Salesforce Code Analyzer is Salesforce’s open source code quality, security and performance monitoring tool. It’s the one stop shop that aggregates different static code analysis tools, as well as multiple open-source static application security testing (SAST) tools to help you write secure and clean code. Salesforce Code Analyzer unifies all of them under a unified Salesforce CLI experience.
Code Analyzer currently supports the PMD rule engine, PMD Copy Paste Detector, ESLint, RetireJS, and Salesforce Graph Engine. Using these, it can identify a variety of security, quality, and performance issues early in the development lifecycle and help monitor code health.
Having used the Code Analyzer in the past, I knew how powerful it is. Thus using Copado’s DevOps Platform and a Quality Tool extension I created an integration between Copado and Code Analyzer, and got it published on Copado’s DevOps Exchange.
This quality gate
Let’s take a look at how to install and configure it to use as a Quality Gate within a DevOps Pipeline.
This extension is currently only supported for Copado CI/CD for Salesforce 2nd Generation. Thus, you should have a working 2nd Generation Copado pipeline.
Now that we’ve reviewed the extension’s configurable parameters, let’s create two Quality Gate Rules. The different scanners are grouped as two separate Quality Gates:
If you followed the installation instructions, the Quality Gates should already be created, if not then let’s just take a quick recap on how to set up Quality Gates.
Repeat the process, to create another Quality Gate for the sfdx-scanner-dfa tool.
What we’ve configured here, tells Copado when to invoke this Quality Gate, and we’ve chosen to invoke it After Commit. We could configure it to run at other different places like before a deployment or a merge(promotion) as well.
Now, we need to create a Quality Gate Rule Condition, so we can apply this Quality Gate to correct environments, stages and/or pipelines as well as trigger it based on a specific filter criteria.
We could make the rule condition even more restrictive or relaxed by configuring it to run for specific environments or stages.
Repeat the steps to create a QGRC for SFDX Scanner DFA Quality Gate.
We’re now ready to run our Quality Gate, let’s try to commit an Apex Class and a LWC that follow bad coding practices. If you have your own metadata, feel free to skip this step and run it through your actual metadata.
1. Create an ApexClass called ContactUpdater with the following code:
2. Create a LWC component called contactUpdateLWC and paste the following code in the contactUpdateLWC.js file
Save and deploy both of them to your Dev environment.
1. Create or open a User Story tied to an Environment and a Project that relate to a CICD 2nd Gen Pipeline since this is the pipeline where we’ve set our Quality Gate Rule Condition to trigger out of.
2. Click on Commit Changes, and select the appropriate date and time to show recent changes and commit them.
3. You should be redirected to the User Story Commit record, as soon as you click on Commit. Here on the right hand side, you should start to see the job steps that’d happen in this commit.
SFDX Scanner is here since we created the Quality Gate Rule to trigger after commits. You can expand any of the sections to see the process of a particular Job Step. Once all of them finish, you’d notice that the SFDX Scanner failed.
1. Let’s click on the SFDX Scanner Job Step.
2. After opening the Job Step, click on the result record tied to the failed Run SFDX Code Analyzer job step.
3. On the result record, you can view the logs, by switching to the logs tab, as well as see the attached result.html file.
4. Download and open the results.html file, it should look like this
Thus, we could see how SFDX Scanner is giving the Developers immediate feedback through its different engines as soon as they commit their changes.
Salesforce Code Analyzer captures complex violations including those that’re caught only during the AppExchange Security Review process courtesy its Data Flow Analysis via the Graph Engine. Thus, it’s a perfect solution for ISV developers as well as Salesforce application developers to use this extension to prepare for a formal security review process. Using this extension, teams can identify a variety of security, quality, and performance issues early in development and ship better solutions and products.