There are many AppExchange tools for Salesforce static code analysis; a few of the market leaders are SonarQube, Checkmarx and CodeScan. PMD (Programming Mistake Detector) is also a popular option. These tools help the release manager in the Salesforce code review process.
I will not go through each tool's capabilities; rather, I will highlight my opinion and a comparison between two of my personal favorites, CodeScan and PMD: paid vs. open source. Lastly, I want to cover the Salesforce CLI Scanner, which can be a viable alternative.
- PMD has a set of built-in rules available for both Apex and Visualforce pages: a static ruleset with defined priorities in PMD for Apex.
- Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth.
- Supports Salesforce Apex and Visualforce.
- Plugins for VS Code, ANT build, and Eclipse.
- It is open source, so there is no licensing cost.
Major drawback: the scan does not review Lightning and LWC components.
- CodeScan is an end-to-end code analysis solution to ensure the quality and security of Salesforce orgs.
- 350+ security and quality rules for Apex, Visualforce, Lightning and metadata.
- IDE plugins help developers get review feedback in real time so they can address code-quality issues as they write.
- Integrates directly with Salesforce and all popular CI/CD pipelines; integration with Jira.
- Easy to configure/modify a ruleset as needed.
- It is not open source; a license cost is involved, with self-hosted or cloud plans.
CodeScan SFDX Plugin
Code Quality check with the Salesforce CLI Scanner
The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code. Developers can install the plug-in on a local developer machine or integrate it into a CI/CD process to scan the code.
It can be seamlessly integrated with Salesforce DX release management to automate the code review process.
The Salesforce CLI Scanner plug-in uses PMD v6.38.0, ESLint v6.8.0, and RetireJS v2.2.5 at this moment. Salesforce is actively implementing new features to further improve the Salesforce CLI Scanner.
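As an added example of the CI/CD integration described above (my own script, not part of the post or of Salesforce's tooling), here is a build gate around the scanner plug-in: it runs `sfdx scanner:run` with JSON output and fails the build when a Security-category violation at or above a chosen PMD priority is found. The report field names assumed below (`fileName`, `violations`, `severity`, `category`, `ruleName`, `line`) are my reading of the scanner's JSON format, and the sample report is constructed; check both against the scanner version you run.

```python
import json
import subprocess
import sys

# PMD priorities run 1 (most severe) to 5; block on 1-3 by default.
BLOCKING_SEVERITY = 3

def blocking_violations(report, category="Security", max_severity=BLOCKING_SEVERITY):
    """Return (fileName, line, ruleName) for every violation in `category`
    whose severity number is <= max_severity (lower number = more severe).
    `report` is the parsed JSON list written by `sfdx scanner:run --format json`
    (field names assumed, see lead-in)."""
    hits = []
    for entry in report:
        for v in entry.get("violations", []):
            if v.get("category") == category and int(v.get("severity", 5)) <= max_severity:
                hits.append((entry.get("fileName"), v.get("line"), v.get("ruleName")))
    return hits

def run_scanner(target="force-app", outfile="scanner-report.json"):
    """Invoke the plug-in on the given source folder and load its JSON report."""
    subprocess.run(["sfdx", "scanner:run", "--target", target,
                    "--format", "json", "--outfile", outfile], check=True)
    with open(outfile) as fh:
        return json.load(fh)

# Constructed sample report (not real scanner output) used for a dry run.
SAMPLE_REPORT = [
    {"engine": "pmd", "fileName": "force-app/main/default/classes/AccountCtl.cls",
     "violations": [
         {"line": 12, "severity": 3, "category": "Security",
          "ruleName": "ApexSharingViolations", "message": "constructed"},
         {"line": 40, "severity": 1, "category": "Security",
          "ruleName": "ApexSOQLInjection", "message": "constructed"},
         {"line": 55, "severity": 3, "category": "Best Practices",
          "ruleName": "ApexUnitTestShouldNotUseSeeAllDataTrue", "message": "constructed"}]},
    {"engine": "eslint", "fileName": "force-app/main/default/lwc/hello/hello.js",
     "violations": [{"line": 3, "severity": 3, "category": "Possible Errors",
                     "ruleName": "no-unused-vars", "message": "constructed"}]},
]

if __name__ == "__main__":
    # Pass --live to run the real scanner; otherwise gate on the sample report.
    report = run_scanner() if "--live" in sys.argv else SAMPLE_REPORT
    hits = blocking_violations(report)
    for path, line, rule in hits:
        print(f"BLOCK {path}:{line} {rule}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status is what makes a CI job (or an SFDX release pipeline step) fail on security findings while leaving style and best-practice findings as warnings.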
PMD is a source code analyzer that performs static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. Its built-in rules detect common flaws in code, such as empty catch blocks or unused variables.