AppExchange Release
Phase 1: Pre-flight (local)
Run these before touching the org. Fix everything that comes up.
1.1 Salesforce Code Analyzer v5 — full scan
```bash
# Install (once)
sf plugins install @salesforce/plugin-code-analyzer

# Run ALL rules (PMD, ESLint, RetireJS, Regex, Flow, CPD)
# Without --rule-selector, only the default "Recommended" rules run.
sf code-analyzer run \
  --rule-selector all \
  --workspace force-app \
  --output-file docs/scan-results.html

# Run AppExchange-specific rules
sf code-analyzer run \
  --rule-selector AppExchange \
  --workspace force-app \
  --output-file docs/scan-appexchange.html

# Run only Security-tagged rules
sf code-analyzer run \
  --rule-selector Security \
  --workspace force-app \
  --output-file docs/scan-security.html

# Severity threshold — fail on High or Critical (CI/CD)
sf code-analyzer run \
  --rule-selector AppExchange \
  --workspace force-app \
  --severity-threshold 2 \
  --output-file docs/scan-appexchange.html
```
Zero tolerance on: Critical (1) and High (2).
Medium (3) and below — document as false positives in docs/FALSE-POSITIVES.md.
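One way to enforce this triage rule in CI, as an added example that is not part of the project's own tooling. It assumes the scan is also written as JSON with a top-level `violations` array (`rule`, `severity`, `locations`, `primaryLocationIndex`), and it assumes a hypothetical convention in which each accepted finding in docs/FALSE-POSITIVES.md names the rule and the file on one line; the report and document contents below are constructed.

```python
import json

BLOCKING_MAX = 2  # Critical (1) and High (2): zero tolerance

# Constructed report; the "violations" layout is an assumption about the JSON output.
SAMPLE_REPORT = json.loads("""
{"violations": [
  {"rule": "ApexCRUDViolation", "severity": 2, "primaryLocationIndex": 0,
   "locations": [{"file": "force-app/main/default/classes/ExampleService.cls"}]},
  {"rule": "ApexDoc", "severity": 4, "primaryLocationIndex": 0,
   "locations": [{"file": "force-app/main/default/classes/ExampleService.cls"}]},
  {"rule": "AvoidGlobalModifier", "severity": 3, "primaryLocationIndex": 1,
   "locations": [{"file": "force-app/main/default/classes/Other.cls"},
                 {"file": "force-app/main/default/classes/ExampleApi.cls"}]}
]}
""")

# Constructed FALSE-POSITIVES.md text: one line per accepted finding (hypothetical convention).
SAMPLE_FALSE_POSITIVES = """\
# False positives
- ApexDoc in force-app/main/default/classes/ExampleService.cls: internal helper only
"""

def primary_file(violation):
    """File of the violation's primary location, tolerating a bad index."""
    locations = violation.get("locations") or [{}]
    index = violation.get("primaryLocationIndex", 0)
    if not 0 <= index < len(locations):
        index = 0
    return locations[index].get("file", "<unknown>")

def triage(report, false_positives_md):
    """Return (blocking, undocumented) lists of (rule, file) pairs."""
    doc_lines = false_positives_md.splitlines()
    blocking, undocumented = [], []
    for violation in report.get("violations", []):
        rule, path = violation["rule"], primary_file(violation)
        if violation["severity"] <= BLOCKING_MAX:
            blocking.append((rule, path))      # must be fixed, never waived
        elif not any(rule in line and path in line for line in doc_lines):
            undocumented.append((rule, path))  # needs an entry before submission
    return blocking, undocumented

if __name__ == "__main__":
    blocking, undocumented = triage(SAMPLE_REPORT, SAMPLE_FALSE_POSITIVES)
    print("fix before release:", blocking)
    print("missing from FALSE-POSITIVES.md:", undocumented)
    raise SystemExit(1 if blocking or undocumented else 0)
```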
1.2 ESLint (LWC)
```bash
npm run lint
```
1.3 LWC Jest tests
```bash
npm run test:unit
```
Phase 2: Org Tests & Coverage
2.1 Run all Apex tests
```bash
sf apex run test \
  --code-coverage \
  --result-format human \
  --wait 10 \
  --target-org FlexiFREE
```
Required: >= 75% overall coverage, every trigger must have coverage.
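A gate for both halves of that requirement, as an added example that is not part of the project: it reads the output of `sf apex run test --code-coverage --result-format json` and checks overall coverage and per-trigger coverage. The `totalLines` and `totalCovered` field names are assumptions about that JSON, the overall figure is computed only from the rows in the report, and the sample data is constructed.

```python
import json
from pathlib import Path

MINIMUM = 75  # percent, from the requirement above

# Constructed sample; totalLines/totalCovered are assumed field names.
SAMPLE_RUN = json.loads("""
{"result": {"coverage": {"coverage": [
  {"name": "ExampleService", "totalLines": 120, "totalCovered": 108, "coveredPercent": 90},
  {"name": "ExampleHelper",  "totalLines": 80,  "totalCovered": 48,  "coveredPercent": 60},
  {"name": "ExampleTrigger", "totalLines": 10,  "totalCovered": 0,   "coveredPercent": 0}
]}}}
""")

def trigger_names(workspace):
    """Trigger names taken from *.trigger files under the workspace directory."""
    return {path.stem for path in Path(workspace).rglob("*.trigger")}

def coverage_gate(run, triggers, minimum=MINIMUM):
    """Check overall coverage and that every named trigger has covered lines."""
    rows = {row["name"]: row for row in run["result"]["coverage"]["coverage"]}
    total = sum(row["totalLines"] for row in rows.values())
    covered = sum(row["totalCovered"] for row in rows.values())
    overall = round(100.0 * covered / total, 1) if total else 0.0
    # A trigger that is absent from the report is treated as uncovered.
    bare = sorted(t for t in triggers
                  if rows.get(t, {}).get("totalCovered", 0) == 0)
    return {
        "overall": overall,
        "overall_ok": overall >= minimum,
        "uncovered_triggers": bare,
        "passed": overall >= minimum and not bare,
    }

if __name__ == "__main__":
    # In CI: run = json.load(sys.stdin); triggers = trigger_names("force-app")
    result = coverage_gate(SAMPLE_RUN, {"ExampleTrigger", "UnlistedTrigger"})
    print(result)
    raise SystemExit(0 if result["passed"] else 1)
```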
2.2 Check per-class coverage
```bash
sf apex run test \
  --code-coverage \
  --result-format json \
  --wait 10 \
  --target-org FlexiFREE \
  | jq '.result.coverage.coverage[] | select(.coveredPercent < 75) | {name, coveredPercent}'
```
Phase 3: Build Package Version (beta)
3.1 Bump version in sfdx-project.json
```json
"versionName": "ver 1.2.0",
"versionNumber": "1.2.0.NEXT"
```
3.2 Create beta package version
```bash
sf package version create \
  --package FlexibleTeamShare \
  --definition-file config/package-scratch-def.json \
  --installation-key-bypass \
  --wait 30 \
  --code-coverage \
  --skip-ancestor-check
```
3.3 Verify and check coverage
```bash
sf package version list --packages FlexibleTeamShare --order-by CreatedDate --verbose
sf package version report --package 04tXXXXXXXXXXXXXXX --verbose
```
Phase 4: Test Install
4.1 Install in a clean scratch/sandbox org
```bash
sf package install \
  --package 04tXXXXXXXXXXXXXXX \
  --target-org TestOrg \
  --wait 10
```
4.2 Smoke test
- Assign FTS_App_Access and FTS_Data_Access permission sets
- Configure a sharing config via the Wizard
- Add/edit/remove team members on a record
- Verify sharing records created/deleted
- Test as non-admin user (FTS_Data_Access only)
Phase 5: Promote to Release
```bash
sf package version promote --package 04tXXXXXXXXXXXXXXX
```
Phase 6: Partner Security Portal — Source Scanner (Checkmarx)
This is mandatory for any submission that includes a Salesforce package.
- Go to Partner Security Portal using your DevHub/packaging org credentials
- Select your promoted (released) package version
- Click Start Scan and wait for results (usually 15-30 min)
- Download the report
Handle findings
- Critical/High — fix the code, rebuild, rescan
- False positives — document in docs/FALSE-POSITIVES.md, attach to submission
- Low/Info — document rationale, no fix required
Phase 7: DAST Scan (if applicable)
Flexible Team Share has no external callouts, no web UI, no API endpoints — DAST is not applicable.
Phase 8: Prepare Submission Materials
Required documents
| Material | File | Notes |
|---|---|---|
| Code Analyzer report (full) | docs/scan-results.html | From Phase 1 |
| Code Analyzer report (AppExchange) | docs/scan-appexchange.html | From Phase 1 |
| Source Scanner report | Downloaded from Portal | From Phase 6 |
| False positives doc | docs/FALSE-POSITIVES.md | Explain each finding |
| Admin/User documentation | docs/APPLICATION-OVERVIEW.md, docs/USE-CASES.md | Reviewers test your app |
| Installation guide | docs/1. Installation Guide.md | Step-by-step setup |
Review org preparation
- Install the promoted package version
- Disable MFA/2FA so the review team can log in
- Only install packages related to this review
- Create a test user with full access for the review team
- Pre-configure at least one working sharing config with sample data
Phase 9: Submit
- Go to AppExchange Partner Console > Publishing > Security Review
- Select your package and promoted version
- Upload all scan reports
- Provide org login credentials for the review team
- Pay $999 fee (for paid apps; free apps — no fee)
- Submit
Timeline: 4-6 weeks. Most apps pass on 2nd attempt.
Execution Order Summary
```
Phase 1  Code Analyzer + ESLint + Jest        ← fix code issues
Phase 2  Apex tests in org (>= 75%)           ← fix coverage gaps
Phase 3  Build beta package version           ← if build fails, back to Phase 2
Phase 4  Install & smoke test in clean org    ← if broken, fix and rebuild
Phase 5  Promote to release                   ← IRREVERSIBLE
Phase 6  Source Scanner (Checkmarx)           ← only on promoted version
Phase 7  DAST scan (if applicable)            ← N/A for this app
Phase 8  Prepare docs & review org            ← package everything
Phase 9  Submit to AppExchange                ← wait 4-6 weeks
```