
Salesforce Code Review Process

There are many AppExchange tools for Salesforce static code analysis; a few of the market leaders are SonarQube, CheckMarx, and CodeScan. PMD (Programming Mistake Detector) is also a popular option. These tools help the Release Manager in the Salesforce code review process.

I will not go through each tool’s capabilities; rather, I will give my opinion and compare two of my personal favorites, CodeScan and PMD: paid vs. open source. Lastly, I want to cover the Salesforce CLI Scanner, which can be a viable alternative.

  1. PMD has a set of built-in rules available for both Apex and Visualforce pages. It uses a static ruleset with defined priorities for Apex.
  2. Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth.
  3. Supports Salesforce Apex and Visualforce.
  4. Plugins for VS Code, ANT build, and Eclipse.
  5. It is open source, so there is no licensing cost.

Major drawback – The scan doesn’t review Lightning and LWC Components.



CodeScan Features

  1. CodeScan is an end-to-end code analysis solution to ensure the quality and security of Salesforce orgs.
  2. 350+ security and quality rules for Apex, Visualforce, Lightning and Metadata
  3. IDE plugins help developers get reviews in real time and address code quality issues as they arise
  4. Integrates directly with Salesforce and all popular CI/CD pipelines, and with Jira
  5. Covers Lightning Component and JavaScript related issues and standards.
  6. Easy to configure/modify a ruleset as needed
  7. It is not open source; a license cost is involved. Self-hosted or cloud plan

CodeScan SFDX Plugin
IDE Plugins
Azure DevOps
Bitbucket Pipelines
GitHub Actions


Code Quality check with the Salesforce CLI Scanner

The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code. Developers can install the plug-in on a local developer machine or integrate it into a CI/CD process to scan the code.

It can be seamlessly integrated with Salesforce DX release management to automate the code review process.

The Salesforce CLI Scanner plug-in uses PMD v6.38.0, ESLint v6.8.0, and RetireJS v2.2.5 at this moment. Salesforce is actively implementing new features to further improve the Salesforce CLI Scanner.

PMD is a source code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. Its built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

ESLint is a popular linting tool for JavaScript. It provides numerous static analysis rules that help developers write quality code.

RetireJS is an engine that analyzes a project’s third-party JavaScript dependencies and identifies those that have known security vulnerabilities.
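
One way to turn the scanner's combined PMD, ESLint and RetireJS results into a CI/CD gate, as an added example (not code from the original post or from Salesforce). It assumes the scan was written out as a JSON report containing a list of per-file entries with `engine`, `fileName` and `violations` fields; the blocking policy and the sample findings are constructed for illustration.

```python
import json

# Hypothetical gate policy: native severities that block a release, per engine.
# The engines use different scales (PMD priority 1 is the most severe,
# ESLint 2 means "error"), so one global threshold would be misleading.
BLOCKING = {"pmd": {1, 2}, "eslint": {2}, "retire-js": {1, 2}}

# Constructed sample report; field names are an assumed shape of the JSON output.
SAMPLE_REPORT = json.dumps([
    {"engine": "pmd", "fileName": "force-app/classes/AccountService.cls",
     "violations": [
         {"line": 12, "severity": 3, "ruleName": "EmptyCatchBlock"},
         {"line": 30, "severity": 1, "ruleName": "ApexSOQLInjection"}]},
    {"engine": "eslint", "fileName": "force-app/lwc/cart/cart.js",
     "violations": [{"line": "4", "severity": 2, "ruleName": "no-unused-vars"}]},
    {"engine": "retire-js", "fileName": "force-app/staticresources/jquery.min.js",
     "violations": [{"line": 1, "severity": 2,
                     "ruleName": "insecure-bundled-dependencies"}]},
])


def blocking_violations(report_text, policy=BLOCKING):
    """Return (engine, file, line, rule, severity) for findings that block."""
    findings = []
    for entry in json.loads(report_text):
        engine = entry.get("engine", "unknown")
        blocked = policy.get(engine)  # None: engine not covered by the policy
        for v in entry.get("violations", []):
            severity = int(v["severity"])  # tolerate numbers serialized as strings
            # Fail closed: findings from an engine with no policy always block.
            if blocked is None or severity in blocked:
                findings.append((engine, entry.get("fileName", "?"),
                                 int(v.get("line", 0)), v.get("ruleName", "?"), severity))
    return findings


def gate(report_text, policy=BLOCKING):
    """Print blocking findings and return a CI exit code (0 = pass, 1 = fail)."""
    findings = blocking_violations(report_text, policy)
    for engine, path, line, rule, severity in findings:
        print(f"[{engine}] {path}:{line} {rule} (severity {severity})")
    return 1 if findings else 0


if __name__ == "__main__":
    print("exit code:", gate(SAMPLE_REPORT))
```

In a pipeline, the return value of `gate` would be used as the job's exit status so that a blocking finding stops the release.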
