sfdx-scanner-apex
sfdx-scanner is a sfdx plugin scanning apex and triggers using Apex PMD, and javascript using eslint
If your root folder is not force-app, please set variable SALESFORCE_SFDX_SCANNER_DIRECTORY
You can select categories and single rules by defining custom arguments (example: SALESFORCE_SFDX_SCANNER_ARGUMENTS: -c "Best Practices,Security"
)
See more details in Help
Workaround: Restricted to PMD
sfdx-scanner-apex documentation
- Version in MegaLinter: 4.6.0
- Visit Official Web Site
- See How to configure sfdx-scanner-apex rules
- If custom
apex-pmd-ruleset.xml
config file isn't found, apex-pmd-ruleset.xml will be used
- If custom
- See How to disable sfdx-scanner-apex rules in files
- See Index of problems detected by sfdx-scanner-apex
Configuration in MegaLinter
- Enable sfdx-scanner-apex by adding
SALESFORCE_SFDX_SCANNER_APEX
in ENABLE_LINTERS variable - Disable sfdx-scanner-apex by adding
SALESFORCE_SFDX_SCANNER_APEX
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
SALESFORCE_SFDX_SCANNER_APEX_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
SALESFORCE_SFDX_SCANNER_APEX_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
SALESFORCE_SFDX_SCANNER_APEX_CLI_LINT_MODE | Override default CLI lint mode β οΈ As default value is project, overriding might not work - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
project |
SALESFORCE_SFDX_SCANNER_APEX_PRE_COMMANDS | List of bash commands to run before the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_POST_COMMANDS | List of bash commands to run after the linter | None |
SALESFORCE_SFDX_SCANNER_APEX_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling SALESFORCE_SFDX_SCANNER_APEX and its pre/post commands | None |
SALESFORCE_SFDX_SCANNER_APEX_CONFIG_FILE | sfdx-scanner-apex configuration file nameUse LINTER_DEFAULT to let the linter find it |
apex-pmd-ruleset.xml |
SALESFORCE_SFDX_SCANNER_APEX_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
SALESFORCE_SFDX_SCANNER_APEX_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
SALESFORCE_SFDX_SCANNER_APEX_CLI_EXECUTABLE | Override CLI executable | ['sf'] |
SALESFORCE_DIRECTORY | Directory containing SALESFORCE files (use any to always activate the linter) |
force-app |
IDE Integration
Use sfdx-scanner-apex in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Eclipse | pmd-eclipse-plugin | Visit Web Site | |
Emacs | pmd-emacs | Visit Web Site | |
IDEA | PMD IntelliJ | ||
Visual Studio Code | Salesforce Extension Pack |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
salesforce | Optimized for Salesforce based projects | 54 |
Behind the scenes
How are identified applicable files
- Activated only if sub-directory
force-app
is found. (directory name can be overridden withSALESFORCE_DIRECTORY
) - If this linter is active, all files will always be linted
How the linting is performed
sfdx-scanner-apex is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using sfdx-scanner-apex configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make sfdx-scanner-apex analyze only updated files
Example calls
sf scanner:run
Help content
βΊ Warning: @salesforce/cli update available from 2.60.13 to 2.61.8.
(node:1754) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Scan a codebase with all the rules in the registry, or use parameters to filter the rules based on rulename, category, or ruleset.
USAGE
$ sf scanner run [--verbose] [-c <value>...] [-f
csv|html|json|junit|sarif|table|xml] [-o <value>] [-s <value> | --json]
[--normalize-severity] [-p <value>...] [-r <value>...] [-e eslint|eslint-lwc
|eslint-typescript|pmd|pmd-appexchange|retire-js|sfge|cpd...] [-t
<value>...] [--tsconfig <value>] [--eslintconfig <value>] [--pmdconfig
<value>] [--env <value>] [--verbose-violations]
FLAGS
-c, --category=<value>... One or more categories of rules to run.
-e, --engine=<option>... Specify which engines to run.
