Skip to content

Latest commit

 

History

History
171 lines (124 loc) · 9.67 KB

README.md

File metadata and controls

171 lines (124 loc) · 9.67 KB

sfdx-source-scanner

This product is in beta, please use with caution. Any feedback on the functionality or contributions are welcomed.

The source scanner will run static analysis on Salesforce source to ensure both best practices and potential errors are avoided. The scanner is configurable, this will allow you to define the rules that are executed, any files that you wish to ignore rules on, the severity of each rule and any specific error messages that should be output when a rule is violated.

Version CircleCI Known Vulnerabilities Downloads/week License: MIT

Installation

To install the source scanner you can either use NPM or the sfdx plugins command to install as shown below.

$ npm install -g sfdx-source-scanner
$ sfdx plugins:install sfdx-source-scanner

Usage

Once the plugin is installed it can be executed using the below Commands section, the plugin expects a rule refrence to be passed in this allows you to configure the rule refrence, there will be more detail below at Rule Sets.

{
    "name": "Example Rule Set (All)",
    "description": "This rule set shows all the scanners as enabled",
    "scanners": [
        { "name": "any-file-scanner" },
        { "name": "approval-process-scanner" },
        { "name": "duplicate-rule-scanner" },
        { "name": "flow-scanner" },
        { "name": "field-scanner" },
        { "name": "object-scanner" },
        { "name": "permission-set-scanner" },
        { "name": "quick-action-scanner" },
        { "name": "validation-rule-scanner" },
        { "name": "workflow-scanner" }
    ]
}

Additional example rulesets can be found at examples

Commands

sfdx scanner:source:scan -s <string> [-r <string>] [-d <string>] [-e <number>] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

This utility will scan salesforce metadata (in source format) to identify any potential issues, this can be built into CI pipelines to ensure work admins are checking in is up to standard

USAGE
  $ sfdx scanner:source:scan -s <string> [-r <string>] [-d <string>] [-e <number>] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -d, --targetdir=targetdir                                                         [default: force-app] The directory
                                                                                    that should be targeted whilst
                                                                                    scanning the files

  -e, --errorlevel=errorlevel                                                       [default: 3] The level at which the
                                                                                    severty should raise an error,
                                                                                    otherwise the results will be logged
                                                                                    silently. Numbers range between 1-5,
                                                                                    where 1 is Minor and 5 is Extreme

  -r, --resultsfile=resultsfile                                                     The path to the file that the
                                                                                    results should be written to, if
                                                                                    this is not provided this will be
                                                                                    output to the terminal

  -s, --rulesetfile=rulesetfile                                                     (required) The file path for the
                                                                                    rule set that should be applied

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

EXAMPLE
  $ sfdx config:scan --rulesetfile sfdx-config-rule-set.json --targetdir force-app --errorlevel 2
       Errors in the files have been identified

See code: lib/commands/scanner/source/scan.js

Rule Sets

A ruleset will be required to be specified for any project that plans to use the source scanner, this can be provided into the CLI using the --rulesetfile argument. An example of all the various parameters that can be provided into the scanner can be found at example rule set.

The ruleset is defined as a json file, where the top level elements define,

  1. name - this specifies the name assigned to the ruleset.
  2. description - This can be used for documentation on the ruleset that is defined
  3. scanners - this provdes a list of objects for each scanner that can be included, more details on the object and the fields that can be provided is described below.

Scanner objects, the scanner objects define the scanners that should be running when the scanner is executed. Anything that is not included in the list will not be executed. The scanner consists of 4 fields, name, include, exclude and ignore.

name

The name describes the name of the scanner to be included, this can be found below (it is the name of the js module), the list is provided below in the Rule Refrence.

include

The include accepts an array of objects that describes the rules that should be included and how they should be configured, details of what should be provided in here is described below. Any rules that are not in the include will still be included, unless specifically called out in the exclude attribute. The fields under include are name, severity, errorMessage, ignore and properties

name

The name is provided as a string which contains the rule refrence (ie the class name of the rule being applied).

severity

The severity argument will override the severity defined at the class level. This can work in conjunction with the errorlevel argument that gets passed into the CLI to determine what will throw an error when the command is executing.

errorMessage

The errorMessage argument will override the error message that is provided in the default class implementaton.

ignore

The ignore parameter will accept a list of file paths which are to be ignored for the current rule execution. Only the full path will be accepted.

properties

The properties parameter will accept an object to allow for overriding of other parameters in the specific rule. This will accept a name, which is the parameter name in the class, the value will provide the value that should be accepted in this parameter.

exclude

This parameter accepts an array of rule names (as strings) to exclude from the scanning execution. The name of the rule is defined as the class name that is used in the execution. These are specified below.

ignore

This parameter accepts an array of file path strings, the file path provided will then be ignored in the scanning execution for the scanner it sits within. This applies for the full scanner level, an additional ignore level can be provided at the rule level. The full path must be provided here, no wildcard paths or partial paths can be entered.

Rule Refrence

The rules are executed by a number of scanners, each scanner is defined for a set of files (based of a file name pattern, mostly the extension for that file), within each scanner a number of rules are defined. A few of the rules are reused across a number of scanners. Below we will go into the detail for each of the scanners and the rules that are available for each.

Any File Scanner

Approval Process Scanner

Duplicate Rule Scanner

Filed Scanner

Flow Scanner

Object Scanner

Permission Set Scanner

Quick Action Scanner

Validation Rule Scanner

Workflow Rule Scanner

The workflow rule scanner is slightly unique as this actually splits the file up to scan for the components that make up the workflow rule, that is the rule itself, field updates and email alerts

Workflow Rule

Field Update Rule

Email Alert Rule

Contributing