FAQ-000877 - External Platform Security / Security Scanning and Testing

Current FAQ

Question
Can I submit scan results from an alternative, industry-standard tool if the required scanners cannot be used?
Answer
Yes, you can submit scan results from an alternative, industry-standard tool if the required scanners cannot be used. Be sure to include detailed documentation explaining why the required scanner could not be utilized and ensure the alternative tool meets the necessary security review standards.

AI Recommended Enhancement

Question
Can I submit scan results from an alternative, industry-standard tool if the required scanners cannot be used?
Recommended Answer Update
Yes, you can submit scan results from an alternative, industry-standard tool if the required scanners cannot be used. Be sure to include detailed documentation explaining why the required scanner could not be utilized and ensure the alternative tool meets the necessary security review standards.
Reasoning
After reviewing this FAQ, I found that it addresses the procedural aspects of the AppExchange security review process - specifically the flexibility to use alternative scanning tools when required scanners are unavailable. This is a process-oriented question rather than a technical implementation question about code security vulnerabilities. No security rules were selected because none of the available rules relate to scanner tool alternatives or security review submission procedures. The available rules focus on specific code vulnerabilities (like ApexSOQLInjection, ApexXSSFromURLParam, etc.), deprecated features (like AvoidSControls), and implementation security issues. This FAQ discusses the meta-process of the security review itself, not the technical security issues that scanners detect. The current answer is clear, complete, and accurate. It appropriately covers the key points: alternative tools are acceptable, documentation is required explaining why the standard scanner couldn't be used, and the alternative must meet security standards. The language is already concise and follows the conversational tone guidelines. No updates are needed to improve clarity, accuracy, or completeness.