<options: eslint|eslint-lwc|eslint-typescrip
t|pmd|pmd-appexchange|retire-js|sfge|cpd>
-f, --format=<option> The output format for results written
directly to the console.
<options:
csv|html|json|junit|sarif|table|xml>
-o, --outfile=<value> File to write output to.
-p, --projectdir=<value>... The relative or absolute root project
directories used to set the context for
Graph Engine's analysis.
-r, --ruleset=<value>... [Deprecated] Rulesets to run.
-s, --severity-threshold=<value> An error will be thrown when a violation is
found with a severity equal to or greater
than the specified level.
-t, --target=<value>... Source code location.
--env=<value> [Deprecated] Override ESLint's default
environment variables, in JSON-formatted
string.
--eslintconfig=<value> Specify the location of eslintrc config to
customize eslint engine. The --tsconfig flag
canβt be used with --eslintconfig flag.
--normalize-severity Include normalized severity levels 1 (high),
2 (moderate), and 3 (low) with the results.
--pmdconfig=<value> Location of PMD rule reference XML file to
customize rule selection.
--tsconfig=<value> Location of tsconfig.json file used by the
eslint-typescript engine. The --tsconfig
flag canβt be used with --eslintconfig flag.
--verbose Emit additional command output to stdout.
--verbose-violations Includes Retire-js violation-message details
about each vulnerability in the results,
including summary, common vulnerabilities
and exposures (CVE), and URLs.
GLOBAL FLAGS
--json Format output as json.
COMMANDS
scanner run dfa Scan codebase with all DFA rules by default.
βΊ Warning: @salesforce/cli update available from 2.60.13 to 2.61.8.
(node:1766) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
name languages categories rulesets [dep] engine is dfa is pilot
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ βββββββββββ βββββββββββββββββββββ ββββββββββββββ βββββββββββββββββ ββββββ ββββββββ
VfCsrf visualforce Security pmd N N
VfHtmlStyleTagXss visualforce Security pmd N N
VfUnescapeEl visualforce Security pmd N N
ApexAssertionsShouldIncludeMessage apex Best Practices pmd N N
ApexUnitTestClassShouldHaveAsserts apex Best Practices quickstart pmd N N
ApexUnitTestClassShouldHaveRunAs apex Best Practices quickstart pmd N N
ApexUnitTestMethodShouldHaveIsTestAnnotation apex Best Practices pmd N N
ApexUnitTestShouldNotUseSeeAllDataTrue apex Best Practices quickstart pmd N N
AvoidGlobalModifier apex Best Practices quickstart pmd N N
AvoidLogicInTrigger apex Best Practices quickstart pmd N N
DebugsShouldUseLoggingLevel apex Best Practices quickstart pmd N N
UnusedLocalVariable apex Best Practices pmd N N
AvoidDebugStatements apex Performance pmd N N
AvoidNonRestrictiveQueries apex Performance pmd N N
EagerlyLoadedDescribeSObjectResult apex Performance pmd N N
OperationWithHighCostInLoop apex Performance quickstart pmd N N
OperationWithLimitsInLoop apex Performance quickstart pmd N N
ApexBadCrypto apex Security quickstart pmd N N
ApexCRUDViolation apex Security quickstart pmd N N
ApexDangerousMethods apex Security quickstart pmd N N
ApexInsecureEndpoint apex Security quickstart pmd N N
ApexOpenRedirect apex Security quickstart pmd N N
ApexSharingViolations apex Security quickstart pmd N N
ApexSOQLInjection apex Security quickstart pmd N N
ApexSuggestUsingNamedCred apex Security quickstart pmd N N
ApexXSSFromEscapeFalse apex Security quickstart pmd N N
ApexXSSFromURLParam apex Security quickstart pmd N N
ClassNamingConventions apex Code Style quickstart pmd N N
IfElseStmtsMustUseBraces apex Code Style quickstart pmd N N
IfStmtsMustUseBraces apex Code Style quickstart pmd N N
FieldDeclarationsShouldBeAtStart apex Code Style pmd N N
FieldNamingConventions apex Code Style quickstart pmd N N
ForLoopsMustUseBraces apex Code Style quickstart pmd N N
FormalParameterNamingConventions apex Code Style quickstart pmd N N
LocalVariableNamingConventions apex Code Style quickstart pmd N N
MethodNamingConventions apex Code Style quickstart pmd N N
OneDeclarationPerLine apex Code Style quickstart pmd N N
PropertyNamingConventions apex Code Style quickstart pmd N N
