What is Salesforce Code Analyzer?
Salesforce Code Analyzer is a command-line tool (built on Node.js) that helps analyze, detect, and fix code quality issues in your Apex, LWC (Lightning Web Components), Aura, and Visualforce codebases.
Think of it like a “code reviewer” that checks for:
- Security vulnerabilities
- Performance issues
- Code style and best practice violations
- Common errors that might cause an AppExchange security review failure
Prerequisites
- Code Analyzer is a Salesforce CLI plugin, so you must install Salesforce CLI on your computer. See Install Salesforce CLI for details.
- The PMD, CPD, and Salesforce Graph engines depend on the Java Platform, Standard Edition Java Development Kit (JDK). Install JDK version 11 or later.
- The Flow Scanner engine requires Python. If you plan to use the Flow Scanner engine, install Python version 3.10.0 or later.
Install Code Analyzer
Open a terminal (macOS and Linux) or a command prompt (Windows) and then run this command.
sf plugins install code-analyzer
To verify that you’ve installed it correctly, run this command:
sf plugins --core
If Code Analyzer is installed, you see an entry like this in the output (the version number may differ in your environment):
code-analyzer 5.2.2 (5.2.2)
Update and Uninstall the Plugin
To update Code Analyzer, rerun the installation command.
sf plugins install code-analyzer
To uninstall Code Analyzer, run this command.
sf plugins uninstall code-analyzer
Extension Install in VS Code
Install the Code Analyzer extension as shown in the screenshot below.
PMD Commands
The following sf scanner run commands scan Apex, LWC, and Flow code with Salesforce Code Analyzer. They belong to the v4 (sf scanner) command set; the sf code-analyzer run commands in the next section are the v5 equivalents.
- To scan Apex code (AppExchange-specific rules):
sf scanner run --engine="pmd-appexchange" --format=csv --outfile=CodeAnalyzerPmdAppExchange.csv --target="./force-app/main/default/classes"
- To scan Apex code (standard PMD rules):
sf scanner run --engine="pmd" --format=csv --outfile=CodeAnalyzerPmd.csv --target="./force-app/main/default/classes"
- To scan Lightning Web Components (LWC) code:
sf scanner run --engine="eslint" --format=csv --outfile=eslint.csv --target="./force-app/main/default/"
- To scan Flow code:
sf scanner run --engine="flow" --format=csv --outfile=flow.csv --target="./flows"
Code Analyzer Commands
- To scan Apex classes or Apex code files:
sf code-analyzer run --target path/to/apex/classes --rule-selector apex
- To scan LWC code (JavaScript, HTML, XML files inside LWC folders):
sf code-analyzer run --target force-app/main/default --rule-selector apex,lwc
Final Thoughts
Once you’ve scanned your code using the commands above, review the generated CSV reports and fix all high- and medium-severity issues.
After resolving them, rerun the Code Analyzer to confirm a clean scan.
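To make "fix all high- and medium-severity issues" enforceable rather than a manual read of the CSV, the following script summarizes a Code Analyzer CSV report and returns a non-zero exit status when any blocking finding remains, so it can gate a CI job right after the sf scanner run --format=csv commands above. This is an added example, not part of Salesforce Code Analyzer. It assumes the report has a "Severity" column whose values are 1 (high), 2 (medium) or 3 (low), and also accepts the words high/medium/low; the embedded sample report is constructed for illustration and is not real scanner output. Adjust SEVERITY_COLUMN and SEVERITY_RANK if your report uses different headers or values.

```python
"""Gate a Code Analyzer CSV report on finding severity.

Added example, not part of Salesforce Code Analyzer. Assumed column layout:
a "Severity" column holding 1 (high), 2 (medium) or 3 (low).
"""
import csv
import io
import sys
from collections import Counter

SEVERITY_COLUMN = "Severity"   # assumed header name
MAX_ALLOWED_SEVERITY = 2       # block on rank 1 (high) and 2 (medium); tolerate 3 (low)

# Map both numeric and textual severities to a rank where 1 is most severe (assumption).
SEVERITY_RANK = {"1": 1, "2": 2, "3": 3, "high": 1, "medium": 2, "low": 3}


def severity_rank(value):
    """Return the numeric rank for a severity cell, or None if unrecognised."""
    return SEVERITY_RANK.get(value.strip().lower())


def summarize(report_text):
    """Parse CSV text; return (Counter of rank -> count, list of blocking rows)."""
    reader = csv.DictReader(io.StringIO(report_text))
    counts = Counter()
    blocking = []
    for row in reader:
        rank = severity_rank(row.get(SEVERITY_COLUMN) or "")
        if rank is None:
            continue  # skip rows with a missing or unknown severity instead of crashing
        counts[rank] += 1
        if rank <= MAX_ALLOWED_SEVERITY:
            blocking.append(row)
    return counts, blocking


def gate(report_text):
    """Exit status for CI: 0 when no high/medium findings remain, 1 otherwise."""
    _, blocking = summarize(report_text)
    return 1 if blocking else 0


# Constructed sample report in the assumed layout (not real scanner output).
SAMPLE_REPORT = """\
"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/AccountCtl.cls","12","5","ApexSOQLInjection","Avoid untrusted input in dynamic SOQL","","Security","pmd"
"2","2","force-app/main/default/classes/AccountCtl.cls","30","9","ApexCRUDViolation","Validate CRUD permission before SOQL/DML","","Security","pmd"
"3","3","force-app/main/default/classes/Util.cls","4","1","ExcessiveParameterList","Avoid long parameter lists","","Design","pmd"
"""


if __name__ == "__main__":
    # Usage: python gate_report.py CodeAnalyzerPmd.csv  (no argument: run on the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, newline="").read() if path else SAMPLE_REPORT
    counts, blocking = summarize(text)
    print(f"high={counts[1]} medium={counts[2]} low={counts[3]}")
    for row in blocking:
        print(f"{row['File']}:{row['Line']} {row['Rule']} (severity {row[SEVERITY_COLUMN]})")
    sys.exit(gate(text))
```

Wire it in after each scan (for example python gate_report.py CodeAnalyzerPmdAppExchange.csv) and the pipeline fails until the report contains only low-severity findings, which matches the rerun-until-clean loop described in the final thoughts.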