FAQ-000879 - External Platform Security / Security Scanning and Testing


Current FAQ

Question
How can I identify all external integrations in my package to remove them and waive the external scan requirement?
Answer
To identify and remove all external integrations in your package to waive the external scan requirement, follow these steps:

1. **Review Code and Configuration**: Check the codebase and configuration files for external endpoints, APIs, HTTP callouts, named credentials, or external URLs.
2. **Run Security Scans**: Use tools like Checkmarx, ZAP, or CodeAnalyzer to detect external callouts and vulnerabilities.
3. **Trace Data Flow**: Analyze the flow of data to identify connections with external systems, including authentication mechanisms and synchronization points.
4. **Document Findings**: List all external integrations, their purposes, and endpoints.
5. **Remove External Integrations**: Eliminate all identified external integrations, ensuring no external callouts or dependencies remain.
6. **Validate Changes**: Rerun security scans to confirm the absence of external endpoints.

This process ensures your package is free of external integrations and may qualify for waiving the external scan requirement.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
Question
How can I identify all external integrations in my package to remove them and waive the external scan requirement?
Recommended Answer Update
To identify and remove all external integrations in your package to waive the external scan requirement, follow these steps:

1. **Review Code and Configuration**: Check your codebase and configuration files for external endpoints, APIs, HTTP callouts, named credentials, or external URLs.
2. **Run Security Scans**: Use tools like Checkmarx, ZAP, or Salesforce Code Analyzer to detect external callouts and vulnerabilities.
3. **Trace Data Flow**: Analyze the flow of data to identify connections with external systems, including authentication mechanisms and synchronization points.
4. **Document Findings**: List all external integrations, their purposes, and endpoints.
5. **Remove External Integrations**: Eliminate all identified external integrations, ensuring no external callouts or dependencies remain.
6. **Validate Changes**: Rerun security scans to confirm the absence of external endpoints.

This process ensures your package is free of external integrations and may qualify for waiving the external scan requirement.
Reasoning
The main change recommended is updating the security scanning tools reference to include 'Salesforce Code Analyzer' instead of just 'CodeAnalyzer' to be more specific and accurate about available Salesforce-specific tooling. All security rules selected are highly relevant to external integrations: ApexInsecureEndpoint detects insecure HTTP endpoints which are common in external integrations; ApexSuggestUsingNamedCred promotes secure credential management for external callouts; AvoidDisableProtocolSecurityRemoteSiteSetting and AvoidInsecureHttpRemoteSiteSetting relate to remote site settings configuration for external endpoints; and the hardcoded credentials rules (AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) all detect insecure credential handling patterns commonly found in external integration code. These rules directly apply because the FAQ discusses identifying and removing external integrations, and these security rules specifically target the code patterns and configurations that enable external connectivity.
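As an added illustration of steps 1 and 6 of the procedure above and of the rules listed in the reasoning (this is example code written for this page, not the FAQ's own tooling or Salesforce Code Analyzer), the following Python scanner walks a constructed sample package and reports each Apex callout, remote site setting and named credential it finds. The labels in PATTERNS reuse the FAQ's rule names where one applies and descriptive labels otherwise; the regexes are simplified approximations of what those rules detect, and the sample package contents are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample package ({relative path: content}); not a real package.
SAMPLE_PACKAGE: Dict[str, str] = {
    "classes/SyncService.cls": (
        "public class SyncService {\n"
        "  public static void push() {\n"
        "    HttpRequest req = new HttpRequest();\n"
        "    req.setEndpoint('http://api.example.com/v1/sync');\n"
        "    req.setHeader('Authorization', 'Bearer abc123SECRET');\n"
        "    new Http().send(req);\n"
        "  }\n"
        "}\n"
    ),
    "classes/Report.cls": "public class Report { public static Integer count() { return [SELECT COUNT() FROM Account]; } }\n",
    "remoteSiteSettings/Partner.remoteSite-meta.xml":
        "<RemoteSiteSetting><url>http://partner.example.com</url>"
        "<disableProtocolSecurity>true</disableProtocolSecurity></RemoteSiteSetting>\n",
    "namedCredentials/Billing.namedCredential-meta.xml":
        "<NamedCredential><endpoint>https://billing.example.com</endpoint></NamedCredential>\n",
}

# (label, regex, file suffix). Regexes are rough stand-ins for the named rules, not their real logic.
PATTERNS: List[Tuple[str, re.Pattern, str]] = [
    ("ApexHttpCallout", re.compile(r"\bnew\s+HttpRequest\b|\bsetEndpoint\s*\("), ".cls"),
    ("ApexInsecureEndpoint", re.compile(r"setEndpoint\s*\(\s*'http://"), ".cls"),
    ("AvoidHardcodedCredentialsInHttpHeader", re.compile(r"setHeader\s*\(\s*'Authorization'\s*,\s*'"), ".cls"),
    ("RemoteSiteSetting", re.compile(r"<url>"), ".remoteSite-meta.xml"),
    ("AvoidInsecureHttpRemoteSiteSetting", re.compile(r"<url>\s*http://"), ".remoteSite-meta.xml"),
    ("AvoidDisableProtocolSecurityRemoteSiteSetting", re.compile(r"<disableProtocolSecurity>\s*true"), ".remoteSite-meta.xml"),
    ("NamedCredential", re.compile(r"<endpoint>"), ".namedCredential-meta.xml"),
]

def scan_package(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (label, path, line number) for every line that matches an integration pattern."""
    findings = []
    for path, content in files.items():
        for label, regex, suffix in PATTERNS:
            if path.endswith(suffix):  # only apply a pattern to the metadata type it targets
                for lineno, line in enumerate(content.splitlines(), start=1):
                    if regex.search(line):
                        findings.append((label, path, lineno))
    return findings

def has_external_integrations(files: Dict[str, str]) -> bool:
    """Step 6 check: an empty finding list is the evidence to attach to a waiver request."""
    return bool(scan_package(files))
```

Running `scan_package` on a real unpacked package means loading each file into the same `{path: content}` mapping; the `Report.cls` class produces no findings, which is the state every file must reach before requesting the waiver.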