sfdx-scanner-apex
sfdx-scanner is an sfdx plugin that scans Apex and triggers using Apex PMD, and JavaScript using ESLint.
If your root folder is not force-app, please set variable SALESFORCE_SFDX_SCANNER_DIRECTORY
You can select categories and single rules by defining custom arguments (example: SALESFORCE_SFDX_SCANNER_ARGUMENTS: -c "Best Practices,Security")
See more details in Help
Workaround: Restricted to PMD
sfdx-scanner-apex documentation
- Version in MegaLinter: 3.14.0
- Visit Official Web Site
- See How to configure sfdx-scanner-apex rules
  - If custom apex-pmd-ruleset.xml config file isn't found, apex-pmd-ruleset.xml will be used
- See How to disable sfdx-scanner-apex rules in files
- See Index of problems detected by sfdx-scanner-apex
Configuration in MegaLinter
- Enable sfdx-scanner-apex by adding SALESFORCE_SFDX_SCANNER_APEX in ENABLE_LINTERS variable
- Disable sfdx-scanner-apex by adding SALESFORCE_SFDX_SCANNER_APEX in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
SALESFORCE_SFDX_SCANNER_APEX_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
SALESFORCE_SFDX_SCANNER_APEX_PRE_COMMANDS | List of bash commands to run before the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_POST_COMMANDS | List of bash commands to run after the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_SFDX_SCANNER_APEX and its pre/post commands | None |
SALESFORCE_SFDX_SCANNER_APEX_CONFIG_FILE | sfdx-scanner-apex configuration file name. Use LINTER_DEFAULT to let the linter find it | apex-pmd-ruleset.xml |
SALESFORCE_SFDX_SCANNER_APEX_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
SALESFORCE_SFDX_SCANNER_APEX_CLI_EXECUTABLE | Override CLI executable | ['sfdx'] |
SALESFORCE_DIRECTORY | Directory containing SALESFORCE files | force-app |
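An added example (not taken from the MegaLinter or sfdx-scanner documentation) of a custom apex-pmd-ruleset.xml, placed in the workspace folder so that it is picked up as the configuration file named in the table above. It limits the PMD engine to the Apex security rules that appear in the rule list further down this page; the ruleset name, description and priority overrides are illustrative choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ruleset name, description and priorities are illustrative -->
<ruleset name="apex-security-gate"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
  <description>Security-only Apex rules for the CI gate</description>

  <!-- Injection, XSS and redirect rules: raised to PMD's highest priority (1) -->
  <rule ref="category/apex/security.xml/ApexSOQLInjection">
    <priority>1</priority>
  </rule>
  <rule ref="category/apex/security.xml/ApexXSSFromURLParam">
    <priority>1</priority>
  </rule>
  <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse">
    <priority>1</priority>
  </rule>
  <rule ref="category/apex/security.xml/ApexOpenRedirect">
    <priority>1</priority>
  </rule>

  <!-- Access control: CRUD/FLS checks and sharing declarations -->
  <rule ref="category/apex/security.xml/ApexCRUDViolation">
    <priority>2</priority>
  </rule>
  <rule ref="category/apex/security.xml/ApexSharingViolations">
    <priority>2</priority>
  </rule>

  <!-- Crypto, endpoints and credentials: keep each rule's default priority -->
  <rule ref="category/apex/security.xml/ApexBadCrypto" />
  <rule ref="category/apex/security.xml/ApexInsecureEndpoint" />
  <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" />
  <rule ref="category/apex/security.xml/ApexDangerousMethods" />

  <!-- ApexCSRF is referenced from the Error Prone category, where the rule list also shows it -->
  <rule ref="category/apex/errorprone.xml/ApexCSRF">
    <priority>2</priority>
  </rule>
</ruleset>
```

Rules not referenced in the file (style, design, documentation) are not run by the PMD engine when this ruleset is the one in use.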
IDE Integration
Use sfdx-scanner-apex in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name | Install |
---|---|---|
Eclipse | pmd-eclipse-plugin | Visit Web Site |
Emacs | pmd-emacs | Visit Web Site |
IDEA | PMD IntelliJ | |
Visual Studio Code | Salesforce Extension Pack | |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 117 |
salesforce | Optimized for Salesforce based projects | 54 |
Behind the scenes
How applicable files are identified
- Activated only if sub-directory force-app is found (directory name can be overridden with SALESFORCE_DIRECTORY)
- If this linter is active, all files will always be linted
How the linting is performed
sfdx-scanner-apex is called once on the whole project directory (project CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using sfdx-scanner-apex configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make sfdx-scanner-apex analyze only updated files
Example calls
sfdx scanner:run
Help content
scan a codebase with a selection of rules
USAGE
$ sfdx scanner run -t <array> [-c <array>] [-f
csv|html|json|junit|sarif|table|xml] [-o <string>] [-s <integer> | --json]
[--normalize-severity] [-p <array>] [-r <array>] [-e <array>] [--tsconfig
<string>] [--eslintconfig <string>] [--pmdconfig <string>] [--env <string>]
[--verbose-violations] [--verbose] [--loglevel
trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]
FLAGS
-c, --category=<value>
one or more categories of rules to run
-e, --engine=<value>
specify which engines to run
-f, --format=(csv|html|json|junit|sarif|table|xml)
specify results output format
-o, --outfile=<value>
write output to a file
-p, --projectdir=<value>
provide root directory of project
-r, --ruleset=<value>
[deprecated] rulesets to run
-s, --severity-threshold=<value>
throw an error when a violation threshold is reached, the
--normalize-severity is invoked, and severity levels are reset to the
baseline
-t, --target=<value>
(required) source code location
--env=<value>
[deprecated] override ESLint's default environment variables, in
JSON-formatted string
--eslintconfig=<value>
specify the location of eslintrc config to customize eslint engine
--json
format output as json
--loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATA
L)
[default: warn] logging level for this command invocation
--normalize-severity
return normalized severity 1 (high), 2 (moderate), and 3 (low), and the
engine-specific severity
--pmdconfig=<value>
specify location of PMD rule reference XML file to customize rule selection
--tsconfig=<value>
location of tsconfig.json file
--verbose
emit additional command output to stdout
--verbose-violations
return retire-js violation message details
COMMANDS
scanner run dfa scan codebase with all DFA rules
WARNING: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
(node:1525) Warning: Deprecated config name: apiVersion. Please use org-api-version instead.
(Use `node --trace-warnings ...` to show where the warning was created)
NAME LANGUAGES CATEGORIES RULESETS [DEP] ENGINE IS DFA IS PILOT
────────────────────────────────────────────────────── ─────────── ───────────────────── ──────────────────────────────────────────────── ───────────────── ────── ────────
VfCsrf visualforce Security Basic VF pmd N N
VfHtmlStyleTagXss visualforce Security pmd N N
VfUnescapeEl visualforce Security Basic VF pmd N N
ApexAssertionsShouldIncludeMessage apex Best Practices pmd N N
ApexUnitTestClassShouldHaveAsserts apex Best Practices ApexUnit,Default ruleset...,quickstart pmd N N
ApexUnitTestClassShouldHaveRunAs apex Best Practices quickstart pmd N N
ApexUnitTestMethodShouldHaveIsTestAnnotation apex Best Practices pmd N N
ApexUnitTestShouldNotUseSeeAllDataTrue apex Best Practices ApexUnit,Default ruleset...,quickstart pmd N N
AvoidGlobalModifier apex Best Practices Style,Default ruleset...,quickstart pmd N N
AvoidLogicInTrigger apex Best Practices Style,Default ruleset...,quickstart pmd N N
DebugsShouldUseLoggingLevel apex Best Practices quickstart pmd N N
UnusedLocalVariable apex Best Practices pmd N N
AvoidDebugStatements apex Performance pmd N N
AvoidDmlStatementsInLoops apex Performance Default ruleset...,Performance pmd N N
AvoidSoqlInLoops apex Performance Default ruleset...,Performance pmd N N
AvoidSoslInLoops apex Performance Default ruleset...,Performance pmd N N
EagerlyLoadedDescribeSObjectResult apex Performance pmd N N
OperationWithLimitsInLoop apex Performance quickstart pmd N N
ApexBadCrypto apex Security Security,Default ruleset...,quickstart pmd N N
ApexCRUDViolation apex Security Security,Default ruleset...,quickstart pmd N N
ApexCSRF apex Security Security pmd N N
ApexDangerousMethods apex Security Security,Default ruleset...,quickstart pmd N N
ApexInsecureEndpoint apex Security Security,Default ruleset...,quickstart pmd N N
ApexOpenRedirect apex Security Security,Default ruleset...,quickstart pmd N N
ApexSharingViolations apex Security Security,Default ruleset...,quickstart pmd N N
ApexSOQLInjection apex Security Security,Default ruleset...,quickstart pmd N N
ApexSuggestUsingNamedCred apex Security Security,Default ruleset...,quickstart pmd N N
ApexXSSFromEscapeFalse apex Security Security,Default ruleset...,quickstart pmd N N
ApexXSSFromURLParam apex Security Security,Default ruleset...,quickstart pmd N N
ClassNamingConventions apex Code Style Style,Default ruleset...,quickstart pmd N N
IfElseStmtsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
IfStmtsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
FieldDeclarationsShouldBeAtStart apex Code Style pmd N N
FieldNamingConventions apex Code Style quickstart pmd N N
ForLoopsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
FormalParameterNamingConventions apex Code Style quickstart pmd N N
LocalVariableNamingConventions apex Code Style quickstart pmd N N
MethodNamingConventions apex Code Style Style,Default ruleset...,quickstart pmd N N
OneDeclarationPerLine apex Code Style Default ruleset...,quickstart pmd N N
PropertyNamingConventions apex Code Style quickstart pmd N N
VariableNamingConventions apex Code Style Style,Default ruleset... pmd N N
WhileLoopsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
AvoidDeeplyNestedIfStmts apex Design Complexity,Default ruleset...,quickstart pmd N N
CyclomaticComplexity apex Design Metrics tempora...,Default ruleset...,quickstart pmd N N
CognitiveComplexity apex Design pmd N N
ExcessiveClassLength apex Design Complexity,Default ruleset...,quickstart pmd N N
ExcessiveParameterList apex Design Complexity,Default ruleset...,quickstart pmd N N
ExcessivePublicCount apex Design Complexity,Default ruleset...,quickstart pmd N N
NcssConstructorCount apex Design Complexity,Default ruleset...,quickstart pmd N N
NcssMethodCount apex Design Complexity,Default ruleset...,quickstart pmd N N
NcssTypeCount apex Design Complexity,Default ruleset...,quickstart pmd N N
StdCyclomaticComplexity apex Design Complexity,Default ruleset...,quickstart pmd N N
TooManyFields apex Design Complexity,Default ruleset...,quickstart pmd N N
ApexDoc apex Documentation Default ruleset...,quickstart pmd N N
ApexCSRF apex Error Prone Default ruleset...,quickstart pmd N N
AvoidDirectAccessTriggerMap apex Error Prone Style,Default ruleset...,quickstart pmd N N
AvoidHardcodingId apex Error Prone Style,Default ruleset...,quickstart pmd N N
AvoidNonExistentAnnotations apex Error Prone Default ruleset...,quickstart pmd N N
EmptyCatchBlock apex Error Prone Empty Code,Default ruleset...,quickstart pmd N N
EmptyIfStmt apex Error Prone Empty Code,Default ruleset...,quickstart pmd N N
EmptyStatementBlock apex Error Prone Empty Code,Default ruleset...,quickstart pmd N N
EmptyTryOrFinallyBlock apex Error Prone Empty Code,Default ruleset...,quickstart pmd N N
EmptyWhileStmt apex Error Prone Empty Code,Default ruleset...,quickstart pmd N N
InaccessibleAuraEnabledGetter apex Error Prone pmd N N
MethodWithSameNameAsEnclosingClass apex Error Prone Style,Default ruleset...,quickstart pmd N N
OverrideBothEqualsAndHashcode apex Error Prone pmd N N
TestMethodsMustBeInTestClasses apex Error Prone pmd N N
constructor-super javascript problem problem eslint N N
for-direction javascript problem problem eslint N N
getter-return javascript problem problem eslint N N
no-async-promise-executor javascript problem problem eslint N N
no-case-declarations javascript suggestion suggestion eslint N N
no-class-assign javascript problem problem eslint N N
no-compare-neg-zero javascript problem problem eslint N N
no-cond-assign javascript problem problem eslint N N
no-const-assign javascript problem problem eslint N N
no-constant-condition javascript problem problem eslint N N
no-control-regex javascript problem problem eslint N N
no-debugger javascript problem problem eslint N N
no-delete-var javascript suggestion suggestion eslint N N
no-dupe-args javascript problem problem eslint N N
no-dupe-class-members javascript problem problem eslint N N
no-dupe-else-if javascript problem problem eslint N N
no-dupe-keys javascript problem problem eslint N N
no-duplicate-case javascript problem problem eslint N N
no-empty javascript suggestion suggestion eslint N N
no-empty-character-class javascript problem problem eslint N N
no-empty-pattern javascript problem problem eslint N N
no-ex-assign javascript problem problem eslint N N
no-extra-boolean-cast javascript suggestion suggestion eslint N N
no-extra-semi javascript suggestion suggestion eslint N N
no-fallthrough javascript problem problem eslint N N
no-func-assign javascript problem problem eslint N N
no-global-assign javascript suggestion suggestion eslint N N
no-import-assign javascript problem problem eslint N N
no-inner-declarations javascript problem problem eslint N N
no-invalid-regexp javascript problem problem eslint N N
no-irregular-whitespace javascript problem problem eslint N N
no-loss-of-precision javascript problem problem eslint N N
no-misleading-character-class javascript problem problem eslint N N
no-mixed-spaces-and-tabs javascript layout layout eslint N N
no-new-symbol javascript problem problem eslint N N
no-nonoctal-decimal-escape javascript suggestion suggestion eslint N N
no-obj-calls javascript problem problem eslint N N
no-octal javascript suggestion suggestion eslint N N
no-prototype-builtins javascript problem problem eslint N N
no-redeclare javascript suggestion suggestion eslint N N
no-regex-spaces javascript suggestion suggestion eslint N N
no-self-assign javascript problem problem eslint N N
no-setter-return javascript problem problem eslint N N
no-shadow-restricted-names javascript suggestion suggestion eslint N N
no-sparse-arrays javascript problem problem eslint N N
no-this-before-super javascript problem problem eslint N N
no-undef javascript problem problem eslint N N
no-unexpected-multiline javascript problem problem eslint N N
no-unreachable javascript problem problem eslint N N
no-unsafe-finally javascript problem problem eslint N N
no-unsafe-negation javascript problem problem eslint N N
no-unsafe-optional-chaining javascript problem problem eslint N N
no-unused-labels javascript suggestion suggestion eslint N N
no-unused-vars javascript problem problem eslint N N
no-useless-backreference javascript problem problem eslint N N
no-useless-catch javascript suggestion suggestion eslint N N
no-useless-escape javascript suggestion suggestion eslint N N
no-with javascript suggestion suggestion eslint N N
require-yield javascript suggestion suggestion eslint N N
use-isnan javascript problem problem eslint N N
valid-typeof javascript problem problem eslint N N
for-direction typescript problem problem eslint-typescript N N
no-async-promise-executor typescript problem problem eslint-typescript N N
no-case-declarations typescript suggestion suggestion eslint-typescript N N
no-class-assign typescript problem problem eslint-typescript N N
no-compare-neg-zero typescript problem problem eslint-typescript N N
no-cond-assign typescript problem problem eslint-typescript N N
no-constant-condition typescript problem problem eslint-typescript N N
no-control-regex typescript problem problem eslint-typescript N N
no-debugger typescript problem problem eslint-typescript N N
no-delete-var typescript suggestion suggestion eslint-typescript N N
no-dupe-else-if typescript problem problem eslint-typescript N N
no-duplicate-case typescript problem problem eslint-typescript N N
no-empty typescript suggestion suggestion eslint-typescript N N
no-empty-character-class typescript problem problem eslint-typescript N N
no-empty-pattern typescript problem problem eslint-typescript N N
no-ex-assign typescript problem problem eslint-typescript N N
no-extra-boolean-cast typescript suggestion suggestion eslint-typescript N N
no-fallthrough typescript problem problem eslint-typescript N N
no-global-assign typescript suggestion suggestion eslint-typescript N N
no-inner-declarations typescript problem problem eslint-typescript N N
no-invalid-regexp typescript problem problem eslint-typescript N N
no-irregular-whitespace typescript problem problem eslint-typescript N N
no-misleading-character-class typescript problem problem eslint-typescript N N
no-mixed-spaces-and-tabs typescript layout layout eslint-typescript N N
no-nonoctal-decimal-escape typescript suggestion suggestion eslint-typescript N N
no-octal typescript suggestion suggestion eslint-typescript N N
no-prototype-builtins typescript problem problem eslint-typescript N N
no-regex-spaces typescript suggestion suggestion eslint-typescript N N
no-self-assign typescript problem problem eslint-typescript N N
no-shadow-restricted-names typescript suggestion suggestion eslint-typescript N N
no-sparse-arrays typescript problem problem eslint-typescript N N
no-unexpected-multiline typescript problem problem eslint-typescript N N
no-unsafe-finally typescript problem problem eslint-typescript N N
no-unsafe-optional-chaining typescript problem problem eslint-typescript N N
no-unused-labels typescript suggestion suggestion eslint-typescript N N
no-useless-backreference typescript problem problem eslint-typescript N N
no-useless-catch typescript suggestion suggestion eslint-typescript N N
no-useless-escape typescript suggestion suggestion eslint-typescript N N
no-var typescript suggestion suggestion eslint-typescript N N
no-with typescript suggestion suggestion eslint-typescript N N
prefer-const typescript suggestion suggestion eslint-typescript N N
prefer-rest-params typescript suggestion suggestion eslint-typescript N N
prefer-spread typescript suggestion suggestion eslint-typescript N N
require-yield typescript suggestion suggestion eslint-typescript N N
use-isnan typescript problem problem eslint-typescript N N
@typescript-eslint/adjacent-overload-signatures typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/await-thenable typescript problem problem eslint-typescript N N
@typescript-eslint/ban-ts-comment typescript problem problem eslint-typescript N N
@typescript-eslint/ban-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-array-constructor typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-empty-function typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-empty-interface typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-explicit-any typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-extra-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-extra-semi typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-floating-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-for-in-array typescript problem problem eslint-typescript N N
@typescript-eslint/no-implied-eval typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-inferrable-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-loss-of-precision typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-new typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-namespace typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-non-null-asserted-optional-chain typescript problem problem eslint-typescript N N
@typescript-eslint/no-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-this-alias typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-assertion typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-constraint typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-argument typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-assignment typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-call typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-member-access typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-return typescript problem problem eslint-typescript N N
@typescript-eslint/no-unused-vars typescript problem problem eslint-typescript N N
@typescript-eslint/no-var-requires typescript problem problem eslint-typescript N N
@typescript-eslint/prefer-as-const typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/prefer-namespace-keyword typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/require-await typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/restrict-plus-operands typescript problem problem eslint-typescript N N
@typescript-eslint/restrict-template-expressions typescript problem problem eslint-typescript N N
@typescript-eslint/triple-slash-reference typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/unbound-method typescript problem problem eslint-typescript N N
insecure-bundled-dependencies javascript Insecure Dependencies retire-js N N
UnusedMethodRule apex Performance sfge Y Y
ApexFlsViolationRule apex Security sfge Y N
MultipleMassSchemaLookupRule apex Performance sfge Y Y
ApexNullPointerExceptionRule apex Error Prone sfge Y N
UnimplementedTypeRule apex Performance sfge N N
Installation on mega-linter Docker image
- Dockerfile commands :
# Parent descriptor install
ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
RUN echo y|sfdx plugins:install sfdx-hardis \
&& npm cache clean --force || true \
&& rm -rf /root/.npm/_cacache
# Linter install
RUN sfdx plugins:install @salesforce/sfdx-scanner \
&& npm cache clean --force || true \
&& rm -rf /root/.npm/_cacache