and 3 (low).

  • /some-project/: The source code location.
  • csv: The output format.

This example uses --severity-threshold to throw a non-zero exit code when rule violations of normalized severity 2 or greater are found. If any violations with the specified severity (or greater) are found, the exit code equals the severity of the most severe violation.

  • /some-project/: The source code location.
  • 2: A severity value. Possible values are: 1 (high), 2 (moderate), and 3 (low).
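The --normalize-severity and --severity-threshold behaviour described above can be reproduced over the command's JSON report, for example in a CI gate that runs after the scan. This is an added example, not Salesforce's own code; it assumes `sf scanner run --format json --normalize-severity` emits an array of per-file objects with "engine", "fileName" and a "violations" list whose entries carry "normalizedSeverity" (1 high, 2 moderate, 3 low), and the sample report is constructed.

```python
"""Mirror the --severity-threshold gate over Code Analyzer JSON output.

Added example; not Salesforce's own code. The JSON layout is an assumption:
`sf scanner run --format json --normalize-severity` is taken to emit an array
of per-file objects with "engine", "fileName" and a "violations" list whose
entries carry "normalizedSeverity" (1 high, 2 moderate, 3 low).
"""
import json
import sys

# Constructed sample report; rule names, paths and messages are illustrative only.
SAMPLE_OUTPUT = json.dumps([
    {"engine": "pmd", "fileName": "src/Foo.cls", "violations": [
        {"line": 12, "ruleName": "ApexSOQLInjection", "category": "Security",
         "severity": 1, "normalizedSeverity": 1, "message": "untrusted input in SOQL"},
        {"line": 40, "ruleName": "ExcessiveClassLength", "category": "Design",
         "severity": 3, "normalizedSeverity": 3, "message": "class is too long"}]},
    {"engine": "retire-js", "fileName": "static/lib.js", "violations": [
        {"line": 1, "ruleName": "insecure-bundled-dependencies",
         "category": "Insecure Dependencies", "severity": 2,
         "normalizedSeverity": 2, "message": "bundled library has known CVEs"}]},
])


def flatten(report):
    """Yield one flat record per violation, tagged with its engine and file."""
    for entry in report:
        for v in entry.get("violations", []):
            yield {"engine": entry["engine"], "file": entry["fileName"], **v}


def count_by_severity(report_json):
    """Number of violations per normalized severity across all engines."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in flatten(json.loads(report_json)):
        counts[v["normalizedSeverity"]] += 1
    return counts


def gate_exit_code(report_json, threshold):
    """Return 0 when no violation is at or above `threshold`; otherwise the
    normalized severity of the worst violation found (1 is most severe), which
    is the value --severity-threshold uses as the process exit code."""
    if threshold not in (1, 2, 3):
        raise ValueError("threshold must be 1 (high), 2 (moderate) or 3 (low)")
    hits = [v for v in flatten(json.loads(report_json))
            if v["normalizedSeverity"] <= threshold]
    return min(v["normalizedSeverity"] for v in hits) if hits else 0


if __name__ == "__main__":
    # Pipe a real report in (sf scanner run ... --format json | python gate.py 2),
    # or run without stdin to exercise the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(gate_exit_code(data, int(sys.argv[1]) if len(sys.argv) > 1 else 2))
```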

sf scanner run
   [-c CATEGORY_LIST]
   [-e ENGINE_LIST]
   [-f FORMAT]
   [-o OUTFILE]
   [-p PROJECTDIR_LIST]
   [-s SEVERITY-THRESHOLD]
   [-t TARGET_LIST]
   [--eslintconfig ESLINTCONFIG]
   [--json]
   [--normalize-severity]
   [--pmdconfig PMDCONFIG]
   [--tsconfig TSCONFIG]
   [--verbose-violations]
   [--verbose]

This parameter is available in Code Analyzer v 3.x (generally available).

   [--preview-pmd7]

-c | --category CATEGORY_LIST

Optional

One or more categories of rules to run. Specify multiple values as a comma-separated list.

Type: option

-e | --engine ENGINE_LIST

Optional

Specifies one or more engines to run. Submit multiple values as a comma-separated list.

Type: option

Possible Values: eslint | eslint-lwc | eslint-typescript | pmd | pmd-appexchange | retire-js | sfge | cpd

-f | --format FORMAT

Optional

Specifies the output format for results written directly to the console.

Type: option

Possible Values: csv | html | json | junit | sarif | table | xml

-o | --outfile OUTFILE

Optional

Writes output to a file.

Type: option

-p | --projectdir PROJECTDIR_LIST

Optional

Provides the relative or absolute root project directories used to set the context for Graph Engine's analysis. Specify multiple values as a comma-separated list. Each project directory must be a path, not a glob. If --projectdir isn’t specified, a default value is calculated. The default value is a directory that contains all the target files.

Type: option

-s | --severity-threshold SEVERITY-THRESHOLD

Optional

Throws an error when violations are found with severity equal to or greater than the provided value. Values are 1 (high), 2 (moderate), and 3 (low). The exit code is the normalized severity of the most severe violation found. Using this flag also invokes the --normalize-severity flag.

Type: option

-t | --target TARGET_LIST

Optional

Specifies the source code location. Can use glob patterns. Specify multiple values as a comma-separated list. Default is ".".

Type: option

--eslintconfig ESLINTCONFIG

Optional

Specifies the location of the eslintrc config file used to customize the ESLint engine. The --tsconfig flag can’t be used with the --eslintconfig flag.

Type: option

--json

Optional

Format output as JSON.

Type: boolean

--normalize-severity

Optional

Returns normalized severity 1 (high), 2 (moderate), and 3 (low), and the engine-specific severity. For the html option, the normalized severity is displayed instead of the engine severity.

Type: boolean

--pmdconfig PMDCONFIG

Optional

Specifies the location of the PMD rule reference XML file to customize rule selection.

Type: option

--tsconfig TSCONFIG

Optional

The location of the tsconfig.json file used by the eslint-typescript engine. The --tsconfig flag can’t be used with the --eslintconfig flag.

Type: option

--verbose-violations

Optional

Returns retire-js violation-message details about each vulnerability, including a summary, Common Vulnerabilities and Exposures (CVE) identifiers, and URLs.

Type: boolean

--verbose

Optional

Emits additional command output to stdout.

Type: boolean

[DEPRECATED] --env ENV

Optional

Deprecated. Overrides ESLint's default environment variables, given as a JSON-formatted string.

Type: option

[DEPRECATED] -r | --ruleset RULESET_LIST

Optional

Deprecated. Use category instead. One or more rulesets to run. Specify multiple values as a comma-separated list.

Type: option

This flag is available in Code Analyzer v 3.x (generally available).

--preview-pmd7

Optional

Uses PMD version 7.0.0-rc4 instead of 6.55.0 when running PMD and CPD engines.

Type: boolean