FAQ-000359 - Code Quality vs Security Vulnerabilities / Static Analysis Tool Issues and Fixes


Current FAQ

Question
What severity level of findings from the Apex code analyzer is considered acceptable for security review?
Answer
The security review does not require a 100% clean Apex Code Analyzer scan. What it requires is that you run the scans, fix every violation that can be fixed, re-run the scans, and submit the resulting report. Findings that are false positives or genuinely not fixable should be documented, and that documentation included with your submission; the AppExchange Security team takes it into account during the review. In other words, the answer is not a severity cutoff: each finding should be either fixed or documented.
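The workflow in the answer (scan, fix what is fixable, re-run, document the rest, submit) is easy to state and easy to get wrong in practice, so here is a small triage script that applies it to a scan report. This is an added example, not code from the original page or from Salesforce. It assumes a CSV report with the columns Problem, Severity, File, Line, Column, Rule, Description, URL, Category, Engine (modelled on the Code Analyzer's CSV export; check the header of your own export), and it uses an exceptions-file format of our own design. The report rows and the exceptions below are constructed sample data, not real scan output.

```python
"""Triage a Code Analyzer CSV report the way the security-review answer
describes: every Security-category finding must be either fixed (absent
from the re-run report) or documented as a false positive / non-fixable.

Added example, not code from the page or from Salesforce. Assumptions:
the CSV column layout (Problem, Severity, File, Line, Column, Rule,
Description, URL, Category, Engine) and the exceptions-list format.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample report, not real analyzer output.
SAMPLE_REPORT = """\
"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/AccountSearch.cls","12","9","ApexSOQLInjection","Untrusted variable used in SOQL query","","Security","pmd"
"2","1","force-app/main/default/classes/AccountSearch.cls","20","5","ApexCRUDViolation","CRUD permission not checked before DML","","Security","pmd"
"3","3","force-app/main/default/classes/LegacyHttp.cls","7","9","ApexSuggestUsingNamedCred","Consider a Named Credential for this callout","","Security","pmd"
"4","3","force-app/main/default/classes/Utils.cls","4","1","ApexDoc","Missing ApexDoc comment","","Documentation","pmd"
"""

# Constructed exceptions list: the documentation that goes with the submission.
DOCUMENTED_EXCEPTIONS = [
    {   # Accepted: non-fixable, with a written justification for the reviewers.
        "file": "force-app/main/default/classes/LegacyHttp.cls",
        "rule": "ApexSuggestUsingNamedCred",
        "justification": "Callout targets an unauthenticated public feed; "
                         "no credential is sent, so a Named Credential adds nothing.",
    },
    {   # Not accepted: a suppression with no justification is not documentation.
        "file": "force-app/main/default/classes/AccountSearch.cls",
        "rule": "ApexCRUDViolation",
        "justification": "",
    },
]


@dataclass(frozen=True)
class Finding:
    severity: int        # 1 = most severe, as in the analyzer's CSV
    file: str
    line: int
    rule: str
    category: str
    description: str


def parse_report(csv_text: str) -> list[Finding]:
    """Parse the CSV export into Finding records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Finding(severity=int(r["Severity"]), file=r["File"], line=int(r["Line"]),
                    rule=r["Rule"], category=r["Category"], description=r["Description"])
            for r in reader]


def _justified(exceptions: list[dict]) -> set[tuple[str, str]]:
    """Keys (file, rule) of exceptions that actually carry a justification."""
    return {(e["file"], e["rule"]) for e in exceptions
            if e.get("justification", "").strip()}


def triage(findings: list[Finding], exceptions: list[dict],
           category: str = "Security") -> dict[str, list[Finding]]:
    """Split findings into must_fix / documented / out_of_scope.

    Severity is deliberately not used as a cutoff: the criterion from the
    answer is fixed-or-documented. Severity only orders the fix list.
    """
    documented = _justified(exceptions)
    result: dict[str, list[Finding]] = {"must_fix": [], "documented": [], "out_of_scope": []}
    for f in findings:
        if f.category != category:
            result["out_of_scope"].append(f)
        elif (f.file, f.rule) in documented:
            result["documented"].append(f)
        else:
            result["must_fix"].append(f)
    result["must_fix"].sort(key=lambda f: (f.severity, f.file, f.line))
    return result


def ready_for_submission(triaged: dict[str, list[Finding]]) -> bool:
    """True once no Security finding is left both unfixed and undocumented."""
    return not triaged["must_fix"]


def submission_notes(triaged: dict[str, list[Finding]], exceptions: list[dict]) -> str:
    """Render the text that accompanies the re-run report in the submission."""
    lines = [f"Unaddressed security findings: {len(triaged['must_fix'])}"]
    for f in triaged["must_fix"]:
        lines.append(f"  FIX  sev{f.severity} {f.rule} {f.file}:{f.line}")
    lines.append(f"Documented exceptions: {len(triaged['documented'])}")
    for f in triaged["documented"]:
        just = next(e["justification"] for e in exceptions
                    if (e["file"], e["rule"]) == (f.file, f.rule)
                    and e.get("justification", "").strip())
        lines.append(f"  DOC  sev{f.severity} {f.rule} {f.file}:{f.line} -- {just}")
    return "\n".join(lines)


if __name__ == "__main__":
    t = triage(parse_report(SAMPLE_REPORT), DOCUMENTED_EXCEPTIONS)
    print(submission_notes(t, DOCUMENTED_EXCEPTIONS))
    print("ready for submission:", ready_for_submission(t))
```

Run it against the real export after each scan; the submission is ready only when `must_fix` is empty, and the `DOC` lines are the documentation to attach. The empty-justification entry is there on purpose: it shows that merely listing a finding as "ignored" does not satisfy the "document them" step, so the CRUD finding stays on the fix list until it is either fixed or given a real justification.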
AI Recommended Enhancement

Related Security Rules
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam
Recommended Answer Update
Unchanged: the recommended answer is identical to the current answer above.
Reasoning
The existing FAQ answer is well-structured and accurate. No content was found to be outdated or conflicting with the available security rules. The answer appropriately explains that 100% passing scans aren't required, emphasizes the importance of fixing what can be fixed, and provides clear guidance on handling false positives and non-fixable issues. The tone and structure align with the brand guidelines for being direct, helpful, and actionable.

Regarding the security rules selected: all core Apex security rules are relevant because this FAQ discusses the Apex Code Analyzer and acceptable severity levels for findings. The FAQ guidance to "run the scans, address all fixable violations" relates directly to each of them:

ApexBadCrypto (cryptographic security issues)
ApexCRUDViolation (data access violations)
ApexCSRF (cross-site request forgery)
ApexDangerousMethods (dangerous method usage)
ApexInsecureEndpoint (insecure endpoints)
ApexOpenRedirect (open redirect vulnerabilities)
ApexSharingViolations (sharing rule violations)
ApexSOQLInjection (SOQL injection vulnerabilities)
ApexSuggestUsingNamedCred (credential management)
ApexXSSFromEscapeFalse (XSS from escape=false)
ApexXSSFromURLParam (XSS from URL parameters)

These are the primary security rules that the Apex Code Analyzer would flag, making them directly applicable to the FAQ's discussion of scan results and violation handling.