Skip to content
Back to Blog
Marketplace

Salesforce Code Analyzer: Prep Your App for the AppExchange Security Review (2026)

May 1, 2024
SCSunny Chauhan
Salesforce Code Analyzer: Prep Your App for the AppExchange Security Review (2026)

Salesforce Code Analyzer is the free static-analysis tool that scans your Apex, Lightning, and Flow code for the security issues that fail the AppExchange security review — and it produces the scan reports Salesforce requires to list a managed package. Run it before you submit, not after the rejection.

The current version is v5; v4 was retired in August 2025. It's driven by a single command and a code-analyzer.yml config, and it unifies seven analysis engines under one interface.

The engines, and what each one catches

Code Analyzer runs the checks that map directly to the review's most common failures — CRUD/FLS enforcement, insecure dependencies, and hardcoded secrets.

EngineScansWhat it catches
PMDApex, VisualforceSecurity anti-patterns, CRUD/FLS gaps, code smells
Salesforce Graph Engine (sfge)Apex (data-flow)CRUD/FLS violations and sharing issues via path analysis
ESLintJavaScript, LWCJavaScript bugs and insecure patterns
RetireJSJS dependenciesKnown-vulnerable library versions (CVEs)
RegexAny (custom rules)Custom patterns, e.g. hardcoded secrets or keys
FlowSalesforce FlowsSecurity issues in Flow logic
CPDAllCopy-paste duplication

The Graph Engine (sfge) is the one that matters most for the review: its data-flow analysis catches missing CRUD/FLS checks — the number-one reason apps fail — that line-by-line linters miss.

How to run it

Install the plugin and run it against your project:

`` sf plugins install code-analyzer sf code-analyzer run --view detail ``

Configure which engines and rules run in a code-analyzer.yml file at your project root. To submit a managed package to the AppExchange, produce the Code Analyzer report Salesforce requires and include it with your submission — the review expects either a clean report or a documented justification for each finding you're treating as a false positive.

Where it fits in security-review prep

Code Analyzer covers the static-analysis half of the review. It won't test your live external endpoints — that's what a dynamic scanner like OWASP ZAP or Burp is for. A realistic prep sequence: run Code Analyzer, fix or document every finding, run a dynamic scan against any external domains, then submit with both reports and a false-positive document.

Run it early and often, not once at the end. Wiring sf code-analyzer run into your CI pipeline catches CRUD/FLS and injection issues on every commit, when they cost minutes to fix — instead of surfacing them all at once in a review report weeks before your launch date. Teams that treat the scan as a gate on every pull request rarely see the review as the bottleneck.

A note on findings: not every flagged item is a real vulnerability. The Graph Engine in particular can report a data-flow path that your code guards in a way the analyzer can't see. When that happens, document the finding as a false positive with a clear explanation rather than suppressing the rule silently — reviewers read that document, and a well-justified false positive won't hold up your submission.

Frequently Asked Questions

What is Salesforce Code Analyzer?

A free, open-source static-analysis tool from Salesforce that scans Apex, Lightning Web Components, and Flows for security and quality issues, unifying seven engines (PMD, Graph Engine, ESLint, RetireJS, Regex, Flow, CPD) under one command.

Is Code Analyzer required for the AppExchange security review?

You must submit the required code-scan reports. Code Analyzer produces them, and it's the tool Salesforce points ISVs to for the static-analysis portion of the review.

How do I run Salesforce Code Analyzer?

Install it with sf plugins install code-analyzer, then run sf code-analyzer run. Configure engines and rules in a code-analyzer.yml file.

What version of Code Analyzer should I use?

v5. Version 4 was retired in August 2025 and is no longer supported.

Which engine finds CRUD/FLS problems?

The Salesforce Graph Engine (sfge) performs data-flow analysis on Apex to catch missing CRUD/field-level security checks — the top reason apps fail the review.

Does Code Analyzer replace a dynamic security scan?

No. It handles static analysis. You still need a dynamic scanner (OWASP ZAP or Burp) to test live external endpoints for the review.

What do I do with false positives?

Document each one with a justification and include that document with your submission. Reviewers expect either a clean report or a defensible explanation for every finding.

Key Takeaway

Salesforce Code Analyzer (v5; v4 retired August 2025) is the free static-analysis tool that scans Apex, LWC, and Flows before the AppExchange security review, run with sf code-analyzer run and configured via code-analyzer.yml. It unifies seven engines — PMD, Salesforce Graph Engine (sfge), ESLint, RetireJS, Regex, Flow, and CPD. The Graph Engine's data-flow analysis catches missing CRUD/FLS checks, the top review failure. It covers static analysis only; pair it with a dynamic scan (OWASP ZAP or Burp) for external endpoints.

Sources

More Blogs

All Blogs

Ship your native CRM app this quarter.

30 minutes. We generate your first package live. 10x faster, 10x cheaper than the build you were quoting.