Salesforce AppExchange Security Review - Step-by-Step

Launching your app on the Salesforce AppExchange is a major milestone—but before you can go live, you must pass Salesforce’s Security Review. This article explains the Salesforce AppExchange Security Review process, ensuring your managed package meets Salesforce’s strict standards for data protection, code quality, and customer trust.

Whether you’re a technical cofounder or product leader, understanding this review process is crucial. In this step-by-step guide, we’ll break down what to expect, what to prepare, and how to navigate it efficiently. Expertise in AppExchange app development is essential for successfully navigating the security review and ensuring your app meets all compliance requirements.

What Is the AppExchange Security Review?

The AppExchange Security Review is a mandatory evaluation for all managed packages and any solution that will be distributed publicly on the Salesforce AppExchange. It’s conducted by Salesforce’s internal security team and covers:

  • Code vulnerabilities (e.g. XSS, SOQL injection)

  • Data storage and encryption

  • API access and authentication

  • Adherence to Salesforce platform best practices

  • Secure handling of external integrations

  • User interface design and functionality

During the review, each component of the app architecture is assessed for security.

The review applies whether your app is a full-fledged SaaS product or a small internal utility—if it’s listed, it must pass. This process ensures the app meets Salesforce's security standards.

Step-by-Step: How the Review Works
Step 1: Join the Salesforce Partner Program

You’ll need to register your company as a Salesforce ISV Partner via the Partner Community.

Once accepted, you’ll get access to:

  • Business Org Hub (for managing listings)

  • License Management App (LMA)

  • Security Review submission portal

The Partner Community also provides valuable resources to help you prepare your app for security review.

Note: Make sure your application details are accurate and complete, as this can impact the approval process.

💡 Tip: Use your business email and provide clear use case information in your application for faster approval.

Step 2: Build and Package Your App

This stage is critical in the AppExchange security review process.

Before submitting for review, you must create a managed package. This should include:

  • Custom objects and fields

  • Apex classes and triggers (if used)

  • Lightning Web Components or Visualforce (if used)

  • Proper permissions, metadata, and packaging

When building your app, ensure compliance with all applicable regulatory standards (e.g., HIPAA, PCI-DSS) during packaging.

If you’re building your app in-house, consider using ISV Copilot by Appnigma — it guides you through packaging, validates your code for security risks, and automates documentation generation for the review process.

Step 3: Run Salesforce's Scanner Tools

Use the Salesforce CLI Scanner or Checkmarx scanner to:

  • Scan Apex code for security issues and find potential vulnerabilities

  • Analyze scanner reports to identify key findings and areas needing improvement

  • Be aware that scanner results may include false positives, so review findings carefully before making changes

  • Generate pre-review reports

  • Clean up any major errors or red flags

  • Perform manual testing in addition to automated scans to ensure thorough security validation

⚠️ Required: All scanner reports must be uploaded as part of your security submission package.

Step 4: Gather Required Documentation

When submitting your app, Salesforce will ask for:

  • Scanner results (PDF/CSV format)

  • Architecture diagram or data flow diagram

  • Summary of security findings

  • Explanation of how you handle auth and data

  • Test login credentials to install the app in a scratch org

Your explanations should clearly outline:

  • What external systems you call

  • Where data is stored or logged

  • What permissions are requested and why

Step 5: Submit for Review

Upload your package, scanner reports, and documentation through the Partner Portal as part of your security review submissions. You’ll receive a confirmation and estimated timeline.

Salesforce charges a $999 fee for security reviews of paid apps and for re-reviews triggered by code changes or periodic audits. Free apps are currently exempt from the security review fee, but all apps—paid or free—must successfully pass security reviews before being listed.

Reviews typically take 4–6 weeks depending on app complexity and backlog. Expect communication from the Salesforce security team if they require clarifications or fixes.

✅ Pro tip: Submit ahead of Dreamforce or fiscal quarter ends—those times often have longer queues.

Step 6: Address Feedback and Re-Test (If Needed)

If the Salesforce team identifies issues, you’ll get a detailed report with required remediations. All identified issues must be addressed before resubmission. Common reasons for rejection:

  • Storing sensitive data unencrypted

  • Not respecting FLS/CRUD permissions

  • Over-permissioned OAuth scopes

  • Hardcoded secrets or URLs

After receiving the report, pass the security team's feedback to your developers for remediation. Fix the issues, re-scan your code, verify that every finding has been resolved, and re-submit for review; if issues are not fixed, your app may fail the security review again. ISV Copilot provides remediation guidance based on your scanner results. Once the fixes are accepted, you can proceed to publishing.
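The FLS/CRUD, SOQL-injection and hardcoded-URL findings from the list above, shown in Apex as an added example that is not code from the article or from Appnigma: each vulnerable pattern sits beside its hardened form. The class name, the exception class and the Named Credential name are assumptions; Contact and Email are standard Salesforce objects and fields.

```apex
// Added example (not from the article or from ISV Copilot): patterns the
// security review commonly rejects, each beside a hardened form. The
// class, exception and Named Credential names are hypothetical.
public with sharing class ContactLookup {
    public class AccessException extends Exception {}

    // VULNERABLE: user input concatenated into SOQL (SOQL injection), and no
    // CRUD/FLS check, so a user without read access to Email still gets it.
    public static List<Contact> findUnsafe(String lastNamePrefix) {
        String q = 'SELECT Id, Email FROM Contact WHERE LastName LIKE \''
                 + lastNamePrefix + '%\'';
        return Database.query(q);
    }

    // HARDENED: a bind variable cannot change the query structure, and
    // WITH SECURITY_ENFORCED throws if the running user lacks read access
    // to any queried object or field (WITH USER_MODE is the newer form).
    // Database.query also resolves :pattern from local scope, so dynamic
    // SOQL needs no concatenation either.
    public static List<Contact> findSafe(String lastNamePrefix) {
        String pattern = lastNamePrefix + '%';
        return [SELECT Id, Email FROM Contact
                WHERE LastName LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // Write path: object-level CRUD is checked explicitly, then
    // stripInaccessible drops any field the user may not update instead
    // of letting the package write a field it has no right to touch.
    public static List<Contact> updateEmails(List<Contact> updates) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new AccessException('No update access to Contact');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, updates);
        update decision.getRecords();
        return decision.getRecords();
    }

    // Callout: the endpoint and credentials live in a Named Credential
    // (hypothetical name), so no secret or URL is hardcoded in the package.
    public static HttpResponse checkStatus() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_Service/status');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

Running the scanner from Step 3 over a class like findUnsafe is what produces the SOQL-injection and CRUD/FLS findings the review report cites; the hardened methods are the shape the reviewers expect after remediation.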

Step 7: Approval and AppExchange Listing

Once you pass, you’ll receive:

  • Approval notice from Salesforce

  • Go-ahead to publish your app listing

  • Permission to use the “Security Reviewed” badge

Each app version must pass the security review before it can be listed: a major version update may require a fresh review, and Salesforce may also require periodic re-reviews to confirm ongoing compliance with its security standards.

Your listing is now visible on the AppExchange and ready for customer installs.

Understanding Security Requirements

Navigating the Salesforce AppExchange security review process starts with a deep understanding of the security requirements set by the Salesforce Product Security team. The initial security review is designed to ensure that every app listed on the AppExchange meets strict standards for protecting user data, maintaining code quality, and following best practices. Failing to address security vulnerabilities or not meeting these requirements can delay your app’s listing and impact your reputation with users.

The security review team evaluates each app for a range of security issues, including data exposure, improper access controls, and insecure coding practices. Developers should expect the review process to be thorough, with the security team using both automated code scans and manual review techniques to identify potential risks. Understanding the types of vulnerabilities commonly found—such as improper data handling or weak authentication—can help you prepare your app to pass the security review on the first attempt.

To improve your chances of passing, it’s essential to create a robust security strategy from the start. This means not only relying on automated scanners but also conducting manual reviews and testing to catch issues that tools might miss. The security review process values apps that demonstrate a proactive approach to security, so addressing feedback from the security review team and making necessary code changes is key. Submitting a well-prepared app, with all required documentation and a clear explanation of how you manage and protect data, will help streamline the review and reduce the risk of failing.

Remember, the AppExchange security review is not a one-time hurdle. As you update your app or release new versions, you’ll need to resubmit for review to ensure ongoing compliance with Salesforce’s evolving security standards. Staying engaged with the security review team, understanding their feedback, and continuously improving your app’s security posture are essential steps for long-term success on the AppExchange.

In summary, understanding and addressing security requirements is fundamental to passing the Salesforce security review and maintaining your app’s listing. By preparing thoroughly, following best practices, and treating security as an ongoing priority, developers can create secure, compliant apps that earn customer trust and stand out in the AppExchange marketplace.

What If You're Not a Developer?

The security review process can be intimidating—especially for non-technical founders or ops teams. That’s why Appnigma built ISV Copilot: a smart assistant that:

  • Guides you through the security checklist

  • Flags packaging or metadata issues

  • Generates the docs Salesforce requires

  • Helps you navigate partner onboarding

  • Provides practical tips and best practices for passing the security review

It’s ideal for SaaS companies that are building their package internally but want to fast-track their AppExchange launch without delays or surprises.

Final Thoughts

Security Review is a rite of passage for any serious Salesforce app. While it’s thorough and rigorous, it’s important to take the time to understand the security review process. With the right tools—and some upfront preparation—you can pass on your first try and get to market faster.

Already building your app? Try ISV Copilot and get step-by-step help navigating the review and Salesforce partnership process.

Want to Build a Native Salesforce Integration Without Code?

Appnigma helps you create and deploy native Salesforce apps—fast, without engineering.
© Appnigma AI. 2025. All rights reserved.