
A web application scanner is a security tool that scans and tests external endpoints of a web application to identify vulnerabilities such as cross-site scripting (XSS), SQL injection, and security misconfigurations. Salesforce requires you to use a web application scanner when submitting a solution for security review, especially if your solution connects to external endpoints.
Salesforce provides access to Chimera, a scanner that tests external endpoints from Salesforce IP addresses without requiring a download. However, Chimera works only with endpoints on domains you own, because it proves ownership by requiring you to upload a token to the root of the external server. If your solution connects to endpoints on domains you don’t own, Salesforce recommends using third-party tools such as Zed Attack Proxy (ZAP) or Burp Suite. ZAP is a free, open-source security scanner, while Burp Suite is a paid tool that requires a separate license. Both tools test for web application vulnerabilities and can be used to show that your solution meets Salesforce’s security standards.