
@corekraft/flow-linter
`flow-linter` brings the same rigor of linting and static code analysis—familiar to developers working with JavaScript or Apex—to Salesforce Flows.
Pinpoint deviations from Industry Best Practices in Salesforce Flows, ensuring standards of business automation excellence
*Also available as VS Code Extension
Install with SFDX:
sfdx plugins:install lightning-flow-scanner
Install with NPM:
npm install -g lightning-flow-scanner
sfdx flow:scan [options]
To learn more about the default rules and options, see the core documentation.
-c, --config <path> provide a path to the configuration file.
-f, --failon provide a threshold level for returning status 1
-p, --files <C:\..\flow1.flow, C:\..\flow2.flow> provide a space-separated list of flow paths to scan.
-u, --targetusername <username> retrieve the latest metadata from the target before the scan.
-d, --directory <C:\..\force-app\main\default\flows> provide a directory to scan.
--json set output format as json.
--loglevel=(trace|debug|info|warn|error|fatal) [default: warn] logging level.
You can test the scanner by simply opening an existing project that contains flows and running the scan without any configuration or parameters. This way all the default rules are automatically included in the scan.
sfdx flow:scan
sfdx flow:scan --json
sfdx flow:scan --config path/to/.flow-scanner.json
Create a .flow-scanner.json file in order to configure:
{
"rules": {
...
},
"exceptions": {
...
}
}
Note: if you prefer YAML format, you can create a .flow-scanner.yml file using the same format.
When the severity is not provided it will be error by default. Other available values for severity are warning and note. Define the severity per rule as shown in the following example.
{
"rules": {
"FlowDescription": {
"severity": "warning"
},
"UnusedVariable": {
"severity": "error"
}
}
}
Specifying exceptions can be done by flow, rule and result(s), as shown in the following example.
{
"exceptions": {
"AssignTaskOwner": {
"UnusedVariable": [
"somecount"
]
},
"GetAccounts":{
"UnusedVariable": [
"incvar"
]
}
}
}
Some rules have additional attributes to configure, such as the expression, that will overwrite default values. These can be configured in the same way as severity as shown in the following example.
{
"rules": {
"APIVersion":
{
"severity": "error",
"expression": "===58"
},
"FlowName":
{
"severity": "error",
"expression": "[A-Za-z0-9]"
}
}
}
To load custom rules using the Lightning Flow Scanner Core, you can utilize the path attribute within the rules section of your configuration. This attribute allows you to specify the path to your custom rule class, enabling seamless integration of organization-specific rule definitions into the scanner's ruleset.
{
"rules": {
"<RuleName>": {
"path": "<yourtypescriptfilepath>"
}
}
}
Custom Rules can either leverage our Flow compiler or be completely customized typescript functions. For more details and examples on custom rules, refer to our Custom Rule Creation Guide
Run npm install or yarn install in the terminal to install the necessary dependencies.
Run npm update lightning-flow-scanner-core to update the core module.
Run npm run prepack to build the plugin locally and prepare for packaging.
Run sfdx plugins link . to link the plugin.
Link lightning-flow-scanner-core locally to your project. This step is necessary if you're making changes to the core module and want those changes reflected in the plugin. You can link the core module by navigating to its directory and running:
npm link
Then, navigate to the sfdx plugin directory and run:
npm link lightning-flow-scanner-core
To run the scan with the Node inspector attached:
NODE_OPTIONS=--inspect-brk /path/to/lightning-flow-scanner-sfdx/bin/run flow:scan
For more detailed information, you can refer to the wiki of the Salesforce CLI repository.
We found that @corekraft/flow-linter demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.