sfdx-scanner-lwc
sfdx-scanner is an sfdx plugin that scans Apex classes and triggers using Apex PMD, and JavaScript using ESLint.
If your root folder is not force-app, please set the variable SALESFORCE_SFDX_SCANNER_LWC_DIRECTORY.
You can select categories and single rules by defining custom arguments (example: SALESFORCE_SFDX_SCANNER_ARGUMENTS: -c "Best Practices,Security").
See more details in Help
Workaround: Restricted to LWC
sfdx-scanner-lwc documentation
- Version in MegaLinter: 3.20.0
- Visit Official Web Site
- See How to configure sfdx-scanner-lwc rules
- See How to disable sfdx-scanner-lwc rules in files
- See Index of problems detected by sfdx-scanner-lwc
Configuration in MegaLinter
- Enable sfdx-scanner-lwc by adding SALESFORCE_SFDX_SCANNER_LWC in ENABLE_LINTERS variable
- Disable sfdx-scanner-lwc by adding SALESFORCE_SFDX_SCANNER_LWC in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
SALESFORCE_SFDX_SCANNER_LWC_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
SALESFORCE_SFDX_SCANNER_LWC_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
SALESFORCE_SFDX_SCANNER_LWC_PRE_COMMANDS | List of bash commands to run before the linter | None |
SALESFORCE_SFDX_SCANNER_LWC_POST_COMMANDS | List of bash commands to run after the linter | None |
SALESFORCE_SFDX_SCANNER_LWC_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_SFDX_SCANNER_LWC and its pre/post commands | None |
SALESFORCE_SFDX_SCANNER_LWC_CONFIG_FILE | sfdx-scanner-lwc configuration file name. Use LINTER_DEFAULT to let the linter find it | --eslintconfig |
SALESFORCE_SFDX_SCANNER_LWC_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
SALESFORCE_SFDX_SCANNER_LWC_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
SALESFORCE_SFDX_SCANNER_LWC_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
SALESFORCE_SFDX_SCANNER_LWC_CLI_EXECUTABLE | Override CLI executable | ['sfdx'] |
SALESFORCE_DIRECTORY | Directory containing SALESFORCE files (use any to always activate the linter) | force-app |
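
The following `.mega-linter.yml` is an added example, not taken from the MegaLinter or sfdx-scanner documentation, showing how the variables above combine for a security-focused run. The directory name `sfdx-source` is hypothetical; the arguments reuse the category selection shown at the top of this page together with the `--severity-threshold` flag listed in the help content below.

```yaml
# .mega-linter.yml (added example; values are illustrative)
ENABLE_LINTERS:
  - SALESFORCE_SFDX_SCANNER_LWC

# Hypothetical layout: sources live in "sfdx-source" instead of "force-app".
# The linter is only activated when this sub-directory is found.
SALESFORCE_DIRECTORY: sfdx-source

# Restrict the run to the page's example categories and make the scanner
# throw an error when a violation reaches normalized severity 2 (moderate).
# Per the help text, a severity threshold also invokes --normalize-severity.
SALESFORCE_SFDX_SCANNER_LWC_ARGUMENTS: '-c "Best Practices,Security" --severity-threshold 2'

# Keep findings blocking: errors are not downgraded to warnings.
SALESFORCE_SFDX_SCANNER_LWC_DISABLE_ERRORS: false

# Has no narrowing effect on this linter: it is called once on the whole
# project directory, so path filtering must live in the scanner's own config.
VALIDATE_ALL_CODEBASE: false
```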
IDE Integration
Use sfdx-scanner-lwc in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name | Install |
---|---|---|
Visual Studio Code | Salesforce Extension Pack | |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info |
---|---|---|---|
all | Default MegaLinter Flavor | 121 | |
salesforce | Optimized for Salesforce based projects | 54 | |
Behind the scenes
How applicable files are identified
- Activated only if sub-directory force-app is found (directory name can be overridden with SALESFORCE_DIRECTORY)
- If this linter is active, all files will always be linted
How the linting is performed
sfdx-scanner-lwc is called once on the whole project directory (project CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using sfdx-scanner-lwc configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make sfdx-scanner-lwc analyze only updated files
Example calls
```shell
sfdx scanner:run
```
Help content
```
(node:2390) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
scan a codebase with a selection of rules

USAGE
  $ sf scanner run -t <value> [--verbose] [-c <value>] [-f
    csv|html|json|junit|sarif|table|xml] [-o <value>] [-s <value> | ]
    [--normalize-severity] [-p <value>] [-r <value>] [-e
    eslint|eslint-lwc|eslint-typescript|pmd|pmd-appexchange|retire-js|sfge|cpd]
    [--tsconfig <value>] [--eslintconfig <value>] [--pmdconfig <value>] [--env
    <value>] [--verbose-violations]

FLAGS
  -c, --category=<value>...         one or more categories of rules to run
  -e, --engine=<option>...          specify which engines to run
                                    <options: eslint|eslint-lwc|eslint-typescrip
                                    t|pmd|pmd-appexchange|retire-js|sfge|cpd>
  -f, --format=<option>             specify results output format
                                    <options:
                                    csv|html|json|junit|sarif|table|xml>
  -o, --outfile=<value>             write output to a file
  -p, --projectdir=<value>          provide root directory of project
  -r, --ruleset=<value>...          [deprecated] rulesets to run
  -s, --severity-threshold=<value>  throw an error when a violation threshold is
                                    reached, the --normalize-severity is
                                    invoked, and severity levels are reset to
                                    the baseline
  -t, --target=<value>...           (required) source code location
      --env=<value>                 [deprecated] override ESLint's default
                                    environment variables, in JSON-formatted
                                    string
      --eslintconfig=<value>        specify the location of eslintrc config to
                                    customize eslint engine
      --normalize-severity          return normalized severity 1 (high), 2
                                    (moderate), and 3 (low), and the
                                    engine-specific severity
      --pmdconfig=<value>           specify location of PMD rule reference XML
                                    file to customize rule selection
      --tsconfig=<value>            location of tsconfig.json file
      --verbose                     emit additional command output to stdout
      --verbose-violations          return retire-js violation message details

COMMANDS
  scanner run dfa  scan codebase with all DFA rules
```
(node:2406) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
› Warning: Plugin @salesforce/sfdx-scanner (3.20.0) differs from the version
› specified by sf (3.19.0)
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
name languages categories rulesets [dep] engine is dfa is pilot
────────────────────────────────────────────────────── ─────────── ───────────────────── ──────────────────────────────────────────────── ───────────────── ────── ────────
VfCsrf visualforce Security Basic VF pmd N N
VfHtmlStyleTagXss visualforce Security pmd N N
VfUnescapeEl visualforce Security Basic VF pmd N N
ApexAssertionsShouldIncludeMessage apex Best Practices pmd N N
ApexUnitTestClassShouldHaveAsserts apex Best Practices Default ruleset...,ApexUnit,quickstart pmd N N
ApexUnitTestClassShouldHaveRunAs apex Best Practices quickstart pmd N N
ApexUnitTestMethodShouldHaveIsTestAnnotation apex Best Practices pmd N N
ApexUnitTestShouldNotUseSeeAllDataTrue apex Best Practices Default ruleset...,ApexUnit,quickstart pmd N N
AvoidGlobalModifier apex Best Practices Default ruleset...,quickstart,Style pmd N N
AvoidLogicInTrigger apex Best Practices Default ruleset...,quickstart,Style pmd N N
DebugsShouldUseLoggingLevel apex Best Practices quickstart pmd N N
UnusedLocalVariable apex Best Practices pmd N N
AvoidDebugStatements apex Performance pmd N N
AvoidDmlStatementsInLoops apex Performance Default ruleset...,Performance pmd N N
AvoidSoqlInLoops apex Performance Default ruleset...,Performance pmd N N
AvoidSoslInLoops apex Performance Default ruleset...,Performance pmd N N
EagerlyLoadedDescribeSObjectResult apex Performance pmd N N
OperationWithLimitsInLoop apex Performance quickstart pmd N N
ApexBadCrypto apex Security Default ruleset...,Security,quickstart pmd N N
ApexCRUDViolation apex Security Default ruleset...,Security,quickstart pmd N N
ApexCSRF apex Security Security pmd N N
ApexDangerousMethods apex Security Default ruleset...,Security,quickstart pmd N N
ApexInsecureEndpoint apex Security Default ruleset...,Security,quickstart pmd N N
ApexOpenRedirect apex Security Default ruleset...,Security,quickstart pmd N N
ApexSharingViolations apex Security Default ruleset...,Security,quickstart pmd N N
ApexSOQLInjection apex Security Default ruleset...,Security,quickstart pmd N N
ApexSuggestUsingNamedCred apex Security Default ruleset...,Security,quickstart pmd N N
ApexXSSFromEscapeFalse apex Security Default ruleset...,Security,quickstart pmd N N
ApexXSSFromURLParam apex Security Default ruleset...,Security,quickstart pmd N N
ClassNamingConventions apex Code Style Default ruleset...,quickstart,Style pmd N N
IfElseStmtsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
IfStmtsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
FieldDeclarationsShouldBeAtStart apex Code Style pmd N N
FieldNamingConventions apex Code Style quickstart pmd N N
ForLoopsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
FormalParameterNamingConventions apex Code Style quickstart pmd N N
LocalVariableNamingConventions apex Code Style quickstart pmd N N
MethodNamingConventions apex Code Style Default ruleset...,quickstart,Style pmd N N
OneDeclarationPerLine apex Code Style Default ruleset...,quickstart pmd N N
PropertyNamingConventions apex Code Style quickstart pmd N N
VariableNamingConventions apex Code Style Default ruleset...,Style pmd N N
WhileLoopsMustUseBraces apex Code Style Default ruleset...,Braces,quickstart pmd N N
AvoidDeeplyNestedIfStmts apex Design Default ruleset...,Complexity,quickstart pmd N N
CyclomaticComplexity apex Design Metrics tempora...,Default ruleset...,quickstart pmd N N
CognitiveComplexity apex Design pmd N N
ExcessiveClassLength apex Design Default ruleset...,Complexity,quickstart pmd N N
ExcessiveParameterList apex Design Default ruleset...,Complexity,quickstart pmd N N
ExcessivePublicCount apex Design Default ruleset...,Complexity,quickstart pmd N N
NcssConstructorCount apex Design Default ruleset...,Complexity,quickstart pmd N N
NcssMethodCount apex Design Default ruleset...,Complexity,quickstart pmd N N
NcssTypeCount apex Design Default ruleset...,Complexity,quickstart pmd N N
StdCyclomaticComplexity apex Design Default ruleset...,Complexity,quickstart pmd N N
TooManyFields apex Design Default ruleset...,Complexity,quickstart pmd N N
ApexDoc apex Documentation Default ruleset...,quickstart pmd N N
ApexCSRF apex Error Prone Default ruleset...,quickstart pmd N N
AvoidDirectAccessTriggerMap apex Error Prone Default ruleset...,quickstart,Style pmd N N
AvoidHardcodingId apex Error Prone Default ruleset...,quickstart,Style pmd N N
AvoidNonExistentAnnotations apex Error Prone Default ruleset...,quickstart pmd N N
EmptyCatchBlock apex Error Prone Default ruleset...,Empty Code,quickstart pmd N N
EmptyIfStmt apex Error Prone Default ruleset...,Empty Code,quickstart pmd N N
EmptyStatementBlock apex Error Prone Default ruleset...,Empty Code,quickstart pmd N N
EmptyTryOrFinallyBlock apex Error Prone Default ruleset...,Empty Code,quickstart pmd N N
EmptyWhileStmt apex Error Prone Default ruleset...,Empty Code,quickstart pmd N N
InaccessibleAuraEnabledGetter apex Error Prone pmd N N
MethodWithSameNameAsEnclosingClass apex Error Prone Default ruleset...,quickstart,Style pmd N N
OverrideBothEqualsAndHashcode apex Error Prone pmd N N
TestMethodsMustBeInTestClasses apex Error Prone pmd N N
constructor-super javascript problem problem eslint N N
for-direction javascript problem problem eslint N N
getter-return javascript problem problem eslint N N
no-async-promise-executor javascript problem problem eslint N N
no-case-declarations javascript suggestion suggestion eslint N N
no-class-assign javascript problem problem eslint N N
no-compare-neg-zero javascript problem problem eslint N N
no-cond-assign javascript problem problem eslint N N
no-const-assign javascript problem problem eslint N N
no-constant-condition javascript problem problem eslint N N
no-control-regex javascript problem problem eslint N N
no-debugger javascript problem problem eslint N N
no-delete-var javascript suggestion suggestion eslint N N
no-dupe-args javascript problem problem eslint N N
no-dupe-class-members javascript problem problem eslint N N
no-dupe-else-if javascript problem problem eslint N N
no-dupe-keys javascript problem problem eslint N N
no-duplicate-case javascript problem problem eslint N N
no-empty javascript suggestion suggestion eslint N N
no-empty-character-class javascript problem problem eslint N N
no-empty-pattern javascript problem problem eslint N N
no-ex-assign javascript problem problem eslint N N
no-extra-boolean-cast javascript suggestion suggestion eslint N N
no-fallthrough javascript problem problem eslint N N
no-func-assign javascript problem problem eslint N N
no-global-assign javascript suggestion suggestion eslint N N
no-import-assign javascript problem problem eslint N N
no-inner-declarations javascript problem problem eslint N N
no-invalid-regexp javascript problem problem eslint N N
no-irregular-whitespace javascript problem problem eslint N N
no-loss-of-precision javascript problem problem eslint N N
no-misleading-character-class javascript problem problem eslint N N
no-new-symbol javascript problem problem eslint N N
no-nonoctal-decimal-escape javascript suggestion suggestion eslint N N
no-obj-calls javascript problem problem eslint N N
no-octal javascript suggestion suggestion eslint N N
no-prototype-builtins javascript problem problem eslint N N
no-redeclare javascript suggestion suggestion eslint N N
no-regex-spaces javascript suggestion suggestion eslint N N
no-self-assign javascript problem problem eslint N N
no-setter-return javascript problem problem eslint N N
no-shadow-restricted-names javascript suggestion suggestion eslint N N
no-sparse-arrays javascript problem problem eslint N N
no-this-before-super javascript problem problem eslint N N
no-undef javascript problem problem eslint N N
no-unexpected-multiline javascript problem problem eslint N N
no-unreachable javascript problem problem eslint N N
no-unsafe-finally javascript problem problem eslint N N
no-unsafe-negation javascript problem problem eslint N N
no-unsafe-optional-chaining javascript problem problem eslint N N
no-unused-labels javascript suggestion suggestion eslint N N
no-unused-vars javascript problem problem eslint N N
no-useless-backreference javascript problem problem eslint N N
no-useless-catch javascript suggestion suggestion eslint N N
no-useless-escape javascript suggestion suggestion eslint N N
no-with javascript suggestion suggestion eslint N N
require-yield javascript suggestion suggestion eslint N N
use-isnan javascript problem problem eslint N N
valid-typeof javascript problem problem eslint N N
for-direction typescript problem problem eslint-typescript N N
no-async-promise-executor typescript problem problem eslint-typescript N N
no-case-declarations typescript suggestion suggestion eslint-typescript N N
no-class-assign typescript problem problem eslint-typescript N N
no-compare-neg-zero typescript problem problem eslint-typescript N N
no-cond-assign typescript problem problem eslint-typescript N N
no-constant-condition typescript problem problem eslint-typescript N N
no-control-regex typescript problem problem eslint-typescript N N
no-debugger typescript problem problem eslint-typescript N N
no-delete-var typescript suggestion suggestion eslint-typescript N N
no-dupe-else-if typescript problem problem eslint-typescript N N
no-duplicate-case typescript problem problem eslint-typescript N N
no-empty typescript suggestion suggestion eslint-typescript N N
no-empty-character-class typescript problem problem eslint-typescript N N
no-empty-pattern typescript problem problem eslint-typescript N N
no-ex-assign typescript problem problem eslint-typescript N N
no-extra-boolean-cast typescript suggestion suggestion eslint-typescript N N
no-fallthrough typescript problem problem eslint-typescript N N
no-global-assign typescript suggestion suggestion eslint-typescript N N
no-inner-declarations typescript problem problem eslint-typescript N N
no-invalid-regexp typescript problem problem eslint-typescript N N
no-irregular-whitespace typescript problem problem eslint-typescript N N
no-misleading-character-class typescript problem problem eslint-typescript N N
no-nonoctal-decimal-escape typescript suggestion suggestion eslint-typescript N N
no-octal typescript suggestion suggestion eslint-typescript N N
no-prototype-builtins typescript problem problem eslint-typescript N N
no-regex-spaces typescript suggestion suggestion eslint-typescript N N
no-self-assign typescript problem problem eslint-typescript N N
no-shadow-restricted-names typescript suggestion suggestion eslint-typescript N N
no-sparse-arrays typescript problem problem eslint-typescript N N
no-unexpected-multiline typescript problem problem eslint-typescript N N
no-unsafe-finally typescript problem problem eslint-typescript N N
no-unsafe-optional-chaining typescript problem problem eslint-typescript N N
no-unused-labels typescript suggestion suggestion eslint-typescript N N
no-useless-backreference typescript problem problem eslint-typescript N N
no-useless-catch typescript suggestion suggestion eslint-typescript N N
no-useless-escape typescript suggestion suggestion eslint-typescript N N
no-var typescript suggestion suggestion eslint-typescript N N
no-with typescript suggestion suggestion eslint-typescript N N
prefer-const typescript suggestion suggestion eslint-typescript N N
prefer-rest-params typescript suggestion suggestion eslint-typescript N N
prefer-spread typescript suggestion suggestion eslint-typescript N N
require-yield typescript suggestion suggestion eslint-typescript N N
use-isnan typescript problem problem eslint-typescript N N
@typescript-eslint/adjacent-overload-signatures typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/await-thenable typescript problem problem eslint-typescript N N
@typescript-eslint/ban-ts-comment typescript problem problem eslint-typescript N N
@typescript-eslint/ban-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-array-constructor typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-empty-function typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-empty-interface typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-explicit-any typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-extra-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-extra-semi typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-floating-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-for-in-array typescript problem problem eslint-typescript N N
@typescript-eslint/no-implied-eval typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-inferrable-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-loss-of-precision typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-new typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-namespace typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-non-null-asserted-optional-chain typescript problem problem eslint-typescript N N
@typescript-eslint/no-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-this-alias typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-assertion typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-constraint typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-argument typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-assignment typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-call typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-member-access typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-return typescript problem problem eslint-typescript N N
@typescript-eslint/no-unused-vars typescript problem problem eslint-typescript N N
@typescript-eslint/no-var-requires typescript problem problem eslint-typescript N N
@typescript-eslint/prefer-as-const typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/prefer-namespace-keyword typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/require-await typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/restrict-plus-operands typescript problem problem eslint-typescript N N
@typescript-eslint/restrict-template-expressions typescript problem problem eslint-typescript N N
@typescript-eslint/triple-slash-reference typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/unbound-method typescript problem problem eslint-typescript N N
insecure-bundled-dependencies javascript Insecure Dependencies retire-js N N
AvoidDatabaseOperationInLoop apex Performance sfge Y N
AvoidMultipleMassSchemaLookups apex Performance sfge Y N
ApexFlsViolationRule apex Security sfge Y N
RemoveUnusedMethod apex Performance sfge Y Y
PerformNullCheckOnSoqlVariables apex Performance sfge Y N
UseWithSharingOnDatabaseOperation apex Security sfge Y N
ApexNullPointerExceptionRule apex Error Prone sfge Y N
UnimplementedTypeRule apex Performance sfge N N
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
# Parent descriptor install
ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
RUN sf plugins install @salesforce/plugin-packaging \
    && echo y|sfdx plugins:install sfdx-hardis \
    && npm cache clean --force || true \
    && rm -rf /root/.npm/_cacache
# Linter install
RUN sfdx plugins:install @salesforce/sfdx-scanner \
    && npm cache clean --force || true \
    && rm -rf /root/.npm/_cacache
```