code-analyzer-flow
Salesforce Code Analyzer for Flows (Flow Scanner engine) audits Salesforce Flows and reports detailed information about security issues. It is the Flow Scanner engine bundled with Salesforce Code Analyzer v5, run through the unified sf code-analyzer run command.
Key Features:
- Flow Security Analysis: Audits
.flow-meta.xmlFlows for security vulnerabilities such as unsafe data exposure and missing sanitization - Subflow Resolution: Analyzes the full workspace to resolve subflows while targeting the Flows you want reported
- Data-Flow Aware: Traces how data moves through Flow elements to surface risky patterns
- Unified Toolchain: Runs via the same Salesforce Code Analyzer v5 plugin and
code-analyzer.ymlconfiguration as the Apex, Aura, and LWC engines - Configurable Severity: Customizable severity thresholds to match your project's quality bar
- Multiple Output Formats: Supports CSV, JSON, HTML, and SARIF output for integration with development tools
- CI/CD Integration: Seamless integration with Salesforce development pipelines
The Flow Scanner engine requires Python 3.10 or later, which is available in the MegaLinter Salesforce image. If Python can't be resolved automatically, set the python_command setting in your code-analyzer.yml.
If your root folder is not force-app, please set variable SALESFORCE_CODE_ANALYZER_FLOW_DIRECTORY
See more details in Help
code-analyzer-flow documentation
- Version in MegaLinter: 5.14.0
- Visit Official Web Site
- See How to configure code-analyzer-flow rules
- If custom
code-analyzer-flow.ymlconfig file isn't found, code-analyzer-flow.yml will be used
- If custom
- See Index of problems detected by code-analyzer-flow
Configuration in MegaLinter
- Enable code-analyzer-flow by adding
SALESFORCE_CODE_ANALYZER_FLOWin ENABLE_LINTERS variable - Disable code-analyzer-flow by adding
SALESFORCE_CODE_ANALYZER_FLOWin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| SALESFORCE_CODE_ANALYZER_FLOW_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| SALESFORCE_CODE_ANALYZER_FLOW_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
| SALESFORCE_CODE_ANALYZER_FLOW_FILTER_REGEX_INCLUDE | Custom regex including filter Ex: (src\|lib) |
Exclude no file |
| SALESFORCE_CODE_ANALYZER_FLOW_FILTER_REGEX_EXCLUDE | Custom regex excluding filter Ex: (test\|examples) |
Exclude no file |
| SALESFORCE_CODE_ANALYZER_FLOW_CLI_LINT_MODE | Override default CLI lint mode - file: Calls the linter for each file |
project |
| SALESFORCE_CODE_ANALYZER_FLOW_PRE_COMMANDS | List of bash commands to run before the linter | None |
| SALESFORCE_CODE_ANALYZER_FLOW_POST_COMMANDS | List of bash commands to run after the linter | None |
| SALESFORCE_CODE_ANALYZER_FLOW_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_CODE_ANALYZER_FLOW and its pre/post commands | None |
| SALESFORCE_CODE_ANALYZER_FLOW_CONFIG_FILE | code-analyzer-flow configuration file name Use LINTER_DEFAULT to let the linter find it |
code-analyzer-flow.yml |
| SALESFORCE_CODE_ANALYZER_FLOW_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| SALESFORCE_CODE_ANALYZER_FLOW_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| SALESFORCE_CODE_ANALYZER_FLOW_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| SALESFORCE_CODE_ANALYZER_FLOW_CLI_EXECUTABLE | Override CLI executable | ['sf'] |
| SALESFORCE_DIRECTORY | Directory containing SALESFORCE files (use any to always activate the linter) |
force-app |
IDE Integration
Use code-analyzer-flow in your favorite IDE to catch errors before MegaLinter !
| IDE | Extension Name | Install | |
|---|---|---|---|
| Visual Studio Code | Salesforce Extension Pack | ![]() |
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
![]() |
all | Default MegaLinter Flavor | 125 | |
| salesforce | Optimized for Salesforce based projects | 58 |
Behind the scenes
How are identified applicable files
- Activated only if sub-directory
force-appis found. (directory name can be overridden withSALESFORCE_DIRECTORY) - If this linter is active, all files will always be linted
How the linting is performed
- code-analyzer-flow is called one time by identified file (
fileCLI lint mode)
Example calls
sf code-analyzer run --rule-selector flow --workspace . --output-file results.csv
Help content
Analyze your code with a selection of rules to ensure good coding practices.
USAGE
$ sf code-analyzer run [--flags-dir <value>] [-w <value>...] [-t <value>...]
[-r <value>...] [-s <value>] [-v detail|table] [-f <value>...] [-c <value>]
[--include-fixes] [--include-suggestions] [--no-suppressions]
FLAGS
-c, --config-file=<value> Path to the configuration file used to
customize the engines and rules.
-f, --output-file=<value>... Name of the file where the analysis results
are written. The file format depends on the
extension you specify, such as .csv, .html,
.xml, and so on.
-r, --rule-selector=<value>... [default: Recommended] Selection of rules,
based on engine name, severity level, rule
name, tag, or a combination of criteria
separated by colons.
-s, --severity-threshold=<value> Severity level of a found violation that
must be met or exceeded to cause this
command to fail with a non-zero exit code.
