Skip to content

code-analyzer-flow

GitHub stars GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

Salesforce Code Analyzer for Flows (Flow Scanner engine) audits Salesforce Flows and reports detailed information about security issues. It is the Flow Scanner engine bundled with Salesforce Code Analyzer v5, run through the unified sf code-analyzer run command.

Key Features:

  • Flow Security Analysis: Audits .flow-meta.xml Flows for security vulnerabilities such as unsafe data exposure and missing sanitization
  • Subflow Resolution: Analyzes the full workspace to resolve subflows while targeting the Flows you want reported
  • Data-Flow Aware: Traces how data moves through Flow elements to surface risky patterns
  • Unified Toolchain: Runs via the same Salesforce Code Analyzer v5 plugin and code-analyzer.yml configuration as the Apex, Aura, and LWC engines
  • Configurable Severity: Customizable severity thresholds to match your project's quality bar
  • Multiple Output Formats: Supports CSV, JSON, HTML, and SARIF output for integration with development tools
  • CI/CD Integration: Seamless integration with Salesforce development pipelines

The Flow Scanner engine requires Python 3.10 or later, which is available in the MegaLinter Salesforce image. If Python can't be resolved automatically, set the python_command setting in your code-analyzer.yml.

If your root folder is not force-app, please set variable SALESFORCE_CODE_ANALYZER_FLOW_DIRECTORY

See more details in Help

code-analyzer-flow documentation

code-analyzer - GitHub

Configuration in MegaLinter

Variable Description Default value
SALESFORCE_CODE_ANALYZER_FLOW_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
SALESFORCE_CODE_ANALYZER_FLOW_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
SALESFORCE_CODE_ANALYZER_FLOW_FILTER_REGEX_INCLUDE Custom regex including filter
Ex: (src\|lib)
Exclude no file
SALESFORCE_CODE_ANALYZER_FLOW_FILTER_REGEX_EXCLUDE Custom regex excluding filter
Ex: (test\|examples)
Exclude no file
SALESFORCE_CODE_ANALYZER_FLOW_CLI_LINT_MODE Override default CLI lint mode
- file: Calls the linter for each file
project
SALESFORCE_CODE_ANALYZER_FLOW_PRE_COMMANDS List of bash commands to run before the linter None
SALESFORCE_CODE_ANALYZER_FLOW_POST_COMMANDS List of bash commands to run after the linter None
SALESFORCE_CODE_ANALYZER_FLOW_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling SALESFORCE_CODE_ANALYZER_FLOW and its pre/post commands None
SALESFORCE_CODE_ANALYZER_FLOW_CONFIG_FILE code-analyzer-flow configuration file name
Use LINTER_DEFAULT to let the linter find it
code-analyzer-flow.yml
SALESFORCE_CODE_ANALYZER_FLOW_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
SALESFORCE_CODE_ANALYZER_FLOW_DISABLE_ERRORS Run linter but consider errors as warnings false
SALESFORCE_CODE_ANALYZER_FLOW_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
SALESFORCE_CODE_ANALYZER_FLOW_CLI_EXECUTABLE Override CLI executable ['sf']
SALESFORCE_DIRECTORY Directory containing SALESFORCE files (use any to always activate the linter) force-app

IDE Integration

Use code-analyzer-flow in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code Salesforce Extension Pack Install in VSCode

MegaLinter Flavors

This linter is available in the following flavors

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 125 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 58 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • Activated only if sub-directory force-app is found. (directory name can be overridden with SALESFORCE_DIRECTORY)
  • If this linter is active, all files will always be linted

How the linting is performed

  • code-analyzer-flow is called one time by identified file (file CLI lint mode)

Example calls

sf code-analyzer run --rule-selector flow --workspace . --output-file results.csv

Help content

Analyze your code with a selection of rules to ensure good coding practices.

USAGE
  $ sf code-analyzer run [--flags-dir <value>] [-w <value>...] [-t <value>...]
    [-r <value>...] [-s <value>] [-v detail|table] [-f <value>...] [-c <value>]
    [--include-fixes] [--include-suggestions] [--no-suppressions]

FLAGS
  -c, --config-file=<value>         Path to the configuration file used to
                                    customize the engines and rules.
  -f, --output-file=<value>...      Name of the file where the analysis results
                                    are written. The file format depends on the
                                    extension you specify, such as .csv, .html,
                                    .xml, and so on.
  -r, --rule-selector=<value>...    [default: Recommended] Selection of rules,
                                    based on engine name, severity level, rule
                                    name, tag, or a combination of criteria
                                    separated by colons.
  -s, --severity-threshold=<value>  Severity level of a found violation that
                                    must be met or exceeded to cause this
                                    command to fail with a non-zero exit code.
  -t, --target=<value>...           Subset of files within your workspace to be
                                    targeted for analysis.
  -v, --view=<option>               Format to display the command results in the
                                    terminal.
                                    <options: detail|table>
  -w, --workspace=<value>...        [default: .] Set of files that make up your
                                    workspace.
      --include-fixes               Include fix data for violations when
                                    available.
      --include-suggestions         Include suggestion data for violations when
                                    available.
      --no-suppressions             Disable processing of inline and bulk
                                    suppression markers.

GLOBAL FLAGS
  --flags-dir=<value>  Import flag values from a directory.