WhileLoopsMustUseBraces apex Code Style quickstart pmd N N
AvoidDeeplyNestedIfStmts apex Design quickstart pmd N N
UnusedMethod apex Design pmd N N
CyclomaticComplexity apex Design quickstart pmd N N
CognitiveComplexity apex Design pmd N N
ExcessiveClassLength apex Design quickstart pmd N N
ExcessiveParameterList apex Design quickstart pmd N N
ExcessivePublicCount apex Design quickstart pmd N N
NcssConstructorCount apex Design quickstart pmd N N
NcssMethodCount apex Design quickstart pmd N N
NcssTypeCount apex Design quickstart pmd N N
StdCyclomaticComplexity apex Design quickstart pmd N N
TooManyFields apex Design quickstart pmd N N
ApexDoc apex Documentation quickstart pmd N N
ApexCSRF apex Error Prone quickstart pmd N N
AvoidDirectAccessTriggerMap apex Error Prone quickstart pmd N N
AvoidHardcodingId apex Error Prone quickstart pmd N N
AvoidNonExistentAnnotations apex Error Prone quickstart pmd N N
EmptyCatchBlock apex Error Prone quickstart pmd N N
EmptyIfStmt apex Error Prone quickstart pmd N N
EmptyStatementBlock apex Error Prone quickstart pmd N N
EmptyTryOrFinallyBlock apex Error Prone quickstart pmd N N
EmptyWhileStmt apex Error Prone quickstart pmd N N
InaccessibleAuraEnabledGetter apex Error Prone pmd N N
MethodWithSameNameAsEnclosingClass apex Error Prone quickstart pmd N N
OverrideBothEqualsAndHashcode apex Error Prone pmd N N
TestMethodsMustBeInTestClasses apex Error Prone pmd N N
constructor-super javascript problem problem eslint N N
for-direction javascript problem problem eslint N N
getter-return javascript problem problem eslint N N
no-async-promise-executor javascript problem problem eslint N N
no-case-declarations javascript suggestion suggestion eslint N N
no-class-assign javascript problem problem eslint N N
no-compare-neg-zero javascript problem problem eslint N N
no-cond-assign javascript problem problem eslint N N
no-const-assign javascript problem problem eslint N N
no-constant-condition javascript problem problem eslint N N
no-control-regex javascript problem problem eslint N N
no-debugger javascript problem problem eslint N N
no-delete-var javascript suggestion suggestion eslint N N
no-dupe-args javascript problem problem eslint N N
no-dupe-class-members javascript problem problem eslint N N
no-dupe-else-if javascript problem problem eslint N N
no-dupe-keys javascript problem problem eslint N N
no-duplicate-case javascript problem problem eslint N N
no-empty javascript suggestion suggestion eslint N N
no-empty-character-class javascript problem problem eslint N N
no-empty-pattern javascript problem problem eslint N N
no-ex-assign javascript problem problem eslint N N
no-extra-boolean-cast javascript suggestion suggestion eslint N N
no-fallthrough javascript problem problem eslint N N
no-func-assign javascript problem problem eslint N N
no-global-assign javascript suggestion suggestion eslint N N
no-import-assign javascript problem problem eslint N N
no-inner-declarations javascript problem problem eslint N N
no-invalid-regexp javascript problem problem eslint N N
no-irregular-whitespace javascript problem problem eslint N N
no-loss-of-precision javascript problem problem eslint N N
no-misleading-character-class javascript problem problem eslint N N
no-new-symbol javascript problem problem eslint N N
no-nonoctal-decimal-escape javascript suggestion suggestion eslint N N
no-obj-calls javascript problem problem eslint N N
no-octal javascript suggestion suggestion eslint N N
no-prototype-builtins javascript problem problem eslint N N
no-redeclare javascript suggestion suggestion eslint N N
no-regex-spaces javascript suggestion suggestion eslint N N
no-self-assign javascript problem problem eslint N N
no-setter-return javascript problem problem eslint N N
no-shadow-restricted-names javascript suggestion suggestion eslint N N
no-sparse-arrays javascript problem problem eslint N N
no-this-before-super javascript problem problem eslint N N
no-undef javascript problem problem eslint N N
no-unexpected-multiline javascript problem problem eslint N N
