FAQ-000058 - API Security Testing and Provider Issues / Third-Party API Security Requirements

Current Status: VALID_RESPONSE

Current FAQ

Question
Are security scans required for third-party APIs integrated in managed packages?
Answer
Yes, the APIs must be scanned using the Chimera or Zap scanner. Security scans are required for third-party APIs integrated in managed packages. You must submit the scan reports for all third-party integrations and include the authentication credentials before submitting the app for security review. Additionally, reviewers will evaluate the third-party integrations as part of the review process.

AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
ApexSuggestUsingNamedCred
AvoidHardcodedCredentialsInHttpHeader
AvoidHardcodedCredentialsInFieldDecls
AvoidHardcodedCredentialsInVarAssign
AvoidHardcodedCredentialsInVarDecls
Question
Are security scans required for third-party APIs integrated in managed packages?
Recommended Answer Update
Yes, security scans are required for third-party APIs integrated in managed packages. You must submit scan reports for all third-party integrations before submitting your app for security review. Reviewers will evaluate the third-party integrations as part of the review process. Note: The specific scanning tools mentioned may vary based on current Salesforce requirements. Check the latest security review documentation for approved scanning tools and procedures.
Reasoning
The current answer contains several issues that need clarification:
1) It mentions specific scanning tools (Chimera or Zap scanner) without verification that these are current requirements.
2) It includes confusing language about submitting authentication credentials, which could be misinterpreted as sharing actual credentials rather than scan reports.
3) The sentence structure is awkward, with redundant information.
The recommended update removes the specific tool references to avoid outdated information, clarifies that scan reports (not credentials) should be submitted, eliminates redundancy, and adds a note about checking current requirements.
The related security rules were selected because they directly relate to third-party API security: ApexInsecureEndpoint addresses secure endpoint usage, which is fundamental to third-party API security; ApexSuggestUsingNamedCred relates to secure credential management for API integrations; and the AvoidHardcodedCredentials rules (HttpHeader, FieldDecls, VarAssign, VarDecls) all address proper credential handling when integrating with third-party APIs, which is a core concern when scanning and securing these integrations.