Salesforce Code Scanner – Health Check

As a Salesforce Developer, have you ever worried about the code in your Salesforce org and wanted to check if:

  • the code you have written, or the existing code you inherited, is in line with best practices?
  • you have followed the coding guidelines suggested by Salesforce?
  • there are any loopholes in the code that could cause severe security issues?
  • the quality of the code is really good?
  • the Visualforce pages and Apex code are secure?
  • there are any design issues in the code?

If you said Yes to any of the questions above, read on.

There is an easy way to find out, and more than that: there is a tool that can scan through all of the code in your entire Salesforce org, analyze every single line of it, and give you a consolidated list of the security issues in your code. Exciting, isn't it? The tool is Security Source Scanner. It is built by Salesforce Trust in partnership with CheckMarx, and it gives developers on the platform information about the security of their code through static analysis.

How it works: You provide the username of a user in the Salesforce org to be scanned (sandbox or production) and choose the kind of scan you want: "Security Profile", "Quality Profile", or "Security and Quality Profile" (both together). The difference between the two profiles is explained below. On submission your code is queued and scanned. A notification of successful job creation, and later the final PDF report, are sent to the email address of the user whose username you submitted. The PDF does not just list the flaws: for each flagged block of code it explains what the issue is and suggests the best way to fix it. Keep in mind that this is static analysis of the source: treat each finding as a candidate to confirm in context, and do not expect it to catch problems that live in org configuration (sharing settings, profiles, permission sets) rather than in code.

Requirements to use the scanner:

  • The company organization being scanned must
    • contain less than 2 million lines of code (excluding static resources and packages which are not scanned)
    • have metadata API enabled
    • not use IP access controls that prevent access from Salesforce IP ranges.
  • The username submitted must correspond to a user that
    • has “Author Apex” permission
    • has an email address that the submitter can access
  • Only unpackaged code is scanned. Source code within managed or unmanaged packages is not scanned to avoid inadvertently scanning code unrelated to your application.

Scan Type:  As mentioned earlier, there are 2 kinds of scans you can choose:

1. Security Profile

The scanner detects the following security vulnerability types:

  • Cross Site Scripting (reflected, stored, and DOM based)
  • SOQL/SOSL Injection
  • Access Control Issues (Sharing, FLS)
  • Cross site request forgery attacks
  • Arbitrary Redirects
  • Overly permissive postMessage targets
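To make the first, third and fifth items concrete, here is an added example (it is not code from the original post, nor from the scanner or Salesforce): a small Apex controller in which each finding the Security Profile would report is paired with a hardened version. The class, method and parameter names are hypothetical; the standard Account fields and the platform APIs used (bind variables, String.escapeSingleQuotes, Schema describe, ApexPages, PageReference) are real.

```apex
// Added example, not code from the original post or from the scanner.
// Three Security Profile finding types (SOQL injection, missing FLS check,
// arbitrary redirect), each vulnerable method next to a hardened one.
// Class, method and parameter names are hypothetical.
public with sharing class AccountSearchController {

    public class AccessDeniedException extends Exception {}

    // SOQL injection, vulnerable: the search term is concatenated into the
    // query text, so input such as  x%' OR Name != 'x  rewrites the WHERE clause.
    public static List<Account> searchUnsafe(String term) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }

    // SOQL injection, hardened: a bind variable keeps the input as data,
    // never as query syntax.
    public static List<Account> searchSafe(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // If the query text really must be assembled dynamically, escape the
    // quote characters so the input cannot close the string literal.
    // (LIKE wildcards % and _ are still interpreted; strip them if unwanted.)
    public static List<Account> searchDynamicSafe(String term) {
        String safeTerm = String.escapeSingleQuotes(term);
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safeTerm + '%\'';
        return Database.query(q);
    }

    // FLS, vulnerable: 'with sharing' enforces record-level sharing only;
    // the running user's field permission on AnnualRevenue is never checked,
    // so the controller can leak a field the user's profile hides.
    public static Decimal revenueUnsafe(Id accountId) {
        Account a = [SELECT AnnualRevenue FROM Account WHERE Id = :accountId LIMIT 1];
        return a.AnnualRevenue;
    }

    // FLS, hardened: check field accessibility for the running user first.
    public static Decimal revenueSafe(Id accountId) {
        if (!Schema.sObjectType.Account.fields.AnnualRevenue.isAccessible()) {
            throw new AccessDeniedException('No read access to Account.AnnualRevenue');
        }
        Account a = [SELECT AnnualRevenue FROM Account WHERE Id = :accountId LIMIT 1];
        return a.AnnualRevenue;
    }

    // Arbitrary redirect, vulnerable: a request parameter becomes the redirect
    // target, so ?retURL=https://attacker.example sends the user off-platform
    // from a trusted salesforce.com URL.
    public PageReference redirectUnsafe() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        return new PageReference(target);
    }

    // Arbitrary redirect, hardened: accept only a relative path inside the org
    // (exactly one leading slash; '//host' would be protocol-relative) and
    // fall back to a fixed page otherwise.
    public PageReference redirectSafe() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        if (String.isBlank(target) || !target.startsWith('/') || target.startsWith('//')) {
            target = '/home/home.jsp';
        }
        return new PageReference(target);
    }
}
```

The cross-site scripting findings are usually on the Visualforce side rather than in Apex: the pattern to look for is output of user-controlled data with escaping turned off, for example `<apex:outputText value="{!term}" escape="false"/>`, or JavaScript that reads a merge field into `innerHTML`. Leaving the default escaping on is the fix in almost every case.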

2. Quality Profile

The Security Source Scanner will detect the following common Apex coding and design issues:

  • DML statements inside loops
  • SOQL/SOSL inside loops
  • Hardcoding Trigger.new[0] (assuming a single-record trigger)
  • Hardcoding Trigger.old[0]
  • Queries with no Where clause or no LIMIT clause
  • Not bulkifying apex methods
  • Async (@future) methods inside loops
  • Hardcoding IDs
  • Multiple triggers on same object
  • Static Resource referencing
  • Multiple Visualforce forms in the same page
  • Test methods without assert
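The quality findings are easiest to recognise side by side. The following is an added example (not code from the original post or from the scanner) showing a service method written the way the Quality Profile flags it, then the bulkified rewrite, then a test class with one method that asserts nothing and one that does. Everything in it is hypothetical: the class and method names, the 'Partner' record type, and the business rule of copying the Account owner onto its Opportunities. In a real org the two classes would live in two separate files.

```apex
// Added example, not code from the original post or from the scanner.
// Hypothetical names throughout; the 'Partner' record type may not exist.
public with sharing class OpportunityOwnerService {

    // Flagged by the Quality Profile: SOQL inside the loop (one query per record,
    // against a limit of 100 per transaction), DML inside the loop (limit 150),
    // and a hardcoded Id that changes between sandbox and production.
    // With 200 Opportunities from a data load this method throws a limit exception.
    public static void assignOwnersUnbulkified(List<Opportunity> opps) {
        for (Opportunity o : opps) {
            Account a = [SELECT OwnerId FROM Account WHERE Id = :o.AccountId]; // SOQL in loop
            o.OwnerId = a.OwnerId;
            if (o.RecordTypeId == '012000000000001AAA') {                    // hardcoded Id
                o.StageName = 'Qualification';
            }
            update o;                                                         // DML in loop
        }
    }

    // Bulkified: collect the keys, run one bounded query, resolve the record
    // type by developer name, and issue one DML statement for the whole list.
    public static void assignOwnersBulkified(List<Opportunity> opps) {
        Set<Id> accountIds = new Set<Id>();
        for (Opportunity o : opps) {
            if (o.AccountId != null) {
                accountIds.add(o.AccountId);
            }
        }
        Map<Id, Account> accounts = new Map<Id, Account>(
            [SELECT Id, OwnerId FROM Account WHERE Id IN :accountIds]);

        Schema.RecordTypeInfo partnerInfo = Schema.SObjectType.Opportunity
            .getRecordTypeInfosByDeveloperName().get('Partner');
        Id partnerRt = (partnerInfo == null) ? null : partnerInfo.getRecordTypeId();

        List<Opportunity> toUpdate = new List<Opportunity>();
        for (Opportunity o : opps) {
            Account a = accounts.get(o.AccountId);
            if (a != null) {
                o.OwnerId = a.OwnerId;
            }
            if (partnerRt != null && o.RecordTypeId == partnerRt) {
                o.StageName = 'Qualification';
            }
            toUpdate.add(o);
        }
        update toUpdate;
    }
}

@IsTest
private class OpportunityOwnerServiceTest {

    // Flagged: "test method without assert". It earns coverage but a regression
    // in the owner assignment would never fail this test.
    @IsTest static void assignOwners_noAssert() {
        Account acc = new Account(Name = 'Acme');
        insert acc;
        Opportunity opp = new Opportunity(Name = 'Deal', AccountId = acc.Id,
            StageName = 'Prospecting', CloseDate = Date.today().addDays(30));
        insert opp;
        OpportunityOwnerService.assignOwnersBulkified(new List<Opportunity>{ opp });
    }

    // Checks the outcome, and with 200 records also proves the bulk path stays
    // inside governor limits (the unbulkified version would fail here).
    @IsTest static void assignOwners_bulkWithAssert() {
        Account acc = new Account(Name = 'Acme');
        insert acc;
        List<Opportunity> opps = new List<Opportunity>();
        for (Integer i = 0; i < 200; i++) {
            opps.add(new Opportunity(Name = 'Deal ' + i, AccountId = acc.Id,
                StageName = 'Prospecting', CloseDate = Date.today().addDays(30)));
        }
        insert opps;

        Test.startTest();
        OpportunityOwnerService.assignOwnersBulkified(opps);
        Test.stopTest();

        Id expectedOwner = [SELECT OwnerId FROM Account WHERE Id = :acc.Id].OwnerId;
        for (Opportunity o : [SELECT OwnerId FROM Opportunity WHERE Id IN :opps]) {
            System.assertEquals(expectedOwner, o.OwnerId, 'Owner was not copied from Account');
        }
    }
}
```

The same reasoning applies to the trigger-specific findings in the list: code that reads `Trigger.new[0]` or `Trigger.old[0]` silently ignores every record after the first in a bulk operation, and the fix is the same loop-over-the-collection shape shown in the bulkified method.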

Go try this with your Salesforce org.  You can start here and refer to the FAQs here.

Good luck!


6 Replies to “Salesforce Code Scanner – Health Check”

  1. Hmm it seems like your blog ate my first comment (it was super long) so I guess I’ll just sum it up what I submitted and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to everything. Do you have any recommendations for rookie blog writers? I’d certainly appreciate it.