no-unreachable javascript problem problem eslint N N
no-unsafe-finally javascript problem problem eslint N N
no-unsafe-negation javascript problem problem eslint N N
no-unsafe-optional-chaining javascript problem problem eslint N N
no-unused-labels javascript suggestion suggestion eslint N N
no-unused-vars javascript problem problem eslint N N
no-useless-backreference javascript problem problem eslint N N
no-useless-catch javascript suggestion suggestion eslint N N
no-useless-escape javascript suggestion suggestion eslint N N
no-with javascript suggestion suggestion eslint N N
require-yield javascript suggestion suggestion eslint N N
use-isnan javascript problem problem eslint N N
valid-typeof javascript problem problem eslint N N
for-direction typescript problem problem eslint-typescript N N
no-async-promise-executor typescript problem problem eslint-typescript N N
no-case-declarations typescript suggestion suggestion eslint-typescript N N
no-class-assign typescript problem problem eslint-typescript N N
no-compare-neg-zero typescript problem problem eslint-typescript N N
no-cond-assign typescript problem problem eslint-typescript N N
no-constant-condition typescript problem problem eslint-typescript N N
no-control-regex typescript problem problem eslint-typescript N N
no-debugger typescript problem problem eslint-typescript N N
no-delete-var typescript suggestion suggestion eslint-typescript N N
no-dupe-else-if typescript problem problem eslint-typescript N N
no-duplicate-case typescript problem problem eslint-typescript N N
no-empty typescript suggestion suggestion eslint-typescript N N
no-empty-character-class typescript problem problem eslint-typescript N N
no-empty-pattern typescript problem problem eslint-typescript N N
no-ex-assign typescript problem problem eslint-typescript N N
no-extra-boolean-cast typescript suggestion suggestion eslint-typescript N N
no-fallthrough typescript problem problem eslint-typescript N N
no-global-assign typescript suggestion suggestion eslint-typescript N N
no-inner-declarations typescript problem problem eslint-typescript N N
no-invalid-regexp typescript problem problem eslint-typescript N N
no-irregular-whitespace typescript problem problem eslint-typescript N N
no-misleading-character-class typescript problem problem eslint-typescript N N
no-nonoctal-decimal-escape typescript suggestion suggestion eslint-typescript N N
no-octal typescript suggestion suggestion eslint-typescript N N
no-prototype-builtins typescript problem problem eslint-typescript N N
no-regex-spaces typescript suggestion suggestion eslint-typescript N N
no-self-assign typescript problem problem eslint-typescript N N
no-shadow-restricted-names typescript suggestion suggestion eslint-typescript N N
no-sparse-arrays typescript problem problem eslint-typescript N N
no-unexpected-multiline typescript problem problem eslint-typescript N N
no-unsafe-finally typescript problem problem eslint-typescript N N
no-unsafe-optional-chaining typescript problem problem eslint-typescript N N
no-unused-labels typescript suggestion suggestion eslint-typescript N N
no-useless-backreference typescript problem problem eslint-typescript N N
no-useless-catch typescript suggestion suggestion eslint-typescript N N
no-useless-escape typescript suggestion suggestion eslint-typescript N N
no-var typescript suggestion suggestion eslint-typescript N N
no-with typescript suggestion suggestion eslint-typescript N N
prefer-const typescript suggestion suggestion eslint-typescript N N
prefer-rest-params typescript suggestion suggestion eslint-typescript N N
prefer-spread typescript suggestion suggestion eslint-typescript N N
require-yield typescript suggestion suggestion eslint-typescript N N
use-isnan typescript problem problem eslint-typescript N N
valid-typeof typescript problem problem eslint-typescript N N
@typescript-eslint/await-thenable typescript problem problem eslint-typescript N N
@typescript-eslint/ban-ts-comment typescript problem problem eslint-typescript N N
