@salesforce/sfdx-scanner

Static code scanner that applies quality and security rules to Apex code, and provides feedback.


$ npm install -g @salesforce/sfdx-scanner
$ sfdx COMMAND
running command...
$ sfdx (-v|--version|version)
@salesforce/sfdx-scanner/1.0.28 linux-x64 node-v10.15.3
$ sfdx --help [COMMAND]
USAGE
  $ sfdx COMMAND
...

sfdx scanner:rule:add -l <string> -p <array> [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

Add custom rules to the scanner's registry.

USAGE
  $ sfdx scanner:rule:add -l <string> -p <array> [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -l, --language=language                                                           (required) Language against which
                                                                                    the custom rules will evaluate.

  -p, --path=path                                                                   (required) One or more paths to
                                                                                    custom rule definitions. Specify
                                                                                    multiple values with a
                                                                                    comma-separated list.

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

EXAMPLE
  PMD: Custom PMD rules should be in JARs. Adhere to PMD conventions, including defining rules in XMLs under a /category 
  directory.
  Refer to PMD's documentation for information on writing rules: 
  https://pmd.github.io/latest/pmd_userdocs_extending_writing_pmd_rules.html
  
     You may specify one or more JARs directly.
       E.g., $ sfdx scanner:rule:add --language apex --path "/Users/me/rules/Jar1.jar,/Users/me/rules/Jar2.jar"
         Successfully added rules for apex.
         2 path(s) added:
         /Users/me/rules/Jar1.jar,/Users/me/rules/Jar2.jar
      
     You may also specify a directory containing one or more JARs, all of which will be added.
       E.g., $ sfdx scanner:rule:add --language apex --path "/Users/me/rules"
         Successfully added rules for apex.
         2 path(s) added:
         /Users/me/rules/SomeJar.jar,/Users/me/rules/AnotherJar.jar

See code: lib/commands/scanner/rule/add.js
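Registering custom rules hands the scanner JARs whose Java code PMD loads and executes, so a practitioner would want those JARs pinned before they are added rather than trusting whatever sits in a directory. The script below is an added example, not part of sfdx-scanner: it checks every JAR against a SHA-256 manifest (the "<digest>  <path>" layout that sha256sum writes; the manifest name, helper names, the SFDX override variable and the assumption that paths contain no spaces are all this example's own choices) and only then invokes scanner:rule:add with the comma-separated --path list the command expects.

```shell
#!/bin/sh
# Added example (not sfdx-scanner's own code): verify custom rule JARs
# against pinned SHA-256 digests before registering them with
# `scanner:rule:add`. Custom PMD rules are Java code that the scanner
# executes, so an unpinned JAR path is a code-execution trust boundary.
# Manifest layout assumed here: "<sha256>  <path>" per line (sha256sum style),
# with paths that contain no spaces.

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_rule_jars MANIFEST
# Returns 0 only if every JAR listed in MANIFEST exists and matches its digest.
verify_rule_jars() {
    manifest="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "missing: $path" >&2
            status=1
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" != "$expected" ]; then
            echo "digest mismatch: $path" >&2
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# joined_jar_paths MANIFEST
# Prints the manifest's JAR paths as the comma-separated list --path expects.
joined_jar_paths() {
    awk 'NF >= 2 { printf "%s%s", sep, $2; sep="," } END { print "" }' "$1"
}

# add_verified_rules LANGUAGE MANIFEST
# Registers the JARs only after every digest checks out. The sfdx binary can
# be overridden through $SFDX (e.g. SFDX=echo for a dry run).
add_verified_rules() {
    lang="$1"; manifest="$2"
    verify_rule_jars "$manifest" || return 1
    "${SFDX:-sfdx}" scanner:rule:add --language "$lang" \
        --path "$(joined_jar_paths "$manifest")"
}
```

Regenerate the manifest with `sha256sum *.jar > rules.sha256` whenever a rule JAR is intentionally rebuilt, and keep it under version control next to the JARs so that a swapped JAR fails verification in CI instead of being loaded.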

sfdx scanner:rule:describe -n <string> [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

Provide detailed information about a rule.

USAGE
  $ sfdx scanner:rule:describe -n <string> [--verbose] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -n, --rulename=rulename                                                           (required) The name of a rule.
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  $ sfdx scanner:rule:describe --rulename ExampleRule
     name:        ExampleRule
     categories:  ExampleCategory
     rulesets:    Ruleset1
                  Ruleset2
                  Ruleset3
     languages:   apex
     description: Short description of rule
     message:     ExampleRule Violated.

See code: lib/commands/scanner/rule/describe.js

sfdx scanner:rule:list [-c <array>] [-r <array>] [-l <array>] [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

Lists basic information about all rules matching provided criteria

USAGE
  $ sfdx scanner:rule:list [-c <array>] [-r <array>] [-l <array>] [--verbose] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -c, --category=category                                                           Select rules by category. Enter
                                                                                    multiple values as a comma-separated
                                                                                    list.

  -l, --language=language                                                           Select rules by language. Enter
                                                                                    multiple values as a comma-separated
                                                                                    list.

  -r, --ruleset=ruleset                                                             Select rules by ruleset. Enter
                                                                                    multiple values as a comma-separated
                                                                                    list.

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  Invoking with no filter criteria returns all rules.
     E.g., $ sfdx scanner:rule:list
       Returns a table containing all rules.
  
  The values supplied to a single filter are handled with a logical OR.
     E.g., $ sfdx scanner:rule:list --language apex,javascript
       Returns all rules for Apex OR Javascript.

  Different filters are combined with a logical AND.
     E.g., $ sfdx scanner:rule:list --language apex,javascript --ruleset Braces,Security
       Returns all rules that:
       1) Target Apex OR Javascript,
       AND...
       2) Are members of the Braces OR Security rulesets.

See code: lib/commands/scanner/rule/list.js

sfdx scanner:run [-c <array>] [-r <array>] [-t <array> | undefined] [-f xml|junit|csv|table] [-o <string>] [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

Evaluate a selection of rules against a codebase.

USAGE
  $ sfdx scanner:run [-c <array>] [-r <array>] [-t <array> | undefined] [-f xml|junit|csv|table] [-o <string>] 
  [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -c, --category=category                                                           One or more categories of rules to
                                                                                    run. Multiple values can be
                                                                                    specified as a comma-separated list.

  -f, --format=(xml|junit|csv|table)                                                Specifies output format with results
                                                                                    written directly to the console.

  -o, --outfile=outfile                                                             Write output to a file.

  -r, --ruleset=ruleset                                                             One or more rulesets to run.
                                                                                    Multiple values can be specified as
                                                                                    a comma-separated list.

  -t, --target=target                                                               Source code location. May use glob
                                                                                    patterns. Multiple values can be
                                                                                    specified as a comma-separated list

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  Invoking without specifying any rules causes all rules to be run.
     E.g., $ sfdx scanner:run --format xml --target "somefile.js"
       Evaluates all rules against somefile.js.

  Specifying multiple categories or rulesets is treated as a logical OR.
     E.g., $ sfdx scanner:run --format xml --target "somefile.js" --category "Design,Best Practices" --ruleset "Braces"
       Evaluates all rules in the Design and Best Practices categories, and all rules in the Braces ruleset.

  Wrap globs in quotes.
     Unix example:    $ sfdx scanner:run --target './**/*.js,!./**/IgnoreMe.js' ...
     Windows example: > sfdx scanner:run --target ".\**\*.js,!.\**\IgnoreMe.js" ...
       Evaluate rules against all .js files below the current directory, except for IgnoreMe.js.

See code: lib/commands/scanner/run.js
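To use scanner:run as a CI gate, the report it writes has to be inspected for findings. The script below is an added example rather than sfdx-scanner's own code: it runs scanner:run with the globs quoted so that the scanner, not the shell, expands them, writes a JUnit report with --format junit --outfile, and fails the job when the report contains any violation. It assumes the junit output follows the conventional JUnit XML layout (one <failure> element per reported violation), that a Security category exists for the scanned language (used here as the default filter), and the function names and the SFDX override variable are this example's own.

```shell
#!/bin/sh
# Added example (not sfdx-scanner's own code): gate a CI job on scanner:run
# results. The scan writes JUnit XML (--format junit --outfile); the gate
# counts <failure> elements and fails the build when any are present.
# Assumptions: conventional JUnit schema (one <failure> per violation) and a
# "Security" category for the target language.

# run_scan TARGET_GLOBS OUTFILE [CATEGORIES]
# TARGET_GLOBS is passed through quoted so the scanner receives the pattern
# unexpanded, as the README requires for globs.
run_scan() {
    targets="$1"; outfile="$2"; categories="${3:-Security}"
    "${SFDX:-sfdx}" scanner:run \
        --target "$targets" \
        --category "$categories" \
        --format junit \
        --outfile "$outfile"
}

# count_failures REPORT.xml
# Prints the number of <failure> elements in a JUnit report (0 if none).
count_failures() {
    grep -o '<failure' "$1" | wc -l | tr -d ' '
}

# gate REPORT.xml
# Returns 1 (failing the job) when the report contains violations.
gate() {
    n=$(count_failures "$1")
    if [ "$n" -gt 0 ]; then
        echo "scanner reported $n violation(s) in $1" >&2
        return 1
    fi
    echo "scanner reported no violations"
}

# Typical job step (the target glob is the example's own choice):
#   run_scan './**/*.cls,!./**/IgnoreMe.cls' scan-results.xml && gate scan-results.xml
```

Keep the report as a job artifact even when the gate fails; most CI systems also render JUnit XML directly, which is why that format is chosen over csv or table here.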

sfdx scanner:scannerCommand [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

USAGE
  $ sfdx scanner:scannerCommand [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: lib/commands/scanner/scannerCommand.js

Debugging your plugin

We recommend using the Visual Studio Code (VS Code) IDE for your plugin development. Included in the .vscode directory of this plugin is a launch.json config file, which allows you to attach a debugger to the node process when running your commands.

To debug the hello:org command:

  1. Start the inspector

If you linked your plugin to the sfdx cli, call your command with the dev-suspend switch:

$ sfdx hello:org -u myOrg@example.com --dev-suspend

Alternatively, to call your command using the bin/run script, set the NODE_OPTIONS environment variable to --inspect-brk when starting the debugger:

$ NODE_OPTIONS=--inspect-brk bin/run hello:org -u myOrg@example.com
  2. Set some breakpoints in your command code
  3. Click on the Debug icon in the Activity Bar on the side of VS Code to open up the Debug view.
  4. In the upper left hand corner of VS Code, verify that the "Attach to Remote" launch configuration has been chosen.
  5. Hit the green play button to the left of the "Attach to Remote" launch configuration window. The debugger should now be suspended on the first line of the program.
  6. Hit the green play button at the top middle of VS Code (this play button will be to the right of the play button that you clicked in step #5).

    Congrats, you are debugging!


Package last updated on 02 Apr 2020
