If standard security tools cannot scan certain endpoints or cannot be used due to restrictions, you can try the following alternatives:
1. **Use DAST Scanners**: Tools like ZAP, Burp Suite, HCL AppScan, or WebInspect can simulate real-world attacks by interacting with the application through its front end.
2. **Exercise Endpoints**: While the DAST scanner is running as a proxy, interact with relevant API endpoints or web services to help the tool discover the full attack surface.
3. **Manual Testing**: Manually intercept, modify, or fuzz requests for deeper testing of the endpoints. Perform thorough manual testing of your solution, including all external endpoints and components that operate independently of the Salesforce platform.
4. **Use Alternative Tools**: Use alternatives such as the open-source PMD Source Code Analyzer during development, or ZAP for application scanning.
5. **Document Issues**: Document any false-positive security violations and provide detailed explanations for them. Document any issues encountered with the recommended tools and report them through a support case.
6. **Schedule Office Hours**: Schedule office hours with the Product Security team through the Partner Security Portal for guidance on specific security concerns or technical issues.
7. **Ensure Best Practices**: Ensure your application adheres to security best practices, such as checking for CRUD permissions and FLS settings before DML operations.

These methods can help ensure comprehensive security testing for endpoints that are challenging to scan with standard tools.
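
The CRUD and FLS check before DML mentioned in item 7 can look like the following Apex. This is an added example, not code from the original guidance; the class, method, and exception names (`ContactIntakeService`, `createContacts`, `IntakeAccessException`) are hypothetical, and it assumes the records are standard `Contact` objects.

```apex
// Added example: ContactIntakeService, createContacts and IntakeAccessException
// are hypothetical names chosen for illustration.
public with sharing class ContactIntakeService {

    public class IntakeAccessException extends Exception {}

    // Inserts Contacts for the running user, enforcing CRUD and FLS before the DML.
    public static List<Contact> createContacts(List<Contact> incoming) {
        // CRUD: the running user must be allowed to create Contact records at all.
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new IntakeAccessException('No create access on Contact');
        }

        // FLS: strip every field the running user is not allowed to set on create.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, incoming);

        // Fail closed: reject the request instead of silently saving partial records.
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Contact')) {
            List<String> fields = new List<String>(removed.get('Contact'));
            throw new IntakeAccessException(
                'No field-level access to: ' + String.join(fields, ', '));
        }

        // Only the sanitized copies reach the DML statement.
        List<Contact> safeRecords = (List<Contact>) decision.getRecords();
        insert safeRecords;
        return safeRecords;
    }
}
```

`with sharing` enforces record-level sharing only, which is why the object-level and field-level checks are made explicitly before the `insert`.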