FAQ-000116 - Automated Security Scanning / Client-Side Code Vulnerability Scanning


Current FAQ

Question
How can I automatically scan my client-side code for common vulnerabilities?
Answer
To automatically scan your client-side code for common vulnerabilities, you can use the Salesforce Code Analyzer. This tool supports multiple engines, such as ESLint, PMD, RetireJS, and Salesforce Graph Engine, to identify vulnerabilities in JavaScript, Lightning, TypeScript, and Visualforce code. You can install the Code Analyzer as a Salesforce CLI plugin, run scans during your development lifecycle, and address flagged issues. For ongoing monitoring, you can also integrate the tool into a continuous integration (CI) process. Additionally, for external endpoints, consider using Dynamic Application Security Test (DAST) scanners like ZAP or Burp Suite.

AI Recommended Enhancement

Related Security Rules
AvoidCreateElementScriptLinkTag
AvoidUnescapedHtmlInAura
AvoidHardCodedCredentialsInAura
@lwc/lwc/no-inner-html
VfUnescapeEl
VfHtmlStyleTagXss
LibraryWithKnownCriticalSeverityVulnerability
LibraryWithKnownHighSeverityVulnerability
LibraryWithKnownMediumSeverityVulnerability
LibraryWithKnownLowSeverityVulnerability
Recommended Answer Update
To automatically scan your client-side code for common vulnerabilities, use the Salesforce Code Analyzer. This tool supports multiple engines, such as ESLint, PMD, RetireJS, and Salesforce Graph Engine, to identify vulnerabilities in JavaScript, Lightning, TypeScript, and Visualforce code. You can install the Code Analyzer as a Salesforce CLI plugin, run scans during your development lifecycle, and address flagged issues. For ongoing monitoring, integrate the tool into your continuous integration (CI) process. Additionally, for external endpoints, consider using Dynamic Application Security Testing (DAST) scanners like ZAP or Burp Suite.
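The answer above (in both its original and recommended form) says to run Code Analyzer in CI and act on flagged issues; the missing piece is the gate that turns a scan report into a pass/fail build result. The following is an added example, not Salesforce's code, and it assumes the JSON report layout produced by Code Analyzer v4 (`sf scanner run --format json --outfile ...`): a list of per-engine, per-file objects, each with a `violations` list whose entries carry a numeric `severity` (1 = high, 2 = moderate, 3 = low), `ruleName`, `line` and `message`. The sample report is constructed here and uses rule names from the list above; check the field names against the output of your installed version.

```python
"""CI severity gate for Salesforce Code Analyzer JSON reports (added example).

Assumption: the v4 report layout described in the lead-in. Verify against
your own scanner output before relying on the field names used below.
"""
import json
from collections import Counter

# Constructed sample report: one LWC finding and two RetireJS library findings.
SAMPLE_REPORT = json.dumps([
    {"engine": "eslint-lwc",
     "fileName": "force-app/main/default/lwc/banner/banner.js",
     "violations": [
         {"line": 12, "column": 5, "severity": 2, "ruleName": "@lwc/lwc/no-inner-html",
          "category": "Security", "message": "Unsafe use of innerHTML."}]},
    {"engine": "retire-js",
     "fileName": "force-app/main/default/staticresources/legacy-lib.js",
     "violations": [
         {"line": 1, "column": 1, "severity": 1,
          "ruleName": "LibraryWithKnownCriticalSeverityVulnerability",
          "category": "Insecure Dependencies", "message": "Bundled library has a critical advisory."},
         {"line": 1, "column": 1, "severity": 3,
          "ruleName": "LibraryWithKnownLowSeverityVulnerability",
          "category": "Insecure Dependencies", "message": "Bundled library has a low-severity advisory."}]},
])


def flatten(report_text):
    """Return one dict per violation with the engine and file name attached."""
    rows = []
    for entry in json.loads(report_text):
        for violation in entry.get("violations", []):
            rows.append({"engine": entry["engine"], "file": entry["fileName"], **violation})
    return rows


def severity_counts(report_text):
    """Count violations per numeric severity; handy for trend reporting in CI."""
    return Counter(v["severity"] for v in flatten(report_text))


def gate(report_text, threshold=2):
    """Fail when any violation is at or above the threshold severity.

    Severity numbers get smaller as findings get more severe, so a finding
    blocks the build when its severity is <= threshold.
    Returns (passed, blocking_violations).
    """
    blocking = [v for v in flatten(report_text) if v["severity"] <= threshold]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    for v in blocking:
        print(f'{v["file"]}:{v["line"]} [{v["engine"]}/{v["ruleName"]}] sev={v["severity"]} {v["message"]}')
    raise SystemExit(0 if passed else 1)
```

In a pipeline, point `gate()` at the report file the scanner wrote and let the non-zero exit code fail the job; lower the threshold to 1 if only high-severity findings should block merges.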
Reasoning
The FAQ content is largely accurate and helpful. I made minimal adjustments to improve clarity and flow:

1) Fixed a redundant phrase: changed 'you can also integrate' to simply 'integrate', since this is a natural continuation of scanning practices.
2) Corrected the slightly awkward phrasing of 'Dynamic Application Security Test' to the more standard 'Dynamic Application Security Testing'.

These changes maintain all original content while improving readability.

Regarding security rules selection: the FAQ discusses client-side vulnerability scanning, which directly relates to multiple client-side security rules that the Code Analyzer can detect. AvoidCreateElementScriptLinkTag relates to the FAQ's mention of JavaScript scanning for unsafe script/link element creation. AvoidUnescapedHtmlInAura and AvoidHardCodedCredentialsInAura relate to Lightning code scanning mentioned in the FAQ. @lwc/lwc/no-inner-html relates to the FAQ's mention of Lightning Web Component security scanning. VfUnescapeEl and VfHtmlStyleTagXss relate to the FAQ's mention of Visualforce code scanning for XSS vulnerabilities. The LibraryWithKnown*SeverityVulnerability rules directly relate to the FAQ's mention of the RetireJS engine, which specifically scans for vulnerable JavaScript libraries.