FAQ-001212 - Manual Security Review vs Automated Scanning / Replicating Official Review Process

To align your internal security processes with Salesforce's official AppExchange Security Review methodology, follow these comprehensive steps: **Required Tools and Scanning:** 1. **Use Salesforce Code Analyzer:** - Install the plugin into Salesforce CLI - Run with required rules: `sf code-analyzer run --target . --rule-selector AppExchange --rule-selector Recommended:Security --output-file CodeAnalyzerReport.html` - Supports engines like PMD, ESLint, RetireJS, and Salesforce Graph Engine - Identifies CRUD/FLS violations and other Salesforce-specific issues 2. **Run Source Code Scanner (Checkmarx):** - Access via Partner Security Portal - Required for scanning Apex, Visualforce, and Lightning code - Identifies vulnerabilities in solutions and external endpoints - Save the three included runs for final submission **Comprehensive Testing Approach:** 3. **Perform Manual Testing:** - Test throughout development lifecycle - Conduct end-to-end testing of full solution scope - Test all external endpoints operating independently of Salesforce - Include penetration testing and dynamic security testing 4. **Address Issues Systematically:** - Fix all identified issues or document false positives with detailed explanations - Ensure code version matches the package being submitted - Rescan after fixes and generate updated reports - Address all classes of issues across entire application, not just flagged examples **Submission Preparation:** 5. **Prepare Required Materials:** - Developer Edition org with solution installed - Complete solution documentation - Clean scan reports and false-positive documentation - All external component documentation 6. **Follow Security Guidelines:** - Adhere to Salesforce security best practices - Ensure Lightning Ready compliance - Implement secure coding practices throughout development **Ongoing Process:** 7. **Test Regularly:** Conduct testing throughout development to avoid accumulating issues 8. **Seek Expert Guidance:** Use Partner Security Portal to schedule office hours with security experts 9. **Maintain Consistency:** Avoid unnecessary changes between submissions unless required **Key Differences from Internal Scanning:** The official review includes manual assessments, penetration testing, and comprehensive evaluation of solution architecture that goes beyond automated tool capabilities. It's a black-box, time-limited process that identifies representative examples rather than exhaustive lists. By following these practices, you can minimize discrepancies between your internal testing and the official review process.

I made one minor update to the Code Analyzer command by correcting the syntax to use `--target .` instead of missing the target parameter. This ensures the command will run properly when developers copy it. I also removed the redundant 'the' article before 'Partner Security Portal' for better flow. All other content remains unchanged as it is accurate and comprehensive. The FAQ content directly relates to numerous security rules because it discusses comprehensive scanning and testing processes that would detect the types of vulnerabilities these rules identify. Specifically: ApexCRUDViolation relates to the FAQ's mention of 'CRUD/FLS violations'; ApexSharingViolations, ApexSOQLInjection, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, ApexOpenRedirect, ApexInsecureEndpoint, and ApexBadCrypto all relate to the 'Salesforce-specific issues' the FAQ mentions Code Analyzer identifies; ApexSuggestUsingNamedCred and the hardcoded credential rules relate to the security best practices the FAQ recommends implementing; VfCsrf and VfUnescapeEl relate to the Visualforce scanning capabilities mentioned; and @lwc/lwc/no-inner-html relates to the Lightning code scanning the FAQ discusses.