Salesforce Code Review Tools



PMD. SonarQube. Checkmarx. CodeScan. S4

Salesforce code review (code check) is a software development practice in which the source code is examined to identify bugs at an early stage. It is an effective way to prevent bugs and errors early in the development process and it improves code quality.

Purpose and Importance of the Code check in Salesforce Application Development

Code quality is central to the maintainability and longevity of a Salesforce application and ensures a consistent design and implementation. Below are a few factors that affect Salesforce code quality.

[Figure: Cost of repair in different development stages]
01. Lack of expertise

Due to a lack of experience, some less experienced Salesforce AppExchange developers may be unaware of optimization techniques that could be applied to their code.

02. Distributed team

Teams distributed across locations may disagree on the rules and techniques to follow.

03. Company culture

A company that prioritizes quantity and pace over quality tends to over-commit and compromise on quality.

04. Objective vs subjective

Subjective judgement will always diverge from objective rules and facts, which can compromise quality.

05. Pressing deadlines

Cost and time deadlines lead to compromises.


The cost of improving or repairing code quality rises with every later development stage. The cost-of-repair figure on this page shows this across the different Salesforce development stages.

The factors above emphasize the importance of the code review process. Its main goals are:

  • A defect-free, well-documented Salesforce application.
  • An application that complies with enterprise coding standards.
  • Higher code quality, which improves market reputation.
  • A lower cost of repair.

Review takes place during all stages of Salesforce development, except on small projects such as demos and experiments that are meant to be written quickly and probably thrown away. During the final stages of development, code reviews greatly reduce the number of regression bugs and ensure that company coding practices are not abandoned. A well-run review process greatly reduces the costlier QA defects that would otherwise surface right before launch.

Better Apex review and code quality help a Salesforce app in areas such as readability and maintainability and exception handling.

Why should you use Code review tools for Salesforce App Development?

Code review can be carried out in many ways; below are a few of the effective review techniques. Dedicated review tools are the most practical choice for Salesforce AppExchange app development.
01. Over-the-shoulder

A Salesforce AppExchange developer looks over the author's shoulder while the author walks through the code.

02. Email pass-around

The source code management system emails the code to reviewers automatically after a check-in. The code is merged only once a reviewer approves it.

03. Pair programming

Two authors develop code together at the same workstation. One Salesforce AppExchange developer, the driver, writes the code while the other, the observer, reviews each line as it is typed. The two programmers switch roles frequently.

04. Using Apex review tools

Authors and reviewers use specialized tools designed for peer code review.


A code analysis tool automates the code audit process. It performs static code analysis, which is essential for delivering a reliable software application. With a review tool, a team can:

  • Create templates and checklists for certain types of reviews
  • Conduct remote, real-time reviews at each member's convenience
  • Capture metrics automatically on the review process and the defects found


Which code review tools are available for Salesforce App Development?

There are many static analysis tools for Salesforce app development that cover the Apex, Lightning (Aura) and LWC codebase. Below are a few things to consider when choosing a code review tool for a Salesforce AppExchange application.
01. Prevent security vulnerabilities

Cybercriminals increasingly target businesses through their applications, particularly web applications, so it is important that applications hosted on the Salesforce AppExchange are secure. The Apex review tool should detect security issues such as cross-site scripting (XSS) in Visualforce and Lightning, SOQL/SOSL injection, and similar flaws.

02. Pinpoint performance bottlenecks

Performance bottlenecks such as SOQL inside a for loop, nested loops and heap limit issues need to be flagged by the review tool.

03. Identify testing weaknesses

The tool checks the test classes for each Apex class against Salesforce coding best practices, such as the presence of assert statements and the creation of test data.

04. Enforce coding standards

The Salesforce development documentation lists the coding best practices and standards to follow when writing Salesforce app code. The tool should have a rule set that encodes those standards.

05. Flag bad coding practices

Identify bad coding practices and make sure the Salesforce app stays within governor limits.

06. Find and remove complex, unclean code

A way to identify commented-out lines of code and unused Apex methods in the Salesforce application.


Below are a few Salesforce app review tools that we have tried and tested on Salesforce applications. Peeklogic, a Salesforce development company, is more than happy to share our experience.

  • PMD
  • SonarQube
  • Checkmarx
  • CodeScan
  • S4


PMD for Salesforce App Development

PMD (the name is commonly expanded as Programming Mistake Detector) is an open-source static code analysis tool. For Apex and Visualforce pages it finds common programming flaws such as unused variables, empty catch blocks and unnecessary object creation. Besides Apex it supports Java and many other programming languages.

PMD ships many built-in rules, documented in the rule reference for each language, and exposes an extensive API for writing your own rules based on Salesforce AppExchange or in-house best practices.

PMD is most effective when integrated into the build process. It can be run as a Maven goal, an Ant task, a VS Code plugin, or from the command line, and it can run inside the IDE as code is written so that flaws are caught before they are pushed to the org.


PMD has a set of built-in rules for both Apex and Visualforce pages. Below is a sample of the Apex ruleset. Every rule is assigned a priority that reflects the seriousness of the issue it reports.

Best Practices

These rules enforce the approaches recommended by the Salesforce app development guidelines.
• ApexUnitTestClassShouldHaveAsserts: test methods must contain assert statements that verify the results match the design.
• ApexUnitTestShouldNotUseSeeAllDataTrue: tests should not read data from the org; test data must be created inside the test.
• AvoidLogicInTrigger: trigger logic must live in separate handler classes.
• UnusedLocalVariable: a declared local variable must be used somewhere in the code.
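The following is an added example, not code from this page or from the PMD project, showing Apex that satisfies the four Best Practices rules above and also addresses the SOQL-in-loop bottleneck and the test-quality checks mentioned earlier: a trigger that only delegates to a handler, a handler with the per-record query beside its bulkified replacement, and a test class that builds its own data and asserts on the result. Account and Contact are standard objects; the class names and the use of Contact.Description as the target field are assumptions for illustration. Each `// File:` section goes in its own file in the org.

```apex
// File: ContactTrigger.trigger  (AvoidLogicInTrigger: the trigger only delegates)
trigger ContactTrigger on Contact (before insert) {
    ContactTriggerHandler.beforeInsert(Trigger.new);
}

// File: ContactTriggerHandler.cls  (hypothetical class name)
public with sharing class ContactTriggerHandler {

    // BAD: one SOQL query per record. A bulk insert of 200 Contacts issues
    // 200 queries and hits the 100-query governor limit, so the whole
    // transaction fails with a LimitException. PMD reports the query
    // inside the loop; a null AccountId would also throw a QueryException.
    public static void beforeInsertUnbulkified(List<Contact> contacts) {
        for (Contact c : contacts) {
            Account acc = [SELECT Industry FROM Account WHERE Id = :c.AccountId];
            c.Description = 'Account industry: ' + acc.Industry;
        }
    }

    // GOOD: collect the keys, query once, then look records up from a map.
    public static void beforeInsert(List<Contact> contacts) {
        Set<Id> accountIds = new Set<Id>();
        for (Contact c : contacts) {
            if (c.AccountId != null) {
                accountIds.add(c.AccountId);
            }
        }
        if (accountIds.isEmpty()) {
            return;
        }
        Map<Id, Account> accountsById = new Map<Id, Account>(
            [SELECT Industry FROM Account WHERE Id IN :accountIds]
        );
        for (Contact c : contacts) {
            Account acc = accountsById.get(c.AccountId);
            if (acc != null) {
                c.Description = 'Account industry: ' + acc.Industry;
            }
        }
    }
}

// File: ContactTriggerHandlerTest.cls
@IsTest
private class ContactTriggerHandlerTest {

    // No SeeAllData=true: the test builds its own data, so it is deterministic
    // and does not depend on whatever happens to be in the org.
    @IsTest
    static void copiesIndustryForABulkInsert() {
        Account acc = new Account(Name = 'Acme', Industry = 'Energy');
        insert acc;

        List<Contact> contacts = new List<Contact>();
        for (Integer i = 0; i < 200; i++) {
            contacts.add(new Contact(LastName = 'Contact ' + i, AccountId = acc.Id));
        }

        Test.startTest();
        insert contacts;   // one DML call with 200 rows exercises the bulk path
        Test.stopTest();

        // The asserts are what make this a test rather than a coverage generator.
        List<Contact> saved = [SELECT Description FROM Contact WHERE AccountId = :acc.Id];
        System.assertEquals(200, saved.size(), 'all contacts should be inserted');
        for (Contact c : saved) {
            System.assertEquals('Account industry: Energy', c.Description);
        }
    }
}
```

Run the test with 200 records rather than one: a single-record test passes against the unbulkified handler too, and only the bulk case shows why PMD flags the query in the loop.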

Other categories are Code Style, Design, Documentation, Error Prone, Performance and Security; the Security category includes rules for SOQL injection, XSS from URL parameters and missing CRUD/FLS checks.

  • It is open source, so no licensing cost is involved.
  • It can run static code analysis standalone.
  • It can be part of an Ant build to generate error reports, or be used as an Eclipse or VS Code plugin.
  • It can then serve as a quality gate that enforces a coding standard for the code base.
  • The Copy/Paste Detector (CPD) is an add-on to PMD that uses the Rabin–Karp string search algorithm to find duplicated code.
  • PMD reviews only Apex and Visualforce pages; it does not review Lightning (Aura) or LWC components.
  • Triaging the results is time consuming if done manually.
  • It has no capability to detect logical errors.
  • It cannot be used as a plug-and-play tool to list all the issues in an org.

Checkmarx for Salesforce App Development

Checkmarx is a highly accurate and flexible source code analysis product for Salesforce development. It scans source code without requiring a build and identifies hundreds of security vulnerability types in the most prevalent languages.

Checkmarx offers two code analyzers relevant to Salesforce app development. The first is a free static code analyzer offered through a collaboration between Checkmarx and Salesforce AppExchange; it runs one project at a time, is limited to 30,000 lines of code, and supports Apex, Visualforce, JavaScript and HTML.

The second is the licensed Checkmarx CxSAST, with unlimited projects and lines of code, instant on-demand scanning and support for more than 20 languages. CxSAST comes with an extensive list of hundreds of preconfigured queries for known security vulnerabilities in each language. Those are the basic differences between the two versions.

With 2,500+ applications on the Salesforce AppExchange providing different services on the Apex code base, application security is a major concern. The main threats are cross-site scripting (XSS), SOQL and SOSL injection, frame spoofing and more. A few of the main vulnerability classes Checkmarx detects are:

  • Cross-site scripting
  • SOQL injection
  • SOSL injection
  • Frame spoofing
  • Access control issues

During a static scan the Checkmarx suite traces data flows from sources (untrusted input) to sinks (the query, DML or output statement that consumes it).

Examples of a vulnerable and a safe SOQL query are below.

  • query1 = 'SELECT Name, Status FROM Opportunity WHERE Id = \'' + test + '\''
  • query2 = 'SELECT Id, Name FROM Account LIMIT 5'

query1 concatenates the variable test into the query text, so if test is reachable from user input the scanner reports it as SOQL injection. query2 is a fixed literal with no tainted source and is not flagged.

This approach also produces some false positives and false negatives, so the trade-off between the two must be defined for the project. Checkmarx can scan incrementally or load the whole source code at once. The results of a full scan are reported with a built-in severity for each vulnerability, so findings are separated into high, medium and low risk. An overall risk level for the evaluated source code is also given as a percentage.
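Here is an added example, not Checkmarx's code or the page's, of what that source-to-sink trace looks like in Apex: the vulnerable concatenation beside three fixes. It goes beyond the two queries above by also covering dynamic SOQL that must be assembled at run time, and SOSL. The controller class, its method names and the sort-field allow list are assumptions; Database.queryWithBinds requires API version 57.0 or later.

```apex
// Hypothetical controller; illustrates the source-to-sink pattern a SAST tool traces.
// The untrusted value (the SOURCE) typically arrives from
// ApexPages.currentPage().getParameters().get('q') or an @AuraEnabled parameter.
public with sharing class OpportunitySearchController {

    // VULNERABLE SINK: the parameter is spliced into the query text.
    // idParam = ' OR Name LIKE '%   turns the filter into
    //   WHERE Id = '' OR Name LIKE '%'
    // and returns every Opportunity the running user can see. A scanner
    // reports this as SOQL injection because the source reaches Database.query.
    public List<Opportunity> findVulnerable(String idParam) {
        String query1 = 'SELECT Name, StageName FROM Opportunity WHERE Id = \'' + idParam + '\'';
        return Database.query(query1);
    }

    // FIX 1: static SOQL with a bind variable. The value is handed to the
    // database separately and is never parsed as query text.
    public List<Opportunity> findWithBind(String idParam) {
        return [SELECT Name, StageName FROM Opportunity WHERE Id = :idParam];
    }

    // FIX 2: dynamic SOQL that still binds (API 57+), for queries whose
    // shape has to be assembled at run time.
    public List<Opportunity> findByStage(String stage) {
        Map<String, Object> binds = new Map<String, Object>{ 'stage' => stage };
        return Database.queryWithBinds(
            'SELECT Name, StageName FROM Opportunity WHERE StageName = :stage',
            binds,
            AccessLevel.USER_MODE
        );
    }

    // FIX 3: when a value really must be concatenated, escapeSingleQuotes
    // protects a quoted string literal only. Anything outside quotes (field
    // names, ORDER BY, LIMIT) cannot be escaped and must be checked against
    // an allow list instead.
    public List<Opportunity> findByNameSorted(String namePattern, String orderField) {
        Set<String> allowedOrder = new Set<String>{ 'Name', 'CloseDate', 'Amount' };
        if (!allowedOrder.contains(orderField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        String q = 'SELECT Name, StageName FROM Opportunity WHERE Name LIKE \''
            + String.escapeSingleQuotes('%' + namePattern + '%')
            + '\' ORDER BY ' + orderField + ' LIMIT 50';
        return Database.query(q);
    }

    // SOSL follows the same rule: bind the search term, never concatenate it.
    public List<List<SObject>> searchVulnerable(String term) {
        return Search.query('FIND \'' + term + '\' IN ALL FIELDS RETURNING Account(Name)');
    }

    public List<List<SObject>> searchSafe(String term) {
        return [FIND :term IN ALL FIELDS RETURNING Account(Name)];
    }
}
```

When reviewing scanner output, the question to ask for each reported query is which of these three shapes it has: a bind (safe), an escaped literal with validated non-literal parts (safe), or raw concatenation (finding).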

  • It is a web app where the team raises a request for a code scan; after processing, the results report is shared by email.
  • Checkmarx provides a platform for DevOps and CI environments, fitting security into the SDLC at the speed of DevOps.
  • The solution lets engagement teams analyze both live and in-development source code.
  • It reduces cost by avoiding a pile-up of security vulnerabilities close to release.
  • It does not offer an in-house dynamic application security testing (DAST) solution.
  • Engagement teams may not share the software or license keys with others.
  • It lacks a report designer for creating custom reports.
  • Some rigid rule sets result in false positives and false negatives.

SonarQube in Salesforce App Development

SonarQube is an automatic code review tool that detects bugs, vulnerabilities and code smells. It integrates with the existing workflow to enable continuous code inspection across project branches.

Its free Community edition offers static code analysis for about 15 languages, detects bugs and vulnerabilities, reviews security hotspots and generates code quality metrics. The Developer and Enterprise editions add further functionality; see the SonarQube documentation for the additional features relevant to Salesforce development.

The Apex analysis covers well-established quality standards and is available throughout the development chain, with self-hosted SonarQube or cloud-based SonarCloud. Note that SonarSource's own Apex analyzer is included in the commercial Enterprise and Data Center editions and in SonarCloud, not in the Community edition. The Apex rules are grouped into four buckets: Bugs, Vulnerabilities, Code Smells and Security Hotspots. Examples:

- URLs of Salesforce pages should be relative, not absolute.
- DML statements should not be used inside loops.
- Record IDs should not be hardcoded.
- Triggers should process records in bulk.
- Variables should not be self-assigned.

  • It scans code against predefined compliance rules for a project.
  • SonarQube supports the Enterprise Value Delivery (EVD) methods for a consistent delivery approach across projects.
  • It tracks historical data for the project.
  • It provides browser-based access, giving greater visibility of quality metrics.
  • It identifies issues before code is checked in.
  • ABAP analysis is not included in the Community edition.
  • SonarQube can only be used in conjunction with a current engagement.
  • It lacks compatibility information about tool integration versions and the performance of some plugins.

CodeScan for Salesforce Application Development

CodeScan is an end-to-end code analysis solution for ensuring the quality and security of orgs on the Salesforce platform. It is Lightning-ready and available exclusively for Salesforce. There is no free version for running against a code base. Its stated mission is to empower Salesforce AppExchange developer teams at all levels to develop faster, better, cleaner and more efficiently.

CodeScan has more than 500 security and quality rules for Apex, Visualforce, Lightning and metadata. It integrates directly with Salesforce and with all popular CI/CD pipelines, and focuses mainly on the metrics below.

  • Control quality: CodeScan maintains code quality throughout development while letting you customize your own quality-gate metrics.
  • Track technical debt
  • Save time on code analysis
  • Boost security
  • Enforce standards

CodeScan supports both cloud-based and self-hosted options, and its IDE plugins give AppExchange developers real-time review feedback so code quality issues are addressed as they appear. It includes a rich, intuitive dashboard with mission-critical metrics, and the vendor reports a 60% reduction in production issues.

CodeScan differs from the open-source review tools in its ability to check not only Apex and Visualforce issues but also Lightning component and JavaScript issues and standards. Compared to around 35 checks in PMD, CodeScan offers a rule set of 500+.

  • It increases product quality with best-practice standards and effective governance.
  • Integration with JIRA and a host of other tools is available through SonarQube.
  • CodeScan IDE plugins provide real-time automated feedback as you type.
  • Apart from Apex and Visualforce, it has rules for Lightning Aura and web components.
  • It is not open source; a license cost is involved.
  • It can raise false positives on correct code.
  • It has no capability to detect logical errors.

S4 - SaaS Security Scanner for Salesforce

DigitSec's flagship product, S4, is designed to rapidly identify security weaknesses in SaaS environments. S4 identifies vulnerabilities in Apex code developed on the Salesforce platform. It is a cloud-based application that combines static code analysis with runtime testing.

Below is the 4-step process implemented by S4:

01. Review environment configuration: S4 for Salesforce reviews the configuration of a Salesforce org and identifies flaws.
02. Scan source code.
03. Generate a custom fuzzer.
04. Fuzz the live Salesforce runtime instance.

S4 Design

S4 can run in production as well as in a staging or test environment such as a Salesforce sandbox. The following components make up S4's system architecture:

  • Salesforce Metadata API
    Used to retrieve, deploy, create, update or delete customization information such as custom object definitions and page layouts.
  • Salesforce Tooling API
    Helps you build custom development tools or apps for Lightning Platform applications.
  • Salesforce Database
    A powerful and intuitive data persistence layer.
  • Static Engine
    Parses your code and converts it into runnable commands.
  • Runtime Engine
    Provides objects to JavaScript so it can interact with the outside world.

S4 Key Features

Static Code Analysis

S4 uses a robust client-side static code analysis engine that builds call flows to identify CRUD/FLS flaws. It uses data flow analysis to associate Visualforce components with their controllers.
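As an added illustration, not DigitSec's code or the page's, of the CRUD/FLS flaw class S4 targets, here is an Apex class that reads a field without checking the running user's permissions, alongside the platform-provided fixes. The class and method names are assumptions; WITH USER_MODE requires API version 57.0 or later.

```apex
// Hypothetical service class; illustrates a CRUD/FLS flaw and three fixes.
public with sharing class AccountRevenueService {

    // FLAW: "with sharing" enforces record-level sharing only. A user whose
    // profile has no read access to Account.AnnualRevenue still receives the
    // value here. This is what a CRUD/FLS analyzer (and the AppExchange
    // security review) reports.
    public static List<Account> listUnchecked() {
        return [SELECT Name, AnnualRevenue FROM Account LIMIT 100];
    }

    // FIX 1 (API 57+): run the query in user mode. Object and field
    // permissions are enforced by the platform, and a missing permission
    // raises an exception instead of silently returning data.
    public static List<Account> listUserMode() {
        return [SELECT Name, AnnualRevenue FROM Account WITH USER_MODE LIMIT 100];
    }

    // FIX 2: explicit describe checks, for code pinned to an older API version.
    public static List<Account> listChecked() {
        if (!Schema.sObjectType.Account.isAccessible()
            || !Schema.sObjectType.Account.fields.AnnualRevenue.isAccessible()) {
            throw new System.NoAccessException();
        }
        return [SELECT Name, AnnualRevenue FROM Account LIMIT 100];
    }

    // FIX 3: for DML, strip the fields the user may not update rather than
    // failing the whole operation; Id is always retained so the update works.
    public static void updateRevenue(List<Account> accounts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, accounts);
        update decision.getRecords();
    }
}
```

A static analyzer builds the call flow from the query or DML back to the entry point and reports it when no permission check (a describe call, USER_MODE, or stripInaccessible) lies on that path; the fix that applies depends on whether the caller should fail closed or degrade gracefully.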

White-box Fuzz Testing

S4 uses white-box fuzzing to rapidly identify injection flaws within cloud services. Every vulnerability identified during runtime testing comes with a proof-of-concept (PoC) exploit, which rules out false positives among those findings.

Signature Based Testing

S4 ships with various signatures, patterns known to cause common vulnerabilities in code. Based on these signatures, S4 can uncover flaws other security scanners might miss.

Lightning Components

S4 analyzes the security elements and flaws associated with Lightning components.

Unlimited Scale Out

S4 is installed per organization and can be scaled out to as many organizations as needed. All analyzed code remains within the organization, preserving the intellectual property of the code base.

No Code Limits

With S4 there is no limit on the size of the code base being scanned, so your Salesforce instance receives an accurate and complete security review.

Unlimited Scans

There is no limit on the number of scans you can run on a single Salesforce instance, so S4 can become part of your organization's regular security testing.

Vulnerability Tracking

S4 saves the vulnerabilities it finds as cases. These cases can then be tracked in Salesforce for easier analysis and remediation.


S4 Results

With one click, users can pull up an Application Security Report of detailed findings from S4's scan. Each finding is prioritized by its level of risk and impact on the organization's data. S4 then provides remediation recommendations and clear guidance on how to fix the findings.
