If you're listing on AppExchange in 2026, the security review is the gate that decides whether your enterprise pipeline opens this quarter or slips to next. The fee model changed in March 2023, Chimera was retired in June 2025, and the self-review wizard now auto-approves most updates after your first pass. I pulled the latest Salesforce ISVforce docs, the Concret.io and Noltic PDO reports, and the failure patterns we see at Appnigma to write the single guide I wish I had when I was helping a B2B SaaS founder ship their first managed package.
TL;DR: The Salesforce AppExchange security review is a mandatory code and behavioral audit every managed package passes before it can be listed. It costs $999 per submission attempt for paid apps ($0 for free apps), takes 6 to 9 weeks for the initial pass plus 2 to 3 weeks per resubmission, and roughly half of first-time submissions fail according to PDO partner reports. Salesforce retired Chimera DAST on June 16, 2025, so partners must now run OWASP ZAP, Burp Suite, or Qualys. The eight check categories are defined in the ISVforce Security Review guidelines. The biggest failure cause: missing CRUD and Field-Level Security enforcement on Apex DML and SOQL.
The Salesforce security review checklist
Run this before you submit. Each item maps to one of the most common rejection reasons, so clearing the list is the difference between a first-try pass and a 2–3 week resubmission.
- Enforce CRUD and field-level security on every SOQL and DML operation (
Security.stripInaccessible,WITH SECURITY_ENFORCED) — this is the number-one failure, by a wide margin. - Add
with sharingorinherited sharingto every Apex class. - Remove hardcoded secrets; store them in Protected Custom Metadata, Protected Custom Settings, or Named Credentials.
- Use bind variables or
String.escapeSingleQuoteson all dynamic SOQL to prevent injection. - Escape all output and avoid
escape="false"; handle CSRF on state-changing requests. - Declare every external endpoint via Remote Site Settings or Named Credentials, and enforce TLS.
- Update vulnerable third-party libraries and bundle JavaScript as static resources rather than hotlinking.
- Run Salesforce Code Analyzer plus a dynamic scan (OWASP ZAP or Burp), and document every false positive.
- Keep secrets and stack traces out of debug logs and error pages.
- Prepare test credentials, a demo walkthrough, and a data-flow description for the reviewer.
What is the Salesforce AppExchange security review?
The Salesforce AppExchange security review is a mandatory code-level and behavioral audit Salesforce runs on every managed package before it can be listed on AppExchange. The review combines static analysis (Checkmarx CxSAST, Salesforce Code Analyzer), dynamic application security testing (OWASP ZAP, Burp Suite, or Qualys since Chimera was retired in June 2025), and manual review against the eight check categories defined in the ISVforce Security Review guidelines.
It applies to every ISV that wants to distribute a paid or free managed package on AppExchange. There is no way to skip it. There is no fast lane. Every one of the 6,233 apps live on AppExchange as of December 2025 went through this same gate.
Citation capsule: The canonical source is Salesforce ISVforce Guide, Security Review Guidelines. Combined with State of AppExchange 2026 (sfapps.info) for app-count figures.
How much does the Salesforce security review cost in 2026?
$999 per submission attempt for paid apps. $0 for free apps. No partner-tier discount exists. The fee applies to the initial submission and to every resubmission after a failed review. Fail twice, and you've paid $2,997 in fees alone, before you count the engineering time and lost deal pipeline.
| Item | 2026 cost | Notes |
|---|---|---|
| Initial security review (paid app) | $999 | Per submission attempt |
| Initial security review (free app) | $0 | No fee for free apps |
| Resubmission after failure | $999 (paid) or $0 (free) | Applies per attempt, not capped |
| Auto-approval of version updates | $0 | Via self-review wizard, post-March 2023 |
| Trust Tier discount | None | Select and Summit ISVs pay the same $999 |
What changed in March 2023: Salesforce moved from a $2,550 initial fee plus $150 annual model to the per-attempt $999 model. The new structure penalizes failure (resubmission costs the same as initial) and rewards quality (an app that passes on the first try pays once and is done until major architecture changes). Source: Salesforce Developer Docs, Security Review Fees.
How long does the security review take?
Pre-queue validation runs in 1 to 2 days. The full initial review takes 6 to 9 weeks. A resubmission after fixing findings takes 2 to 3 weeks. Most version updates of an already-approved package are auto-approved in minutes via the self-review wizard introduced in March 2023, unless the update introduces new objects, new callouts, or significant architecture changes.
| Phase | Duration | What's happening |
|---|---|---|
| Pre-queue validation | 1 to 2 days | Automated check that submission materials are complete and the package installs cleanly |
| Initial review | 6 to 9 weeks | Checkmarx SAST, Salesforce Code Analyzer, manual review, DAST against demo org |
| Resubmission review | 2 to 3 weeks | Re-runs scans on the resubmitted package, validates fixes for each prior finding |
| Version update (after first pass) | Minutes (auto-approve) or 2 to 3 weeks (manual re-review) | Auto unless update adds new sensitive objects, new callouts, or architecture changes |
Source: Salesforce Developers Blog, Prepare Your App to Pass the Security Review and Concret.io review timeline.