@typescript-eslint/ban-types typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-array-constructor typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-base-to-string typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-duplicate-enum-values typescript problem problem eslint-typescript N N
@typescript-eslint/no-duplicate-type-constituents typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-explicit-any typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-extra-non-null-assertion typescript problem problem eslint-typescript N N
@typescript-eslint/no-floating-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-for-in-array typescript problem problem eslint-typescript N N
@typescript-eslint/no-implied-eval typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-loss-of-precision typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-new typescript problem problem eslint-typescript N N
@typescript-eslint/no-misused-promises typescript problem problem eslint-typescript N N
@typescript-eslint/no-namespace typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-non-null-asserted-optional-chain typescript problem problem eslint-typescript N N
@typescript-eslint/no-redundant-type-constituents typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-this-alias typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-assertion typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unnecessary-type-constraint typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-argument typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-assignment typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-call typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-declaration-merging typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-enum-comparison typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/no-unsafe-member-access typescript problem problem eslint-typescript N N
@typescript-eslint/no-unsafe-return typescript problem problem eslint-typescript N N
@typescript-eslint/no-unused-vars typescript problem problem eslint-typescript N N
@typescript-eslint/no-var-requires typescript problem problem eslint-typescript N N
@typescript-eslint/prefer-as-const typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/require-await typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/restrict-plus-operands typescript problem problem eslint-typescript N N
@typescript-eslint/restrict-template-expressions typescript problem problem eslint-typescript N N
@typescript-eslint/triple-slash-reference typescript suggestion suggestion eslint-typescript N N
@typescript-eslint/unbound-method typescript problem problem eslint-typescript N N
insecure-bundled-dependencies javascript Insecure Dependencies retire-js N N
AvoidDatabaseOperationInLoop apex Performance sfge Y N
AvoidMultipleMassSchemaLookups apex Performance sfge Y N
ApexFlsViolationRule apex Security sfge Y N
RemoveUnusedMethod apex Performance sfge Y Y
PerformNullCheckOnSoqlVariables apex Performance sfge Y N
UseWithSharingOnDatabaseOperation apex Security sfge Y N
ApexNullPointerExceptionRule apex Error Prone sfge Y N
UnimplementedTypeRule apex Performance sfge N N
Installation on mega-linter Docker image
- Dockerfile commands :
# Parent descriptor install
# renovate: datasource=npm depName=@salesforce/cli
ARG SALESFORCE_CLI_VERSION=2.60.13
# renovate: datasource=npm depName=@salesforce/plugin-packaging
ARG SALESFORCE_PLUGIN_PACKAGING_VERSION=2.8.11
# renovate: datasource=npm depName=sfdx-hardis
ARG SFDX_HARDIS_VERSION=5.0.10
ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
ENV PATH="$JAVA_HOME/bin:${PATH}"
RUN sf plugins install @salesforce/plugin-packaging@${SALESFORCE_PLUGIN_PACKAGING_VERSION} \
&& echo y|sf plugins install sfdx-hardis@${SFDX_HARDIS_VERSION} \
&& npm cache clean --force || true \
&& rm -rf /root/.npm/_cacache
ENV SF_AUTOUPDATE_DISABLE=true
# Linter install
# renovate: datasource=npm depName=@salesforce/sfdx-scanner
ARG SALESFORCE_SFDX_SCANNER_VERSION=4.6.0
RUN sf plugins install @salesforce/sfdx-scanner@${SALESFORCE_SFDX_SCANNER_VERSION} \
&& npm cache clean --force || true \
&& rm -rf /root/.npm/_cacache