Salesforce Graph Engine

Salesforce Graph Engine is an open-source Salesforce tool that performs complex analysis on Apex code and identifies security vulnerabilities and code issues. Graph Engine also performs more complex checks than an average static-analysis tool because Graph Engine uses data-flow analysis.

Graph Engine is available as an open pilot through Salesforce Code Analyzer v3.x and v4.x (beta). Try it and give us your feedback.

If your code includes Apex that uses API version 60 or later, you must run Code Analyzer v4.x (beta).

The scanner run dfa command invokes the data-flow-based rules in Graph Engine. See scanner run dfa in the command reference.

Graph Engine supports multiple rules. Read our Rules documentation for full details.

Data-flow analysis is a multi-step process.


Steps run by SFGE


  • The Apex Jorje compiler analyzes your code and returns a parse tree.
  • Graph Engine translates the parse tree into vertices and adds them to the Apache TinkerPop graph database.
  • Graph Engine builds code paths starting from each identified entry point.
  • Graph Engine walks each code path and applies the selected rules at every vertex along with contextual data. The rule evaluates this information and, if applicable, creates violations.

After Graph Engine completes walking the paths, it returns all issues collected as rule violations.

Rules register interest in specific types of vertices. For example, a Create, Read, Update, Delete, and Field-Level Security (CRUD/FLS) rule expresses interest in all vertices that perform Data Manipulation Language (DML) operations.