Security Scan Report
This content is for the 1.0 version.
Scanning Tools Used
| Tool | Version | Purpose |
|---|---|---|
| Salesforce Code Analyzer v5 | Latest | Apex/LWC security analysis |
| PMD (incl. AppExchange rules) | v5 | Code quality & security |
| ESLint | v5 | JavaScript/LWC analysis |
| RetireJS | v5 | Vulnerable JS libraries |
| Partner Security Portal (Checkmarx) | Latest | Mandatory source scan |
How to Generate Scan Reports
Prerequisites
```bash
# Install Salesforce CLI
npm install -g @salesforce/cli
# Install Code Analyzer v5 plugin
sf plugins install @salesforce/plugin-code-analyzer
```
Run Full Scan
```bash
# Run all rules with HTML output
sf code-analyzer run --workspace force-app --output-file docs/scan-results.html
# Run AppExchange-specific rules
sf code-analyzer run --rule-selector AppExchange --workspace force-app --output-file docs/scan-appexchange.html
# Run Security-tagged rules only
sf code-analyzer run --rule-selector Security --workspace force-app --output-file docs/scan-security.html
# Fail on High or Critical (CI/CD): Code Analyzer severities run 1 = Critical, 2 = High, 3 = Moderate, 4 = Low, 5 = Info
sf code-analyzer run --rule-selector AppExchange --workspace force-app --severity-threshold 2 --output-file docs/scan-appexchange.html
```
Security Best Practices Implemented
CRUD/FLS Enforcement
- `isCreateable()` check before INSERT
- `isUpdateable()` check before UPDATE
- `isDeletable()` check before DELETE
- Field-level permissions via Permission Sets
SOQL Injection Prevention
- Bind variables used for user input
- `String.escapeSingleQuotes()` for dynamic queries
- Object names derived from Salesforce IDs (not user input)
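The following Apex class is an added illustration of the CRUD/FLS and SOQL-injection practices listed above; it is not code from this package. The class name `TeamMemberService`, the custom object `Object_Team_Member__c` and its fields `Record_Id__c`, `User__c` and `Role__c` are assumptions chosen for the example. It shows an object-level `isCreateable()` check plus per-field checks before an INSERT, a static SOQL query with a bind variable, and a dynamic query whose object name comes from a record Id's `SObjectType` rather than from user input, with `String.escapeSingleQuotes()` applied to the one value that still has to be concatenated.

```apex
// Added example, not the package's own code. Object and field API names
// (Object_Team_Member__c, Record_Id__c, User__c, Role__c) are assumptions.
// Declared "with sharing" so record-level access follows the running user.
public with sharing class TeamMemberService {

    // Object-level and field-level create checks run before any DML.
    // If the running user lacks access, the method throws and nothing is inserted.
    public static Object_Team_Member__c createMember(Id recordId, Id userId, String role) {
        Schema.DescribeSObjectResult objDescribe = Object_Team_Member__c.SObjectType.getDescribe();
        if (!objDescribe.isCreateable()) {
            throw new System.NoAccessException();
        }
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : new List<String>{ 'Record_Id__c', 'User__c', 'Role__c' }) {
            Schema.SObjectField field = fieldMap.get(fieldName);
            if (field == null || !field.getDescribe().isCreateable()) {
                throw new System.NoAccessException();
            }
        }
        Object_Team_Member__c member = new Object_Team_Member__c(
            Record_Id__c = recordId,
            User__c = userId,
            Role__c = role
        );
        insert member;
        return member;
    }

    // Same pattern for DELETE: isDeletable() on the object before the DML.
    public static void removeMember(Id memberId) {
        if (!Object_Team_Member__c.SObjectType.getDescribe().isDeletable()) {
            throw new System.NoAccessException();
        }
        delete new Object_Team_Member__c(Id = memberId);
    }

    // Static SOQL with a bind variable: the caller's value is passed to the
    // query engine as data, so it can never alter the query structure.
    public static List<Object_Team_Member__c> membersForRecord(Id recordId) {
        return [
            SELECT Id, User__c, Role__c
            FROM Object_Team_Member__c
            WHERE Record_Id__c = :recordId
        ];
    }

    // Dynamic SOQL where the object name must vary per record. The object name
    // is derived from the Id's SObjectType (not from user input), the object's
    // read access is checked, and the only user-controlled string that is
    // concatenated into the query text is escaped first.
    public static List<SObject> searchRecordsLike(Id recordId, String nameFilter) {
        Schema.DescribeSObjectResult objDescribe = recordId.getSObjectType().getDescribe();
        if (!objDescribe.isAccessible()) {
            throw new System.NoAccessException();
        }
        String objectName = objDescribe.getName();
        String safeFilter = String.escapeSingleQuotes(nameFilter);
        String query = 'SELECT Id, Name FROM ' + objectName
            + ' WHERE Name LIKE \'%' + safeFilter + '%\'';
        return Database.query(query);
    }
}
```

Where the dynamic query only needs a variable value (not a variable object name), binding the value in the dynamic query string (`WHERE Name LIKE :pattern` with `pattern` in scope) avoids string concatenation entirely; `escapeSingleQuotes()` is the fallback for the cases where concatenation cannot be avoided.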
Sharing Model Compliance
- `with sharing` on main controllers
- `without sharing` only where documented and necessary
- Share records respect OWD settings
LWC Security
- No `eval()` or dynamic script execution
- User input sanitized before display
- No hardcoded credentials
External Integration Security
| Check | Status | Notes |
|---|---|---|
| HTTP Callouts | N/A | Package makes no external calls |
| Named Credentials | N/A | Not used |
| External Objects | N/A | Not used |
| Remote Site Settings | N/A | Not required |
| CSP Violations | Pass | No Content-Security-Policy violations |
Apex Test Coverage
| Class | Coverage | Status |
|---|---|---|
| ObjectTeamMemberController | >75% | Pass |
| TeamMemberWizardController | >75% | Pass |
| ShareRecordQueueable | >75% | Pass |
| SharingRecalculationBatch | >75% | Pass |
| ExpiredTeamMemberCleanupBatch | >75% | Pass |
| ObjectTeamMemberTriggerHandler | >75% | Pass |
| PostInstallHandler | >75% | Pass |
| Overall | >75% | Pass |
How to Run Tests with Coverage
```bash
# Run all tests with coverage
sf apex run test --code-coverage --result-format human --target-org [ORG_ALIAS]
# Run specific test class
sf apex run test --tests ObjectTeamMemberTest --code-coverage --result-format human --target-org [ORG_ALIAS]
```
Scanner Commands Reference (Code Analyzer v5)
```bash
# List available rules
sf code-analyzer rules
# List AppExchange rules only
sf code-analyzer rules --rule-selector AppExchange
# Run with specific rule selector
sf code-analyzer run --rule-selector Security --workspace force-app
# Export to various formats (the output format follows the file extension)
sf code-analyzer run --workspace force-app --output-file results.html
sf code-analyzer run --workspace force-app --output-file results.sarif
```