Salesforce Source Code Scanner, also known as the Checkmarx scanner, is a security tool provided through the Salesforce Partner Security Portal. It performs static code analysis to detect vulnerabilities in the Apex, Visualforce, and Lightning (Aura and Lightning Web) components of a Salesforce package. Running it is a required step in keeping a Salesforce solution secure and compliant, and in particular in submitting it for the AppExchange security review.
How Salesforce Source Code Scanner Works
The Source Code Scanner uses Checkmarx static analysis technology with rule sets written for Salesforce-specific languages. It identifies security flaws such as:
• SOQL and SOSL injection (user input concatenated into dynamic queries)
• Cross-site scripting (XSS), for example Visualforce output with escape="false" or unescaped URL parameters rendered into a page
• Insecure storage of secrets, such as credentials hard-coded in Apex or kept in unprotected custom settings
• Improper access controls, such as Apex that does not enforce CRUD/FLS permissions or sharing rules
Because the scanner is a static analyzer, it only examines the source code inside the package. It does not exercise running systems, so any external endpoint the package calls (or any web service you host for it) is out of scope and must be tested separately.
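The two finding classes the scanner reports most often on Apex, SOQL injection and missing CRUD/FLS enforcement, are easiest to recognise side by side. The following class is an added example written for this page; it is not code from Salesforce or Checkmarx. The class name ContactSearch and the method names are made up; the Contact object and its LastName and Email fields are standard. Each vulnerable method is followed by a fixed version of the kind the scanner accepts.

```apex
// Added example, not from the Salesforce or Checkmarx documentation.
// Class and method names are made up; Contact, LastName and Email are standard.
public with sharing class ContactSearch {

    // VULNERABLE: user input is concatenated into a dynamic SOQL string.
    // A constructed value such as   x%' OR Email LIKE '%   rewrites the
    // WHERE clause. Checkmarx reports this as SOQL injection.
    public static List<Contact> searchUnsafe(String nameFragment) {
        String soql = 'SELECT Id, LastName, Email FROM Contact ' +
                      'WHERE LastName LIKE \'%' + nameFragment + '%\'';
        return Database.query(soql);
    }

    // FIXED (preferred): static SOQL with a bind variable. The platform treats
    // :pattern as data, so quotes inside it cannot change the query. WITH
    // SECURITY_ENFORCED also fails the query if the user lacks read access
    // to any selected field, which covers the FLS finding for reads.
    public static List<Contact> searchSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, LastName, Email FROM Contact
                WHERE LastName LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // FIXED (when the query must stay dynamic): values are escaped with
    // String.escapeSingleQuotes before concatenation, and the one part that
    // cannot be bound, the ORDER BY field name, is checked against an allow-list.
    // escapeSingleQuotes only neutralises quotes; LIKE wildcards (% and _) in
    // the input still act as wildcards, so strip them first if that matters.
    public static List<Contact> searchDynamicSafe(String nameFragment, String orderBy) {
        Set<String> allowedOrder = new Set<String>{ 'LastName', 'Email' };
        if (!allowedOrder.contains(orderBy)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + orderBy);
        }
        String pattern = '%' + String.escapeSingleQuotes(nameFragment) + '%';
        String soql = 'SELECT Id, LastName, Email FROM Contact ' +
                      'WHERE LastName LIKE \'' + pattern + '\' ' +
                      'WITH SECURITY_ENFORCED ORDER BY ' + orderBy;
        return Database.query(soql);
    }

    // VULNERABLE: writes a field without checking that the running user may
    // edit the object or the field. Apex runs in system mode, so the DML
    // succeeds regardless of the user's profile. Reported as a CRUD/FLS violation.
    public static void updateEmailUnsafe(Id contactId, String newEmail) {
        update new Contact(Id = contactId, Email = newEmail);
    }

    // FIXED: an explicit object-level check, then Security.stripInaccessible
    // removes any field the user is not allowed to update before the DML.
    public static void updateEmailSafe(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new System.NoAccessException();
        }
        List<Contact> toUpdate = new List<Contact>{
            new Contact(Id = contactId, Email = newEmail)
        };
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, toUpdate);
        update decision.getRecords();
    }
}
```

The same patterns apply to SOSL (FIND clauses built from user input) and to any DML path, including records built from Lightning component parameters. The "with sharing" keyword on the class handles record-level visibility; it does not replace the CRUD/FLS checks shown in the last method, and the scanner treats the two as separate findings.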
When to Use Salesforce Source Code Scanner
Salesforce requires running the Source Code Scanner on your solution before submitting it for security review, unless your solution is a mobile client or an API with no Apex, Visualforce or Lightning code to scan. Three scans per solution version are included with the security review fee. Additional scans, or the flexibility to scan unpackaged code, require purchasing a license directly from Checkmarx.
Complementary Tools for External Endpoint Scanning
Since the Source Code Scanner does not test external endpoints, Salesforce provides access to the Chimera scanner through the Partner Security Portal. Chimera verifies ownership by requiring you to place a token file at the root of the external web server before it will scan, so it only works with endpoints you control.
For endpoints outside your control, alternative tools are recommended:
• Zed Attack Proxy (ZAP) – A free, open-source web application security scanner.
• Burp Suite – A commercial web application security testing tool; the automated vulnerability scanner is part of the Professional edition.
Best Practices for Security Reviews
• Run preliminary scans during development with an open-source static analyzer such as PMD, whose Apex security rules (for example ApexSOQLInjection, ApexCRUDViolation and ApexXSSFromURLParam) catch many of the same issues without consuming one of the three included Checkmarx scans.
• Use the Salesforce Source Code Scanner for the final scans before submission, once the preliminary findings are fixed.
• Conduct external endpoint scans with Chimera for endpoints you control, or ZAP or Burp Suite for those you do not.
• Include reports from all scans, with false positives explained, when submitting your solution for security review.
Key Considerations for Using Salesforce Source Code Scanner
• Mandatory for Security Reviews: Required for solutions submitted to the Salesforce AppExchange (see the mobile client and API exception above).
• Scan Limits: Limited to three scans per solution version without an additional license, so fix findings with a local analyzer first.
• Unpackaged Code: Scanning code that is not part of a package version requires a Checkmarx license.
• AppExchange Linking: Package versions must be linked to an AppExchange listing before the portal will scan them.