What does the security review actually check?
Eight categories. The full list, with what each one means for your code, comes straight from the Salesforce ISVforce Guide, Create a Secure Solution.
| Category | What it checks |
|---|---|
| Authentication and session management | SECURE flag on cookies, session invalidation on logout, sufficient entropy in session IDs, no session ID in URLs or logs |
| Authorization | CRUD and Field-Level Security enforced on every DML and SOQL. 'with sharing' declared on Apex classes touching user data. Integration users' FLS audited. |
| Input validation | SOQL/SOSL injection prevented via bind variables or String.escapeSingleQuotes. XSS and CSRF protections in place. |
| Output encoding | HTMLENCODE, JSENCODE, URLENCODE applied in Visualforce. LWC uses template binding rather than raw HTML. |
| Cryptography | No MD5 or SHA-1. Crypto class with platform-managed keys. No DIY encryption schemes. |
| Communication security | HTTPS-only callouts. Valid TLS (1.2+). CSP-safe Remote Sites. No plaintext endpoints. |
| Logging and error handling | No PII or session IDs in debug logs. Generic error pages for users; full detail only to authenticated admins. |
| Storage of secrets | No hardcoded API keys or tokens. Use Named Credentials, Protected Custom Metadata, or External Credentials. |
What tools does Salesforce use during the review?
The review combines automated scanners and manual analysis. Knowing which tools run against your code lets you run them locally first and clean up findings before submission.
| Tool | Type | Status (2026) |
|---|---|---|
| Checkmarx CxSAST | Static analysis of Apex, Visualforce, Lightning | Mandatory. The single most common source of findings. |
| Salesforce Code Analyzer (wraps PMD, ESLint, RetireJS) | Static analysis, open source | Required submission artifact. Run it locally. |
| Chimera | Dynamic application security testing | RETIRED on June 16, 2025. Do not reference Chimera in submissions. |
| OWASP ZAP | DAST | Acceptable Chimera replacement. Open source. |
| Burp Suite | DAST | Acceptable Chimera replacement. Industry standard. |
| Qualys | DAST / vulnerability scanner | Acceptable Chimera replacement. Enterprise tier. |
| RetireJS | JavaScript library vulnerability check | Inside Code Analyzer. Flags outdated jQuery, lodash, moment. |
| Manual review | Human reviewer | Always. Reads your Solution Architecture Document, exercises your demo org. |
Chimera was retired June 16, 2025. If you're following a 2024 or older guide that tells you to "submit Chimera output," ignore it. Run OWASP ZAP, Burp Suite, or Qualys against your demo org and include the report in your submission materials. Source: Noltic, 2026 Security Review Guide.
Top 10 reasons apps fail the security review (and how to fix each)
Aggregated from the Salesforce Developers Blog (April 2023), Concret.io failure guide, and our own customer data at Appnigma:
| # | Failure | Fix |
|---|---|---|
| 1 | Missing or weak CRUD + FLS enforcement on Apex DML and SOQL | Use WITH SECURITY_ENFORCED in SOQL or Security.stripInaccessible on results. Audit every DML. |
| 2 | SOQL or SOSL injection via string concatenation | Switch to bind variables. If you must do dynamic SOQL, wrap user input with String.escapeSingleQuotes. |
| 3 | Missing 'with sharing' on Apex classes (defaults to 'without sharing') | Set 'with sharing' explicitly. Document any 'without sharing' class with a written justification. |
| 4 | Insecure endpoints (HTTP, expired TLS, non-CSP remote sites) | Force HTTPS. Pin TLS 1.2 or higher. Add every external endpoint to CSP Trusted Sites. |
| 5 | Outdated JS libraries (jQuery, lodash, moment with known CVEs) | Run RetireJS. Upgrade to current versions or remove. Avoid CDN-loaded libraries where possible. |
| 6 | XSS in Visualforce or LWC | Apply HTMLENCODE or JSENCODE in Visualforce. In LWC, use template binding instead of lwc:dom='manual' with raw HTML. |
| 7 | Hardcoded credentials or API keys in source | Move all secrets to Named Credentials, Protected Custom Metadata, or External Credentials. |
| 8 | Session ID exfiltration (debug logs, URLs, third-party tags) | Strip session IDs from logs. Never pass session IDs via GET parameters or third-party pixels. |
| 9 | Information leakage via stray System.debug in production | Remove debug. Adopt a logging framework with an environment-level off switch. |
| 10 | Ignored or unjustified Checkmarx false positives | Write a clear false-positive justification for every finding you do not fix. Reviewers will not accept 'false positive' as a one-word answer. |
Code-level example: fixing the #1 failure (CRUD/FLS enforcement)
Before (will fail Checkmarx and security review):
List<Account> accs = [SELECT Id, Name, Industry FROM Account];
update accs;After (enforces FLS at query time and before DML):
List<Account> accs = [
SELECT Id, Name, Industry
FROM Account
WITH SECURITY_ENFORCED
];
SObjectAccessDecision sanitized = Security.stripInaccessible(
AccessType.UPDATABLE, accs
);
update sanitized.getRecords();How do you prepare for the security review?
