FAQ-001333 - Package Dependency Security Review / Extension Package Review Process

Current Status: VALID_RESPONSE

Current FAQ

Question
What are the requirements and process for submitting extension packages for security review?
Answer
When submitting extension packages for security review:

**Submission Requirements:**

- If your extension package depends on an existing, approved package, you only need to submit the new extension package for security review
- If the base package has not been reviewed, you must submit both the new extension package and the unreviewed base package for review
- The submission must be a Managed—Released package, as unmanaged or beta packages are not accepted

**Required Documentation:**

1. Application functionality documentation
2. Architecture diagrams or descriptions
3. Security scan reports (e.g., Checkmarx, DAST) and explanations for any false positives
4. Solution user documentation
5. URLs and login credentials for external components requiring authentication
6. Managed package installed in a Developer Edition org
7. Installation link or file for the platform
8. Access to all environments, packages, and external components used by the extension package (e.g., external web apps, client/mobile apps, Apex, and Visualforce components)

**Review Process:**

- Ensure both the extension package and the base solutions it extends have passed the security review
- Provide detailed solution documentation for a thorough review
- Make sure all relevant materials are included for comprehensive evaluation

AI Recommended Enhancement

Question
What are the requirements and process for submitting extension packages for security review?
Recommended Answer Update
When submitting extension packages for security review:

**Submission Requirements:**

- If your extension package depends on an existing, approved package, you only need to submit the new extension package for security review
- If the base package hasn't been reviewed, you must submit both the new extension package and the unreviewed base package for review
- The submission must be a Managed—Released package, as unmanaged or beta packages aren't accepted

**Required Documentation:**

1. Application functionality documentation
2. Architecture diagrams or descriptions
3. Security scan reports (e.g., Checkmarx, DAST) and explanations for any false positives
4. Solution user documentation
5. URLs and login credentials for external components requiring authentication
6. Managed package installed in a Developer Edition org
7. Installation link or file for the platform
8. Access to all environments, packages, and external components used by the extension package (e.g., external web apps, client/mobile apps, Apex, and Visualforce components)

**Review Process:**

- Ensure both the extension package and the base solutions it extends have passed the security review
- Provide detailed solution documentation for a thorough review
- Make sure all relevant materials are included for comprehensive evaluation

Category: Package Dependency Security Review
Subcategory: Extension Package Review Process
Reasoning
I made minor conversational improvements to align with the brand guidelines: changed 'has not been reviewed' to 'hasn't been reviewed' and 'are not accepted' to 'aren't accepted' to use natural contractions. These changes make the text more conversational and friendly while maintaining all the original technical content and structure. No security rules were associated because this FAQ covers administrative submission requirements and documentation processes rather than specific code security vulnerabilities that the available scanner rules detect. The content focuses on package submission workflow and required documentation, which are procedural requirements rather than technical security implementation issues.