Salesforce Code Analyzer is the free static-analysis tool that scans your Apex, Lightning, and Flow code for the security issues that fail the AppExchange security review — and it produces the scan reports Salesforce requires to list a managed package. Run it before you submit, not after the rejection.
The current version is v5; v4 was retired in August 2025. It's driven by a single command and a code-analyzer.yml config, and it unifies seven analysis engines under one interface.
The engines, and what each one catches
Code Analyzer runs the checks that map directly to the review's most common failures — CRUD/FLS enforcement, insecure dependencies, and hardcoded secrets.
| Engine | Scans | What it catches |
|---|---|---|
| PMD | Apex, Visualforce | Security anti-patterns, CRUD/FLS gaps, code smells |
| Salesforce Graph Engine (sfge) | Apex (data-flow) | CRUD/FLS violations and sharing issues via path analysis |
| ESLint | JavaScript, LWC | JavaScript bugs and insecure patterns |
| RetireJS | JS dependencies | Known-vulnerable library versions (CVEs) |
| Regex | Any (custom rules) | Custom patterns, e.g. hardcoded secrets or keys |
| Flow | Salesforce Flows | Security issues in Flow logic |
| CPD | All | Copy-paste duplication |
The Graph Engine (sfge) is the one that matters most for the review: its data-flow analysis catches missing CRUD/FLS checks — the number-one reason apps fail — that line-by-line linters miss.
How to run it
Install the plugin and run it against your project:
`` sf plugins install code-analyzer sf code-analyzer run --view detail ``
Configure which engines and rules run in a code-analyzer.yml file at your project root. To submit a managed package to the AppExchange, produce the Code Analyzer report Salesforce requires and include it with your submission — the review expects either a clean report or a documented justification for each finding you're treating as a false positive.
Where it fits in security-review prep
Code Analyzer covers the static-analysis half of the review. It won't test your live external endpoints — that's what a dynamic scanner like OWASP ZAP or Burp is for. A realistic prep sequence: run Code Analyzer, fix or document every finding, run a dynamic scan against any external domains, then submit with both reports and a false-positive document.
Run it early and often, not once at the end. Wiring sf code-analyzer run into your CI pipeline catches CRUD/FLS and injection issues on every commit, when they cost minutes to fix — instead of surfacing them all at once in a review report weeks before your launch date. Teams that treat the scan as a gate on every pull request rarely see the review as the bottleneck.
A note on findings: not every flagged item is a real vulnerability. The Graph Engine in particular can report a data-flow path that your code guards in a way the analyzer can't see. When that happens, document the finding as a false positive with a clear explanation rather than suppressing the rule silently — reviewers read that document, and a well-justified false positive won't hold up your submission.
Frequently Asked Questions
What is Salesforce Code Analyzer?
A free, open-source static-analysis tool from Salesforce that scans Apex, Lightning Web Components, and Flows for security and quality issues, unifying seven engines (PMD, Graph Engine, ESLint, RetireJS, Regex, Flow, CPD) under one command.
Is Code Analyzer required for the AppExchange security review?
You must submit the required code-scan reports. Code Analyzer produces them, and it's the tool Salesforce points ISVs to for the static-analysis portion of the review.
How do I run Salesforce Code Analyzer?
Install it with sf plugins install code-analyzer, then run sf code-analyzer run. Configure engines and rules in a code-analyzer.yml file.
What version of Code Analyzer should I use?
v5. Version 4 was retired in August 2025 and is no longer supported.
Which engine finds CRUD/FLS problems?
The Salesforce Graph Engine (sfge) performs data-flow analysis on Apex to catch missing CRUD/field-level security checks — the top reason apps fail the review.
Does Code Analyzer replace a dynamic security scan?
No. It handles static analysis. You still need a dynamic scanner (OWASP ZAP or Burp) to test live external endpoints for the review.
What do I do with false positives?
Document each one with a justification and include that document with your submission. Reviewers expect either a clean report or a defensible explanation for every finding.
Key Takeaway
Salesforce Code Analyzer (v5; v4 retired August 2025) is the free static-analysis tool that scans Apex, LWC, and Flows before the AppExchange security review, run with sf code-analyzer run and configured via code-analyzer.yml. It unifies seven engines — PMD, Salesforce Graph Engine (sfge), ESLint, RetireJS, Regex, Flow, and CPD. The Graph Engine's data-flow analysis catches missing CRUD/FLS checks, the top review failure. It covers static analysis only; pair it with a dynamic scan (OWASP ZAP or Burp) for external endpoints.
Related Articles
- Salesforce AppExchange security review: step-by-step
- Preparing your managed package for security review
- Salesforce security review checklist