-t, --target=<value>... Subset of files within your workspace to be
targeted for analysis.
-v, --view=<option> Format to display the command results in the
terminal.
<options: detail|table>
-w, --workspace=<value>... [default: .] Set of files that make up your
workspace.
--include-fixes Include fix data for violations when
available.
--include-suggestions Include suggestion data for violations when
available.
--no-suppressions Disable processing of inline and bulk
suppression markers.
GLOBAL FLAGS
--flags-dir=<value> Import flag values from a directory.
Streaming logs in real time to:
/tmp/sfca-2026_07_14_07_12_43_900.log
Selecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 0%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 14%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 28%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 30%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 31%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 32%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 33%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 34%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 35%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 36%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 37%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 38%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 39%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 40%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 41%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 42%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 53%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 57%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 62%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 72%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 74%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 75%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 75%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 84%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 85%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 87%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 96%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 98%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 99%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 100%; Elapsed time: 1sSelecting rules... done.
# Name Engine Severity Tag
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 CyclicSubflow flow 1 (Critical) Recommended, Performance, XML
2 DbInLoop flow 2 (High) Recommended, Performance, XML
3 DefaultCopy flow 3 (Moderate) Recommended, CodeStyle, XML
4 HardcodedId flow 3 (Moderate) Recommended, BestPractices, XML
5 MissingDescription flow 4 (Low) CodeStyle, XML
6 MissingFaultHandler flow 2 (High) BestPractices, XML
7 MissingNextValueConnector flow 1 (Critical) Recommended, BestPractices, XML
8 PreventPassingUserDataIntoElementWithoutSharing flow 2 (High) Recommended, Security, XML
9 PreventPassingUserDataIntoElementWithSharing flow 4 (Low) Recommended, Security, XML
10 SameRecordUpdate flow 3 (Moderate) Recommended, Security, XML
11 TriggerCallout flow 2 (High) Recommended, Performance, XML
12 TriggerEntryCriteria flow 2 (High) Recommended, Performance, XML
13 TriggerWaitEvent flow 2 (High) Recommended, Performance, XML
14 UnreachableElement flow 4 (Low) BestPractices, XML
15 UnusedResource flow 3 (Moderate) BestPractices, XML
=== Summary
Found 15 rule(s) from 1 engine(s):
15 flow rule(s) found.
Additional log information written to:
/tmp/sfca-2026_07_14_07_12_43_900.log
Installation on mega-linter Docker image
- Dockerfile commands :
# Parent descriptor install
# renovate: datasource=npm depName=@salesforce/cli
ARG NPM_SALESFORCE_CLI_VERSION=2.142.7
# renovate: datasource=npm depName=@salesforce/plugin-packaging
ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.30.1
# renovate: datasource=npm depName=sfdx-hardis
ARG SFDX_HARDIS_VERSION=7.19.2
ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
ENV XDG_DATA_HOME=/usr/local/share
RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
&& echo y|sf plugins install sfdx-hardis@${SFDX_HARDIS_VERSION} \
&& (npm cache clean --force || true) \
&& rm -rf /root/.npm/_cacache
ENV SF_AUTOUPDATE_DISABLE=true SF_CLI_DISABLE_AUTOUPDATE=true
# Linter install
# renovate: datasource=npm depName=@salesforce/plugin-code-analyzer
ARG SALESFORCE_CODE_ANALYZER_VERSION=5.14.0
RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
&& (npm cache clean --force || true) \
&& rm -rf /root/.npm/_cacache
Known errors and resolutions
When this linter fails for a known non-lint reason (remote service unavailable, malformed config, missing credentials, etc.), MegaLinter detects the pattern below in the linter output and surfaces the matching guidance.
SALESFORCE_CODE_ANALYZER_FLOW_ERROR_CONFIG_INVALID
Detection pattern (regex):
(Failed to parse the configuration content|The specified configuration file .* does not exist|The specified configuration file .* has an unsupported file extension|The configuration content is invalid)
Resolution guidance:
code-analyzer could not load the configuration file (code-analyzer.yml).
Verify the file is valid v5 YAML and that its path is reachable from the workspace.
Generate a starter config with: sf code-analyzer config -f code-analyzer.yml
SALESFORCE_CODE_ANALYZER_FLOW_ERROR_NO_TARGET_FILES
Detection pattern (regex):
(At least one file or folder must be included in the workspace|The specified target .* does not exist underneath any of the specified workspace paths|The file or folder .* does not exist)
Resolution guidance:
code-analyzer could not find any Flow files matching `**/*.flow-meta.xml`.
Verify that your Flows live under the workspace (default `force-app`) and that `SALESFORCE_CODE_ANALYZER_FLOW_DIRECTORY` points to the correct root.
SALESFORCE_CODE_ANALYZER_FLOW_ERROR_PYTHON_MISSING
Detection pattern (regex):
(Python .*(is )?missing|Could not (find|locate|discover) .*[Pp]ython|No .*[Pp]ython .* found|python_command)
Resolution guidance:
The Flow Scanner engine requires Python 3.10 or later and could not resolve a Python interpreter.
Verify Python 3.10+ is installed, or set the `python_command` setting for the flow engine in your `code-analyzer.yml`.