Streaming logs in real time to:
    /tmp/sfca-2026_07_14_07_12_43_900.log

Selecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 0%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 14%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 28%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 30%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 31%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 32%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 33%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 34%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 35%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 36%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 37%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 38%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 39%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 40%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 41%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 42%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 53%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 57%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 62%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 72%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 74%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 75%; Elapsed time: 0sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 75%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 84%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 85%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 87%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 96%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 98%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 99%; Elapsed time: 1sSelecting rules... Eligible engines: retire-js, regex, eslint, flow, pmd, cpd, sfge; Completion: 100%; Elapsed time: 1sSelecting rules... done.

  #    Name                                              Engine   Severity       Tag
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  1    CyclicSubflow                                     flow     1 (Critical)   Recommended, Performance, XML
  2    DbInLoop                                          flow     2 (High)       Recommended, Performance, XML
  3    DefaultCopy                                       flow     3 (Moderate)   Recommended, CodeStyle, XML
  4    HardcodedId                                       flow     3 (Moderate)   Recommended, BestPractices, XML
  5    MissingDescription                                flow     4 (Low)        CodeStyle, XML
  6    MissingFaultHandler                               flow     2 (High)       BestPractices, XML
  7    MissingNextValueConnector                         flow     1 (Critical)   Recommended, BestPractices, XML
  8    PreventPassingUserDataIntoElementWithoutSharing   flow     2 (High)       Recommended, Security, XML
  9    PreventPassingUserDataIntoElementWithSharing      flow     4 (Low)        Recommended, Security, XML
  10   SameRecordUpdate                                  flow     3 (Moderate)   Recommended, Security, XML
  11   TriggerCallout                                    flow     2 (High)       Recommended, Performance, XML
  12   TriggerEntryCriteria                              flow     2 (High)       Recommended, Performance, XML
  13   TriggerWaitEvent                                  flow     2 (High)       Recommended, Performance, XML
  14   UnreachableElement                                flow     4 (Low)        BestPractices, XML
  15   UnusedResource                                    flow     3 (Moderate)   BestPractices, XML



=== Summary

Found 15 rule(s) from 1 engine(s):
    15 flow rule(s) found.

Additional log information written to:
    /tmp/sfca-2026_07_14_07_12_43_900.log

Installation on mega-linter Docker image

  • Dockerfile commands :
# Parent descriptor install
# renovate: datasource=npm depName=@salesforce/cli
ARG NPM_SALESFORCE_CLI_VERSION=2.142.7
# renovate: datasource=npm depName=@salesforce/plugin-packaging
ARG NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION=2.30.1
# renovate: datasource=npm depName=sfdx-hardis
ARG SFDX_HARDIS_VERSION=7.19.2
ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
ENV XDG_DATA_HOME=/usr/local/share
RUN sf plugins install @salesforce/plugin-packaging@${NPM_SALESFORCE_PLUGIN_PACKAGING_VERSION} \
    && echo y|sf plugins install sfdx-hardis@${SFDX_HARDIS_VERSION} \
    && (npm cache clean --force || true) \
    && rm -rf /root/.npm/_cacache
ENV SF_AUTOUPDATE_DISABLE=true SF_CLI_DISABLE_AUTOUPDATE=true
# Linter install
# renovate: datasource=npm depName=@salesforce/plugin-code-analyzer
ARG SALESFORCE_CODE_ANALYZER_VERSION=5.14.0
RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
    && (npm cache clean --force || true) \
    && rm -rf /root/.npm/_cacache

Known errors and resolutions

When this linter fails for a known non-lint reason (remote service unavailable, malformed config, missing credentials, etc.), MegaLinter detects the pattern below in the linter output and surfaces the matching guidance.

SALESFORCE_CODE_ANALYZER_FLOW_ERROR_CONFIG_INVALID

Detection pattern (regex):

(Failed to parse the configuration content|The specified configuration file .* does not exist|The specified configuration file .* has an unsupported file extension|The configuration content is invalid)

Resolution guidance:

code-analyzer could not load the configuration file (code-analyzer.yml).
Verify the file is valid v5 YAML and that its path is reachable from the workspace.
Generate a starter config with: sf code-analyzer config -f code-analyzer.yml

SALESFORCE_CODE_ANALYZER_FLOW_ERROR_NO_TARGET_FILES

Detection pattern (regex):

(At least one file or folder must be included in the workspace|The specified target .* does not exist underneath any of the specified workspace paths|The file or folder .* does not exist)

Resolution guidance:

code-analyzer could not find any Flow files matching `**/*.flow-meta.xml`.
Verify that your Flows live under the workspace (default `force-app`) and that `SALESFORCE_CODE_ANALYZER_FLOW_DIRECTORY` points to the correct root.

SALESFORCE_CODE_ANALYZER_FLOW_ERROR_PYTHON_MISSING

Detection pattern (regex):

(Python .*(is )?missing|Could not (find|locate|discover) .*[Pp]ython|No .*[Pp]ython .* found|python_command)

Resolution guidance:

The Flow Scanner engine requires Python 3.10 or later and could not resolve a Python interpreter.
Verify Python 3.10+ is installed, or set the `python_command` setting for the flow engine in your `code-analyzer.yml`.