FAQ-000948 - External Service Security Testing / Third-Party API and Service Scanning


Current FAQ

Question
What documentation is required if I cannot perform an active security scan on a third-party API my app integrates with?
Answer
If you cannot perform an active security scan on a third-party API, you need to provide:

1. **Documentation on the Third-Party API**: Include details about the API, such as its purpose and how it is integrated with your app.
2. **Security Certifications or Reports**: Submit any security certifications or reports obtained by the third party, such as a penetration test report.
3. **Explanation Statement**: Provide a statement explaining why the scan cannot be performed, including relevant details about the third-party system's security measures.

When integrating with external APIs that do not allow active scanning for the AppExchange Security Review, you need to provide the following documentation:

1. Detailed solution documentation, including architecture diagrams or descriptions.
2. Postman collections of all the APIs being used.
3. Credentials for the third-party application or service, if applicable.
4. False-positive documentation, if relevant.
5. Any additional details about the external API's functionality and security measures.

This documentation helps the review team assess the integration's security without active scanning and demonstrates the security posture of the third-party API in your submission.

AI Recommended Enhancement

Related Security Rules
ApexSuggestUsingNamedCred
Recommended Answer Update
Unchanged from the current answer above.
Reasoning
The FAQ content is accurate and well-structured, providing comprehensive guidance for developers who cannot perform active security scans on third-party APIs. No significant changes are needed to the content as it correctly covers all the necessary documentation requirements. I included ApexSuggestUsingNamedCred as a related rule because this FAQ discusses third-party API integrations, and the rule specifically addresses secure credential management for external service calls. The FAQ content mentions 'Credentials for the third-party application or service, if applicable' which directly relates to the rule's purpose of suggesting named credentials for secure API authentication rather than hardcoded credentials in Apex code.
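The rule named above, ApexSuggestUsingNamedCred, is about where the third-party credential lives, which matters for item 3 of the documentation list (credentials supplied to the review team) and for what a reviewer will look for in the package itself. The following is an added example, not code from this FAQ or from Salesforce: a callout with the API key hardcoded in Apex, beside the same callout routed through a Named Credential, plus a callout-mock test that proves no secret is set from code. The partner host, the path /v1/orders, the Named Credential name Partner_API and every class name are assumptions.

```apex
// Added example (not from the FAQ or from Salesforce). Each class would normally
// live in its own .cls file; they are shown together here for comparison.
// Assumptions: the partner host, the path /v1/orders, the Named Credential
// "Partner_API" and all class names are hypothetical.

// BEFORE: the pattern ApexSuggestUsingNamedCred flags. The bearer token is a
// string literal, so it ships inside the managed package, sits in version
// control, and can surface in debug logs and metadata retrievals.
public with sharing class PartnerClientHardcoded {
    private static final String API_KEY = 'sk_live_REPLACE_ME'; // hypothetical placeholder secret

    public static HttpResponse getOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.partner.example/v1/orders');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + API_KEY); // secret handled in code
        return new Http().send(req);
    }
}

// AFTER: the same callout through a Named Credential. The endpoint uses the
// callout: scheme; the platform resolves the host and injects the stored,
// admin-managed credential, so no secret appears in Apex or in the package.
public with sharing class PartnerClient {
    public class PartnerApiException extends Exception {}

    private static final String NAMED_CREDENTIAL = 'Partner_API'; // hypothetical name

    public static HttpResponse getOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:' + NAMED_CREDENTIAL + '/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds; fail fast instead of hanging the transaction
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report the status only; do not copy the partner's response body into
            // exceptions or logs, where it could carry data you do not control.
            throw new PartnerApiException('Partner API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}

// Test with a callout mock: the class compiles and tests without any real secret,
// and the mock asserts that authentication is never set from Apex.
@IsTest
private class PartnerClientTest {
    private class OkMock implements HttpCalloutMock {
        public HttpResponse respond(HttpRequest req) {
            System.assert(req.getEndpoint().startsWith('callout:Partner_API/'),
                'callout must go through the Named Credential');
            System.assertEquals(null, req.getHeader('Authorization'),
                'no credential may be set in Apex');
            HttpResponse res = new HttpResponse();
            res.setStatusCode(200);
            res.setBody('{"orders":[]}'); // constructed sample response
            return res;
        }
    }

    @IsTest
    static void callsThroughNamedCredential() {
        Test.setMock(HttpCalloutMock.class, new OkMock());
        HttpResponse res = PartnerClient.getOrders();
        System.assertEquals(200, res.getStatusCode());
    }
}
```

For the submission itself, the Named Credential is what you describe in the architecture documentation and what you hand over in item 3 of the list: the reviewer gets working test credentials configured on the credential, not a token embedded in source.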