Salesforce requires every managed package to pass a security review before it lists on the AppExchange, and about half fail the first attempt — most often on missing CRUD and field-level security checks. Here is what the review checks and how to prepare your package to pass.
Introduction to Salesforce Security Review
Getting your Salesforce managed package approved for AppExchange is essential. The Salesforce Security Review ensures every app meets strict security, trust, and compliance standards. If you're preparing your first managed package, you’re in the right place. Learn more from the Salesforce Managed Package Guide.
Why Every Managed Package Must Pass This Review
Salesforce hosts thousands of third-party apps, and the ecosystem relies heavily on trust. The review protects customer data and ensures compliant behavior across enterprise environments. Explore the Salesforce AppExchange.
What Salesforce Checks During the Process
Salesforce scans for:
- Vulnerable code patterns
- Proper CRUD/FLS enforcement
- Secure integrations
- Authentication controls
- Web vulnerabilities
Understanding the Importance of Security in the AppExchange Ecosystem
Security is central to the platform. Learn more about packaging essentials: Salesforce Managed Package (Appnigma)
Impact of a Failed Review
A failed review results in delays, additional fixes, and extra testing cycles.
Key Requirements Before Submitting Your Managed Package
Packaging Your App Correctly
Ensure proper visibility, packaging integrity, and version management.
Ensuring Namespace and License Setup
Reserve your namespace prefix and configure LMO settings. Learn about namespace setup.
Preparing Documentation and Support Details
Provide guides, diagrams, and support notes for the reviewers.
Technical Security Checkpoints You Must Pass
Apex Code Security Requirements
Follow secure coding standards and avoid unsafe operations. Learn more about Salesforce Integrations on Appnigma.
CRUD & FLS Enforcement
This is the top reason apps fail review.
Avoiding Hardcoded IDs
Use dynamic references and avoid static IDs.
Governor Limits and Bulkification
Use bulk-safe code and avoid inefficient patterns.
Secure Integrations and API Usage
OAuth Best Practices
Follow secure OAuth flows: Salesforce OAuth 2.0
Secure Storage of Secrets
Use Named Credentials, encrypted fields, and protected metadata.
Lightning Web Components (LWC) Security
Locker Service & Lightning Web Security
Follow the official security rules from: Lightning Web Security
Secure Event Handling
Validate payloads and prevent accidental data exposure.
Static Code Analysis and Tools to Use
Recommended tools for review readiness:
- PMD
- CodeScan
- Checkmarx
Common Reasons Salesforce Rejects Packages
- Missing CRUD/FLS
- Weak or insecure integrations
- Unsafe JavaScript patterns
- Poor error handling
Preparing Your AppExchange Security Review Submission
Include:
- Threat model
- Data flow diagrams
- Pen test documentation
- Permission testing results
What Happens After You Submit
Expected Timeline
The review usually takes 4–6 weeks.
How to Respond to Review Feedback
Provide fixes, documentation, and test evidence.
Resubmitting After Fixes
Once everything is corrected, resubmit without penalties.
Best Practices to Speed Up Approval
- Follow recommendations from the Salesforce scanner
- Keep package components minimal
- Test the entire package in a fresh org
Conclusion
Preparing your managed package for the Salesforce Security Review ensures trust, reduces risk, and sets your product up for AppExchange success.
A secure app isn’t just necessary—it’s smart business.
FAQs
1. How long does the Salesforce Security Review take? Usually 4–6 weeks.
2. Do all managed packages need a security review? Yes.
3. Can I skip CRUD/FLS enforcement? No.
4. Are external integrations allowed? Yes, if secure.
5. Can I use JavaScript libraries in LWC? Yes, if Lightning Web Security–compliant.
The failure reasons that sink most first submissions
Appnigma's founder ran 300+ of these reviews from the Salesforce side. The same issues came up first, every time — and Salesforce's own published data confirms the order: missing CRUD/field-level security enforcement is the number-one failure by a wide margin. Here are the categories that account for most rejections, and the fix for each.
| # | Failure category | Root cause | The fix |
|---|---|---|---|
| 1 | CRUD/FLS not enforced | DML/SOQL without access checks | Security.stripInaccessible, WITH SECURITY_ENFORCED, Schema.describe checks |
| 2 | Insecure or outdated libraries | Bundled JS/dependencies with known CVEs | Upgrade libraries; bundle current versions as static resources |
| 3 | Sharing violation | Apex classes missing with sharing | Add with sharing or inherited sharing to every class |
| 4 | Insecure secret storage | API keys in custom fields or plaintext | Protected Custom Metadata/Settings; Named Credentials |
| 5 | SOQL injection | Dynamic SOQL built with string concatenation | Bind variables; String.escapeSingleQuotes |
| 6 | XSS / CSRF | Unescaped output; no anti-CSRF handling | Output encoding; avoid escape=false; framework CSRF tokens |
What the docs don't spell out: reviewers check whether a fix is real or superficial, and whether the same vulnerability class appears elsewhere in your code. A patch in one class won't pass if the same pattern is left in three others.
How long the review takes
| Stage | Who runs it | Duration |
|---|---|---|
| Readiness check | Security Review Operations | 1–2 weeks |
| First test | Product Security | 3–4 weeks |
| Resubmission test (if failed) | Product Security | 2–3 weeks |
| Total, first pass | — | ~6–9 weeks |
The review is also periodic — listed packages face re-review over time, so security isn't a one-time gate.
Frequently Asked Questions
What does Salesforce check during the security review?
Static code security (CRUD/FLS, sharing, SOQL injection, XSS), dynamic/runtime security of any external endpoints (TLS, CSRF), secret storage, and a manual penetration test of authentication and access control.
Why do most managed packages fail the first time?
Industry estimates put first-attempt failure near 50%. The number-one cause, by Salesforce's own ranking, is missing CRUD/field-level security enforcement, followed by outdated libraries and sharing violations.
Where am I allowed to store API keys and secrets?
In Protected Custom Metadata or Protected Custom Settings, or via Named Credentials — never in custom fields, plaintext, or debug logs.
Do I need with sharing on every Apex class?
Yes in practice. Missing sharing declarations are the third-most-common failure; add with sharing or inherited sharing unless you have a documented reason not to.
How long does the review take?
Roughly 6–9 weeks for a first pass: 1–2 weeks readiness, 3–4 weeks first test, and 2–3 weeks for a resubmission if needed.
Is the security review a one-time requirement?
No. Listed packages are subject to periodic re-reviews, so you maintain security over the life of the app.
Does a no-code or declarative build make the review easier?
It can. Declarative logic that respects platform sharing and FLS by default designs out the top failure classes (CRUD/FLS, sharing, SOQL injection). It does not exempt you from the review or from documenting external integrations.
Does the security review apply to AgentExchange agent listings?
Yes. After Salesforce unified its marketplaces into AgentExchange in April 2026, the same security bar applies to agents and agent actions that touch data.
Key Takeaway
Every Salesforce managed package must pass a security review before listing on the AppExchange (now AgentExchange), and roughly half fail the first attempt. The top failure, by Salesforce's own ranking, is missing CRUD/field-level security enforcement, followed by outdated libraries, sharing violations, and insecure secret storage (store secrets in Protected Custom Metadata/Settings or Named Credentials). A first pass takes about 6–9 weeks, and listed packages face periodic re-review.
Related Articles
- Salesforce AppExchange security review: step-by-step
- Salesforce Code Analyzer for security review prep
- Salesforce security review checklist