Run the review against yourself before Salesforce does. The 6 to 9 week wait window is the worst time to discover a finding you could have caught locally in a Friday afternoon.
- Run Checkmarx CxSAST locally. Salesforce gives partners access via the Partner Security Portal. Fix every finding you can. Justify every one you cannot.
- Run Salesforce Code Analyzer. Open source, ships with sfdx. Catches PMD, ESLint, and RetireJS findings before submission.
- Run a DAST scan against your demo org. Pick OWASP ZAP, Burp Suite, or Qualys. Save the report. You'll attach it to the submission.
- Write the Solution Architecture Document. Diagram the data flow, integration surface, sharing model, and external endpoints. The reviewer reads this first.
- Provision a demo org with test credentials. Pre-load it with realistic data. Document login steps. The reviewer will use this org to exercise every feature.
- Submit through the Security Review wizard in the Partner Community. Pay the $999 fee (paid apps only) and wait for the email when the review enters the queue.
Companion deep dives: Our security review checklist walks line-by-line through what reviewers look for, and our step-by-step submission guide covers the wizard UI and required attachments.
What happens if your app fails the security review?
Half of first-time submissions fail. That figure is a PDO industry estimate, not an official Salesforce number, but it's consistent across Concret.io, Noltic, and our own customer base. Plan for it.
If your app fails:
- Salesforce returns a detailed report listing every violation by file and line with a remediation reference.
- You fix the findings and attest to the fixes in the self-review wizard.
- You resubmit. The follow-up review takes 2 to 3 weeks.
- For paid apps, the $999 fee applies again per resubmission. Free apps remain free.
The hidden cost of a failed review: $999 resubmission + 2 to 3 weeks of delay + every enterprise deal in your pipeline that needed AppExchange before signing. For a B2B SaaS company chasing a $100K+ ARR enterprise contract, a failed review can be a quarter slipping. The fee is the smallest part.
What changed in 2023 and 2025?
Two structural changes broke most older AppExchange security review guides.
| When | What changed | What it means for you |
|---|---|---|
| March 16, 2023 | Fee model switched from $2,550 initial + $150 annual to $999 per submission attempt. Self-review wizard introduced for version updates. | You pay every time you resubmit, but you no longer pay an annual fee. Once you pass, most version updates auto-approve in minutes. |
| June 16, 2025 | Chimera DAST was retired. Partners must now run their own DAST scan (OWASP ZAP, Burp Suite, or Qualys) and submit the report. | If you're following a guide that mentions 'Chimera output,' it's outdated. The DAST step is now your responsibility. |
Can you pass the security review without Salesforce developers?
Most B2B SaaS companies that need to list on AppExchange don't have a Salesforce developer on staff. The traditional answer was to hire a PDO at $20,000 to $40,000 for the build plus the security review prep. The 6 to 12 month timeline plus the 50% first-pass failure rate makes that a brutal bet for a startup chasing an enterprise deal.
The shorter answer in 2026: yes, if your code is generated against the secure coding standards from the start. Most security review failures come from a small set of pattern mistakes (CRUD/FLS, sharing model, SOQL injection, encoding). Those are exactly the patterns an AI-native managed-package generator can enforce by default.
At Appnigma AI, we generate every managed package with:
- 'with sharing' declared on every Apex class touching user data
- WITH SECURITY_ENFORCED in every SOQL query, or Security.stripInaccessible when dynamic
- Bind variables in every dynamic query, no string concatenation
- HTMLENCODE / JSENCODE in every Visualforce binding
- Named Credentials for every external endpoint, no hardcoded secrets
- Solution Architecture Document and DAST report templates pre-filled from the package metadata
Customers shipping on AppExchange this way: Warmly, Hyperbound, Pylon, Avoma, UserEvidence, Aline, Alguna, Salesbricks, and Seam AI. None of them hired a Salesforce dev team.
