sf-code-scanner

Salesforce Code Scanner CLI for Apex and LWC best practices

Version: 1.0.5 (latest on npm)
Maintainers: 1

Salesforce Code Scanner CLI

A powerful Node.js CLI tool for scanning Salesforce Apex and LWC code for best practices and violations using PMD and custom rules.

Pre-requisites

1. Java

Install Java using Homebrew (macOS):

brew install openjdk@17

Check the Java path:

which java
/opt/homebrew/opt/openjdk@17/bin/java

2. PMD

Download PMD from: https://pmd.github.io/

For macOS:

cd $HOME
curl -OL https://github.com/pmd/pmd/releases/download/pmd_releases%2F7.18.0/pmd-dist-7.18.0-bin.zip
unzip pmd-dist-7.18.0-bin.zip
alias pmd="$HOME/pmd-bin-7.18.0/bin/pmd"
pmd check -d /usr/src -R rulesets/java/quickstart.xml -f text

Features

  • 🔍 Apex Code Analysis - Static code analysis using PMD
  • LWC Best Practices - Custom checks for Lightning Web Components
  • 📊 Beautiful HTML Reports - Interactive reports with dark/light theme
  • 📈 Data Visualization - Charts showing violations by priority and type
  • 🔄 Export to CSV - Download violation data for further analysis
  • 🎨 Modern UI - DataTables with search, sorting, and pagination
  • 📥 Download Charts - Export charts as PNG images

Prerequisites

  • Node.js >= 14.0.0
  • Salesforce CLI (sf) installed and authenticated
  • PMD (Download from https://pmd.github.io/)
  • Active Salesforce org connection

Installation

npm install -g sf-code-scanner

Usage

sf-scan -u <username> -p <pmd-path> -s <scan-types> [options]

Options

Option       Alias  Required   Description
--username   -u     Yes        Salesforce org username or alias
--pmd-path   -p     Yes        Path to PMD binary directory
--scan       -s     Yes        Types to scan: Apex, LWC, or both (comma-separated)
--ruleset    -r     For Apex   Path to PMD ruleset file
--output     -o     No         Output directory for reports (default: ./reports)

Examples

Scan Apex code only:

sf-scan \
  -u myorg@example.com \
  -p /usr/local/pmd/bin \
  -s Apex \
  -r ./rulesets/apex-ruleset.xml

Scan LWC code only:

sf-scan \
  -u myorg@example.com \
  -p /usr/local/pmd/bin \
  -s LWC

Scan both Apex and LWC:

sf-scan \
  -u myorg@example.com \
  -p /usr/local/pmd/bin \
  -s Apex,LWC \
  -r ./rulesets/apex-ruleset.xml \
  -o ./my-reports

PMD Ruleset Configuration

Create a PMD ruleset XML file for Apex scanning and pass its path with -r. Example apex-ruleset.xml:

apex-ruleset.xml

<?xml version="1.0"?>
<ruleset name="Salesforce Apex Ruleset"
    xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0
    https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Custom PMD Ruleset for Salesforce Apex</description>

    <rule ref="category/apex/bestpractices.xml">
        <priority>3</priority>
    </rule>

    <rule ref="category/apex/codestyle.xml">
        <priority>4</priority>
    </rule>

    <rule ref="category/apex/design.xml">
        <priority>3</priority>
    </rule>

    <rule ref="category/apex/errorprone.xml">
        <priority>2</priority>
    </rule>

    <rule ref="category/apex/performance.xml">
        <priority>2</priority>
    </rule>

    <rule ref="category/apex/security.xml">
        <priority>1</priority>
    </rule>

</ruleset>

LWC Best Practices Checks

The tool automatically checks for:

  • ✅ Missing @api decorators on public properties
  • ✅ Deprecated @track usage
  • ✅ Direct DOM manipulation (document/window access)
  • ✅ Improper event handling
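The following is an added example, not the package's own checker: a line-based implementation of the four LWC checks listed above, run over a constructed component source. The "missing @api" rule (any undecorated class field whose name does not start with an underscore) and the two event-handling rules (uppercase custom event names, listeners added but never removed) are heuristics chosen for this example.

```javascript
// Added example, not the sf-code-scanner source. The rules below are heuristics.
function scanLwc(source) {
  const findings = [];
  const lines = source.split('\n');
  const add = (line, rule, message) => findings.push({ line, rule, message });
  let depth = 0; // brace depth; class fields live at depth 1
  lines.forEach((raw, i) => {
    const line = raw.trim();
    const n = i + 1;
    const classBody = depth === 1;
    depth += (raw.match(/{/g) || []).length - (raw.match(/}/g) || []).length;
    if (line.startsWith('//') || line.startsWith('*')) return; // skip comments
    // 1. Deprecated @track: fields are reactive without it in current LWC.
    if (/@track\b/.test(line)) add(n, 'deprecated-track', '@track is deprecated');
    // 2. Direct DOM access; components should query this.template instead.
    if (/\b(document|window)\./.test(line)) add(n, 'direct-dom', 'direct document/window access');
    // 3. Heuristic: an undecorated class field not prefixed with "_" is treated as a
    //    public property missing @api (a bare decorator on the previous line counts).
    const field = classBody && line.match(/^([A-Za-z]\w*)\s*(=|;)/);
    const decoratedAbove = i > 0 && /^@\w+$/.test(lines[i - 1].trim());
    if (field && !decoratedAbove) add(n, 'missing-api', `public property "${field[1]}" lacks @api`);
    // 4a. Custom event names must be all lowercase (LWC naming rule).
    const evt = line.match(/new CustomEvent\(\s*['"]([^'"]+)['"]/);
    if (evt && /[A-Z]/.test(evt[1])) add(n, 'event-name', `event "${evt[1]}" is not lowercase`);
  });
  // 4b. A listener registered but never removed leaks across component lifecycles.
  if (/addEventListener\(/.test(source) && !/removeEventListener\(/.test(source))
    add(0, 'listener-leak', 'addEventListener without a matching removeEventListener');
  return findings;
}

// Constructed sample component that trips every check (not taken from any real org).
const SAMPLE_LWC = `import { LightningElement, track, api } from 'lwc';
export default class Demo extends LightningElement {
  @api recordId;
  @track items = [];
  title = 'Hello';
  _cache = {};
  connectedCallback() {
    window.addEventListener('resize', this.onResize);
    document.querySelector('.demo');
  }
  select() { this.dispatchEvent(new CustomEvent('itemSelected')); }
}`;

if (typeof require !== 'undefined' && require.main === module) console.table(scanLwc(SAMPLE_LWC));
```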

Report Features

The generated HTML report includes:

Summary Dashboard

  • Total violations count
  • Apex violations count
  • LWC violations count
  • Critical issues (Priority 1) count

Interactive Charts

  • Violations by Priority
  • Violations by Type
  • Download charts as PNG

Data Table

  • Search
  • Sort
  • Pagination
  • Export to CSV

Output Structure

reports/
├── scan-report-1234567890123.html
├── scan-report-1234567890456.html
└── ...

Troubleshooting

"PMD executable not found"

Ensure the -p/--pmd-path value points to the bin directory containing the pmd executable (for the macOS setup above, $HOME/pmd-bin-7.18.0/bin).

"Failed to fetch Salesforce credentials"

Authenticate and confirm the org is reachable (sf org login web is the current name of the first command; the second prints the org details, including the access token and instance URL, as JSON):

sf force auth web login -r <instance_url>
sf org display -o myorg --json

"No Apex classes found"

Verify that the org contains Apex classes and that the authenticated user has permission to read them.

"PMD scan failed"

Check that the ruleset XML is well-formed and that its rule references match the installed PMD version (the example ruleset uses PMD 7 category paths).

Performance Tips

  • Use specific rulesets for faster scans
  • Run scans during off-peak hours
  • Use org aliases for quicker authentication

Happy Scanning! 🚀

Keywords

salesforce

Package last updated on 09 Nov 2025
