sfdx-scanner-apex
sfdx-scanner is an sfdx plugin that scans Apex classes and triggers using Apex PMD, and JavaScript using ESLint.
If your root folder is not force-app, please set the variable SALESFORCE_SFDX_SCANNER_DIRECTORY.
You can select categories and single rules by defining custom arguments (example: SALESFORCE_SFDX_SCANNER_ARGUMENTS: -c "Best Practices,Security").
See more details in Help.
Workaround: Restricted to PMD
sfdx-scanner-apex documentation
- Version in MegaLinter: 4.8.0
- Visit Official Web Site
- See How to configure sfdx-scanner-apex rules
- If custom apex-pmd-ruleset.xml config file isn't found, apex-pmd-ruleset.xml will be used
- See How to disable sfdx-scanner-apex rules in files
- See Index of problems detected by sfdx-scanner-apex
Configuration in MegaLinter
- Enable sfdx-scanner-apex by adding SALESFORCE_SFDX_SCANNER_APEX in ENABLE_LINTERS variable
- Disable sfdx-scanner-apex by adding SALESFORCE_SFDX_SCANNER_APEX in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
SALESFORCE_SFDX_SCANNER_APEX_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
SALESFORCE_SFDX_SCANNER_APEX_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
SALESFORCE_SFDX_SCANNER_APEX_CLI_LINT_MODE | Override default CLI lint mode. Warning: as the default value is `project`, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | project |
SALESFORCE_SFDX_SCANNER_APEX_PRE_COMMANDS | List of bash commands to run before the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_POST_COMMANDS | List of bash commands to run after the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_SFDX_SCANNER_APEX and its pre/post commands | None |
SALESFORCE_SFDX_SCANNER_APEX_CONFIG_FILE | sfdx-scanner-apex configuration file name. Use `LINTER_DEFAULT` to let the linter find it | apex-pmd-ruleset.xml |
SALESFORCE_SFDX_SCANNER_APEX_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
SALESFORCE_SFDX_SCANNER_APEX_CLI_EXECUTABLE | Override CLI executable | ['sf'] |
SALESFORCE_DIRECTORY | Directory containing SALESFORCE files (use `any` to always activate the linter) | force-app |
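A `.mega-linter.yml` that wires the variables above together for a security-focused run, added here as an example and not taken from the MegaLinter documentation; the `src` directory name, the `.config` rules path and the list form of the arguments are assumptions.

```yaml
# .mega-linter.yml (added example, not from the MegaLinter docs)
# Run only sfdx-scanner-apex, limited to the Security and Best Practices
# rule categories, on a project whose sources are not kept in force-app/.

ENABLE_LINTERS:
  - SALESFORCE_SFDX_SCANNER_APEX

# Assumption: metadata lives under src/ instead of force-app/.
# The linter activates only when this directory exists
# (or when SALESFORCE_DIRECTORY is set to "any").
SALESFORCE_DIRECTORY: src

# Custom PMD ruleset: looked up in RULES_PATH inside the workspace first,
# then in MegaLinter's default rules. Assumption: the repo keeps it in .config/.
SALESFORCE_SFDX_SCANNER_APEX_RULES_PATH: .config
SALESFORCE_SFDX_SCANNER_APEX_CONFIG_FILE: apex-pmd-ruleset.xml

# Extra arguments appended to the "sf scanner run" call. The list form keeps
# the space in "Best Practices" inside a single argument (the page shows the
# equivalent string form: -c "Best Practices,Security").
SALESFORCE_SFDX_SCANNER_APEX_ARGUMENTS:
  - "-c"
  - "Best Practices,Security"

# The linter runs in "project" CLI lint mode, so every file is scanned on each
# run; keep findings blocking instead of downgrading them to warnings.
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS: false
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS_IF_LESS_THAN: 0
```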
IDE Integration
Use sfdx-scanner-apex in your favorite IDE to catch errors before MegaLinter!
IDE | Extension Name | Install |
---|---|---|
Eclipse | pmd-eclipse-plugin | Visit Web Site |
Emacs | pmd-emacs | Visit Web Site |
IDEA | PMD IntelliJ | |
Visual Studio Code | Salesforce Extension Pack | |
MegaLinter Flavors
This linter is available in the following flavors:
Flavor | Description | Embedded linters | Info |
---|---|---|---|
all | Default MegaLinter Flavor | 125 | |
salesforce | Optimized for Salesforce based projects | 53 | |
Behind the scenes
How applicable files are identified
- Activated only if sub-directory `force-app` is found (directory name can be overridden with `SALESFORCE_DIRECTORY`)
- If this linter is active, all files will always be linted
How the linting is performed
- sfdx-scanner-apex is called once on the whole project directory (`project` CLI lint mode)
- filtering can not be done using MegaLinter configuration variables, it must be done using sfdx-scanner-apex configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` doesn't make sfdx-scanner-apex analyze only updated files
Example calls
```shell
sf scanner:run
```
Help content
› Warning: @salesforce/cli update available from 2.72.21 to 2.73.9.
Scan a codebase with all the rules in the registry, or use parameters to filter the rules based on rulename, category, or ruleset.
USAGE
$ sf scanner run [--verbose] [-c <value>...] [-f
csv|html|json|junit|sarif|table|xml] [-o <value>] [-s <value> | --json]
[--normalize-severity] [-p <value>...] [-r <value>...] [-e eslint|eslint-lwc
|eslint-typescript|pmd|pmd-appexchange|retire-js|sfge|cpd...] [-t
<value>...] [--tsconfig <value>] [--eslintconfig <value>] [--pmdconfig
<value>] [--env <value>] [--verbose-violations]
FLAGS
-c, --category=<value>... One or more categories of rules to run.
-e, --engine=<option>... Specify which engines to run.
<options: eslint|eslint-lwc|eslint-typescript|pmd|pmd-appexchange|retire-js|sfge|cpd>
-f, --format=<option> The output format for results written
directly to the console.
<options: csv|html|json|junit|sarif|table|xml>
-o, --outfile=<value> File to write output to.
-p, --projectdir=<value>... The relative or absolute root project
directories used to set the context for
Graph Engine's analysis.
-r, --ruleset=<value>... [Deprecated] Rulesets to run.
-s, --severity-threshold=<value> An error will be thrown when a violation is
found with a severity equal to or greater
than the specified level.
-t, --target=<value>... Source code location.
--env=<value> [Deprecated] Override ESLint's default
environment variables, in JSON-formatted
string.
--eslintconfig=<value> Specify the location of eslintrc config to
customize eslint engine. The --tsconfig flag
can't be used with --eslintconfig flag.
--normalize-severity Include normalized severity levels 1 (high),
2 (moderate), and 3 (low) with the results.
--pmdconfig=<value> Location of PMD rule reference XML file to
customize rule selection.
--tsconfig=<value> Location of tsconfig.json file used by the
eslint-typescript engine. The --tsconfig
flag can't be used with --eslintconfig flag.
--verbose Emit additional command output to stdout.
--verbose-violations Includes Retire-js violation-message details
about each vulnerability in the results,
including summary, common vulnerabilities
and exposures (CVE), and URLs.
GLOBAL FLAGS
--json Format output as json.
COMMANDS
scanner run dfa Scan codebase with all DFA rules by default.
› Warning: @salesforce/cli update available from 2.72.21 to 2.73.9.
› Warning: Plugin @salesforce/sfdx-scanner (4.8.0) differs from the version
› specified by sf (4.7.0)
Warning: We plan to stop supporting v4.x of Code Analyzer in the coming months. We highly recommend that you start using v5.x, which is currently in Beta. For information on v5.x, see https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer.html.
name languages categories rulesets [dep] engine is dfa is pilot
────────────────────────────────────────────────────── ─────────── ───────────────────── ────────────── ───────────────── ────── ────────
VfCsrf visualforce Security pmd N N
VfHtmlStyleTagXss visualforce Security pmd N N
VfUnescapeEl visualforce Security pmd N N
ApexAssertionsShouldIncludeMessage apex Best Practices pmd N N
ApexUnitTestClassShouldHaveAsserts apex Best Practices quickstart pmd N N
ApexUnitTestClassShouldHaveRunAs apex Best Practices quickstart pmd N N
ApexUnitTestMethodShouldHaveIsTestAnnotation apex Best Practices pmd N N
ApexUnitTestShouldNotUseSeeAllDataTrue apex Best Practices quickstart pmd N N
AvoidGlobalModifier apex Best Practices quickstart pmd N N
AvoidLogicInTrigger apex Best Practices quickstart pmd N N
DebugsShouldUseLoggingLevel apex Best Practices quickstart pmd N N
UnusedLocalVariable apex Best Practices pmd N N
QueueableWithoutFinalizer apex Best Practices pmd N N
AvoidDebugStatements apex Performance pmd N N
AvoidNonRestrictiveQueries apex Performance pmd N N
EagerlyLoadedDescribeSObjectResult apex Performance pmd N N
OperationWithHighCostInLoop apex Performance quickstart pmd N N
OperationWithLimitsInLoop apex Performance quickstart pmd N N
ApexBadCrypto apex Security quickstart pmd N N
ApexCRUDViolation apex Security quickstart pmd N N
ApexDangerousMethods apex Security quickstart pmd N N
ApexInsecureEndpoint apex Security quickstart pmd N N
ApexOpenRedirect apex Security quickstart pmd N N
ApexSharingViolations apex Security quickstart pmd N N
ApexSOQLInjection apex Security quickstart pmd N N
ApexSuggestUsingNamedCred apex Security quickstart pmd N N
ApexXSSFromEscapeFalse apex Security quickstart pmd N N
ApexXSSFromURLParam apex Security quickstart pmd N N
ClassNamingConventions apex Code Style quickstart pmd N N
IfElseStmtsMustUseBraces apex Code Style quickstart pmd N N
IfStmtsMustUseBraces apex Code Style quickstart pmd N N
FieldDeclarationsShouldBeAtStart apex Code Style pmd N N
FieldNamingConventions apex Code Style quickstart pmd N N
ForLoopsMustUseBraces apex Code Style quickstart pmd N N
FormalParameterNamingConventions apex Code Style quickstart pmd N N
LocalVariableNamingConventions apex Code Style quickstart pmd N N
MethodNamingConventions apex Code Style quickstart pmd N N
OneDeclarationPerLine apex Code Style quickstart pmd N N
PropertyNamingConventions apex Code Style quickstart pmd N N
WhileLoopsMustUseBraces apex Code Style quickstart pmd N N
AvoidDeeplyNestedIfStmts apex Design quickstart pmd N N
UnusedMethod apex Design pmd N N
CyclomaticComplexity apex Design quickstart pmd N N
CognitiveComplexity apex Design pmd N N
ExcessiveClassLength apex Design quickstart pmd N N
ExcessiveParameterList apex Design quickstart pmd N N
ExcessivePublicCount apex Design quickstart pmd N N
NcssConstructorCount apex Design quickstart pmd N N
NcssMethodCount apex Design quickstart pmd N N
NcssTypeCount apex Design quickstart pmd N N
StdCyclomaticComplexity apex Design quickstart pmd N N
TooManyFields apex Design quickstart pmd N N
ApexDoc apex Documentation quickstart pmd N N
ApexCSRF apex Error Prone quickstart pmd N N
AvoidDirectAccessTriggerMap apex Error Prone quickstart pmd N N
AvoidHardcodingId apex Error Prone quickstart pmd N N
AvoidNonExistentAnnotations apex Error Prone quickstart pmd N N
EmptyCatchBlock apex Error Prone quickstart pmd N N
EmptyIfStmt apex Error Prone quickstart pmd N N
EmptyStatementBlock apex Error Prone quickstart pmd N N
EmptyTryOrFinallyBlock apex Error Prone quickstart pmd N N
EmptyWhileStmt apex Error Prone quickstart pmd N N
InaccessibleAuraEnabledGetter apex Error Prone pmd N N
MethodWithSameNameAsEnclosingClass apex Error Prone quickstart pmd N N
OverrideBothEqualsAndHashcode apex Error Prone pmd N N
TestMethodsMustBeInTestClasses apex Error Prone pmd N N
constructor-super javascript problem problem eslint N N
for-direction javascript problem problem eslint N N
getter-return javascript problem problem eslint N N
no-async-promise-executor javascript problem problem eslint N N
no-case-declarations javascript suggestion suggestion eslint N N
no-class-assign javascript problem problem eslint N N
no-compare-neg-zero javascript problem problem eslint N N
no-cond-assign javascript problem problem eslint N N
no-const-assign javascript problem problem eslint N N
no-constant-condition javascript problem problem eslint N N
no-control-regex javascript problem problem eslint N N
no-debugger javascript problem problem eslint N N
no-delete-var javascript suggestion suggestion eslint N N
no-dupe-args javascript problem problem eslint N N
no-dupe-class-members javascript problem problem eslint N N
no-dupe-else-if javascript problem problem eslint N N
no-dupe-keys javascript problem problem eslint N N
no-duplicate-case javascript problem problem eslint N N
no-empty javascript suggestion suggestion eslint N N
no-empty-character-class javascript problem problem eslint N N
no-empty-pattern javascript problem problem eslint N N
no-ex-assign javascript problem problem eslint N N
no-extra-boolean-cast javascript suggestion suggestion eslint N N
no-fallthrough javascript problem problem eslint N N
no-func-assign javascript problem problem eslint N N
no-global-assign javascript suggestion suggestion eslint N N
no-import-assign javascript problem problem eslint N N
no-inner-declarations javascript problem problem eslint N N
no-invalid-regexp javascript problem problem eslint N N
no-irregular-whitespace javascript problem problem eslint N N
no-loss-of-precision javascript problem problem eslint N N
no-misleading-character-class javascript problem problem eslint N N
no-new-symbol javascript problem problem eslint N N
no-nonoctal-decimal-escape javascript suggestion suggestion eslint N N
no-obj-calls javascript problem problem eslint N N
no-octal javascript suggestion suggestion eslint N N
no-prototype-builtins javascript problem problem eslint N N
no-redeclare javascript suggestion suggestion eslint N N
no-regex-spaces javascript suggestion suggestion eslint N N
no-self-assign javascript problem problem eslint N N
no-setter-return javascript problem problem eslint N N
no-shadow-restricted-names javascript suggestion suggestion eslint N N
no-sparse-arrays javascript problem problem eslint N N
no-this-before-super javascript problem problem eslint N N
no-undef javascript problem problem eslint N N
no-unexpected-multiline javascript problem problem eslint N N
no-unreachable javascript problem problem eslint N N
no-unsafe-finally javascript problem problem eslint N N
no-unsafe-negation javascript problem problem eslint N N
no-unsafe-optional-chaining javascript problem problem eslint N N
no-unused-labels javascript suggestion suggestion eslint N N
no-unused-vars javascript problem problem eslint N N
no-useless-backreference javascript problem problem eslint N N
no-useless-catch javascript suggestion suggestion eslint N N
no-useless-escape javascript suggestion suggestion eslint N N
no-with javascript suggestion suggestion eslint N N
require-yield javascript suggestion suggestion eslint N N
use-isnan javascript problem problem eslint N N
valid-typeof javascript problem problem eslint N N
for-direction typescript problem problem eslint-typescript N N
no-async-promise-executor typescript problem problem eslint-typescript N N
no-case-declarations typescript suggestion suggestion eslint-typescript N N
no-class-assign typescript problem problem eslint-typescript N N
no-compare-neg-zero typescript problem problem eslint-typescript N N
no-cond-assign typescript problem problem eslint-typescript N N
no-constant-condition typescript problem problem eslint-typescript N N
no-control-regex typescript problem problem eslint-typescript N N
no-debugger typescript problem problem eslint-typescript N N
no-delete-var typescript suggestion suggestion eslint-typescript N N
no-dupe-else-if typescript problem problem eslint-typescript N N
no-duplicate-case typescript problem problem eslint-typescript N N
no-empty typescript suggestion suggestion eslint-typescript N N
no-empty-character-class typescript problem problem eslint-typescript N N
no-empty-pattern typescript problem problem eslint-typescript N N
no-ex-assign typescript problem problem eslint-typescript N N
no-extra-boolean-cast typescript suggestion suggestion eslint-typescript N N
no-fallthrough typescript problem problem eslint-typescript N N
no-global-assign typescript suggestion suggestion eslint-typescript N N
no-inner-declarations typescript problem problem eslint-typescript N N
no-invalid-regexp typescript problem problem eslint-typescript N N
no-irregular-whitespace typescript problem problem eslint-typescript N N
no-misleading-character-class typescript problem problem eslint-typescript N N
no-nonoctal-decimal-escape typescript suggestion suggestion eslint-typescript N N
no-octal typescript suggestion suggestion eslint-typescript N N
no-prototype-builtins typescript problem problem eslint-typescript N N
no-regex-spaces typescript suggestion suggestion eslint-typescript N N
no-self-assign typescript problem problem eslint-typescript N N
no-shadow-restricted-names typescript suggestion suggestion eslint-typescript N N
no-sparse-arrays typescript problem problem eslint-typescript N N
no-unexpected-multiline typescript problem problem eslint-typescript N N
no-unsafe-finally typescript problem problem eslint-typescript N N
no-unsafe-optional-chaining typescript problem problem eslint-typescript N N
no-unused-labels typescript suggestion suggestion eslint-typescript N N
no-useless-backreference typescript problem problem eslint-typescript N N
no-useless-catch typescript suggestion suggestion eslint-typescript N N
no-useless-escape typescript suggestion suggestion eslint-typescript N N
no-var typescript suggestion suggestion eslint-typescript N N
no-with typescript suggestion suggestion eslint-typescript N N
prefer-const typescript suggestion suggestion eslint-typescript N N
prefer-rest-params typescript suggestion suggestion eslint-typescript N N
prefer-spread typescript suggestion suggestion eslint-typescript N N
require-yield typescript suggestion suggestion eslint-typescript N N
use-isnan typescript problem problem eslint-typescript N N
valid-typeof typescript problem problem eslint-typescript N N
@typescript-eslint/await-thenable typescript problem problem eslint-typescript N N
@typescript-eslint/ban-ts-comment typescript problem problem eslint-typescript N N
@typescript-eslint/ban-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-array-constructor typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-base-to-string typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-duplicate-enum-values typescript problem problem eslint-typescript N N
@typescript-eslint/no-duplicate-type-constituents typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-explicit-any typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-extra-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-floating-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-for-in-array typescript problem problem eslint-typescript N N
@typescript-eslint/no-implied-eval typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-loss-of-precision typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-new typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-namespace typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-non-null-asserted-optional-chain typescript problem problem eslint-typescript N N
@typescript-eslint/no-redundant-type-constituents typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-this-alias typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-assertion typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-constraint typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-argument typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-assignment typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-call typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-declaration-merging typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-enum-comparison typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-member-access typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-return typescript problem problem eslint-typescript N N
@typescript-eslint/no-unused-vars typescript problem problem eslint-typescript N N
@typescript-eslint/no-var-requires typescript problem problem eslint-typescript N N
@typescript-eslint/prefer-as-const typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/require-await typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/restrict-plus-operands typescript problem problem eslint-typescript N N
@typescript-eslint/restrict-template-expressions typescript problem problem eslint-typescript N N
@typescript-eslint/triple-slash-reference typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/unbound-method typescript problem problem eslint-typescript N N
insecure-bundled-dependencies javascript Insecure Dependencies retire-js N N
AvoidDatabaseOperationInLoop apex Performance sfge Y N
AvoidMultipleMassSchemaLookups apex Performance sfge Y N
ApexFlsViolationRule apex Security sfge Y N
RemoveUnusedMethod apex Performance sfge Y Y
PerformNullCheckOnSoqlVariables apex Performance sfge Y N
UseWithSharingOnDatabaseOperation apex Security sfge Y N
ApexNullPointerExceptionRule apex Error Prone sfge Y N
UnimplementedTypeRule apex Performance sfge N N
Installation on mega-linter Docker image
- Dockerfile commands:

```dockerfile
# Parent descriptor install
# renovate: datasource=npm depName=@salesforce/cli
ARG SALESFORCE_CLI_VERSION=2.72.21
# renovate: datasource=npm depName=@salesforce/plugin-packaging
ARG SALESFORCE_PLUGIN_PACKAGING_VERSION=2.9.12
# renovate: datasource=npm depName=sfdx-hardis
ARG SFDX_HARDIS_VERSION=5.16.4
ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
RUN sf plugins install @salesforce/plugin-packaging@${SALESFORCE_PLUGIN_PACKAGING_VERSION} \
    && echo y|sf plugins install sfdx-hardis@${SFDX_HARDIS_VERSION} \
    && (npm cache clean --force || true) \
    && rm -rf /root/.npm/_cacache
ENV SF_AUTOUPDATE_DISABLE=true SF_CLI_DISABLE_AUTOUPDATE=true
# Linter install
# renovate: datasource=npm depName=@salesforce/sfdx-scanner
ARG SALESFORCE_SFDX_SCANNER_VERSION=4.8.0
RUN sf plugins install @salesforce/sfdx-scanner@${SALESFORCE_SFDX_SCANNER_VERSION} \
    && (npm cache clean --force || true) \
    && rm -rf /root/.npm/_cacache
```