Generate a security-review-ready managed package in 60 seconds. Type a prompt. Get Apex that clears Checkmarx and Salesforce Code Analyzer on the first scan. Book a demo.
Frequently asked questions
What is the Salesforce security review?
The Salesforce AppExchange security review is a mandatory code-level and behavioral audit Salesforce runs on every managed package before it can be listed on AppExchange. The review combines static analysis (Checkmarx CxSAST, Salesforce Code Analyzer), dynamic application security testing (OWASP ZAP, Burp Suite, Qualys since Chimera was retired June 16, 2025), and manual review against the eight check categories defined in the ISVforce Security Review guidelines.
How much does the Salesforce security review cost?
The Salesforce AppExchange security review costs $999 per submission attempt for paid apps and $0 for free apps. The fee applies to the initial submission and to every resubmission after a failed review. The legacy $2,550 initial plus $150 annual fee model was retired on March 16, 2023. No partner tier discount exists.
How long does the Salesforce security review take?
A pre-queue validation runs in 1 to 2 days. After that, the full review takes 6 to 9 weeks for an initial submission. A resubmission after fixing findings takes 2 to 3 weeks. Most version updates of an already-approved package are auto-approved in minutes via the self-review wizard, unless the update introduces new objects, callouts, or significant architecture changes.
What does the Salesforce security review check?
The review covers eight categories: authentication and session management, authorization (CRUD plus Field-Level Security enforcement, sharing model), input validation (SOQL injection, XSS, CSRF), output encoding, cryptography (no MD5 or SHA-1, use platform Crypto class), communication security (HTTPS callouts only, valid TLS, CSP-safe remote sites), logging and error handling (no PII in debug logs), and storage of secrets (Named Credentials, Protected Custom Metadata, External Credentials).
What happens if my Salesforce app fails the security review?
Salesforce returns a detailed report listing every violation by file and line with a remediation reference. You fix the findings, attest in the self-review wizard, and resubmit. The follow-up review takes 2 to 3 weeks, and for paid apps the $999 fee applies again per resubmission. Roughly half of first-time submissions fail according to PDO partner reports.
How do I prepare for the Salesforce security review?
Run Checkmarx CxSAST and Salesforce Code Analyzer locally before submission. Run an approved DAST tool (OWASP ZAP, Burp Suite, or Qualys, since Chimera was retired June 16, 2025) against your demo org. Write a false-positive justification for every finding you do not fix. Prepare the Solution Architecture Document, test credentials, and a demo org. Submit through the Security Review wizard in the Partner Community.
Does Salesforce still use Chimera for the security review?
No. Salesforce retired Chimera on June 16, 2025. Partners must now run dynamic application security testing using OWASP ZAP, Burp Suite, or Qualys against their demo org and submit the report as part of the security review materials.
Can I pass the Salesforce security review without Salesforce developers?
Yes. AI-native managed-package generators like Appnigma produce Apex with sharing, CRUD/FLS enforcement, bind-variable SOQL, output encoding, and Named Credentials by default. Because the generated code follows Salesforce's secure coding standards from the start, it clears Checkmarx and Salesforce Code Analyzer on the first pass. Customers including Warmly, Hyperbound, Pylon, Avoma, and Salesbricks listed on AppExchange without hiring Apex engineers.
Where to go next
The security review is one gate inside the larger ISV journey. The companion reads:
- The 2026 Salesforce ISV Partner Program guide. Tiers, costs, ISV vs OEM, and the path to becoming an ISV.
- The 2026 security review fee breakdown. Deep dive on every cost line item.
- The security review checklist. Line-by-line what reviewers look for.
- Security review submission, step by step. The Partner Community wizard UI and required attachments.
- The 2026 managed package guide. The artifact you're submitting for review.
- How to build a managed package without code. The no-code path.
Sources
- Salesforce Developers, Prepare Your App to Pass the AppExchange Security Review
- Salesforce ISVforce Guide, Security Review Guidelines
- Salesforce ISVforce Guide, Create a Secure Solution
- Salesforce ISVforce Guide, Security Review Fees
- Salesforce ISVforce Guide, Security Review Wizard
- Trailhead, ISV Security Review module
- Noltic, How to Pass the AppExchange Security Review (2026)
- Concret.io, Security Review Fees and FAQs
- Concret.io, Navigating Security Review Failure for ISVs
- MagicFuse, Updates and Tips for Passing the Security Review
- State of AppExchange 2026 (sfapps.info dataset)



