Skip to main content

Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer

SFDX Banner

Salesforce Code Analyzer is Salesforce’s open source code quality, security and performance monitoring tool. It’s the one stop shop that aggregates different static code analysis tools, as well as multiple open-source static application security testing (SAST) tools to help you write secure and clean code. Salesforce Code Analyzer unifies all of them under a unified Salesforce CLI experience.

Code Analyzer currently supports the PMD rule engine, PMD Copy Paste Detector, ESLint, RetireJS, and Salesforce Graph Engine. Using these, it can identify a variety of security, quality, and performance issues early in the development lifecycle and help monitor code health. 

Having used the Code Analyzer in the past, I knew how powerful it is. Thus using Copado’s DevOps Platform and a Quality Tool extension I created an integration between Copado and Code Analyzer, and got it published on Copado’s DevOps Exchange

This quality gate 

  • Runs the SFDX Analyzer for the changed components between your branch and the target branch
  • Provides the user the ability to configure it to run in an automated manner or trigger it manually on every user story.
  • Fail or Pass the job, depending on the Acceptance Criteria chosen by the user.

Let’s take a look at how to install and configure it to use as a Quality Gate within a DevOps Pipeline.


  1. Copado v20.0 or higher
  2. Copado Quality Tools extension v1.14 or higher
  3. Copado DX Extension v3.3 or higher

This extension is currently only supported for Copado CI/CD for Salesforce 2nd Generation. Thus, you should have a working 2nd Generation Copado pipeline.

Install and configure the extension

  1. Navigate to the listing of SFDX Scanner Integration on Copado’s DevOps Exchange.
  2. Click on Get it now, and then install it in your org.
  3. Follow the installation instructions to create required picklist values, extension records and quality gates.

Reviewing the Extension’s configurable parameters

  1. Click on App Launcher, and navigate to Functions.
  2. Open the Run SFDX Code Analyzer QIF function, switch to the Parameters sub tab.
  3. There are two configurable parameters, that’re important to know.
    • severityThreshold - This dictates when this extension should fail. When violations are found with equal or greater severity than the provided value it proceeds to fail the job. Normalized severity values are: 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. The default value set is 2. Feel free to edit it as per your project needs.
    • engine - Specifies one or more engines to run. You can submit multiple values as a comma-separated list. Valid values need to be from either of these eslint,eslint-lwc,eslint-typescript,pmd,retire-js,cpd. The default OOB value is set to eslint-lwc,pmd,cpd,retire-js. Feel free to edit it as per your project needs.

Create Quality Gates and Quality Gate Rule Conditions

Now that we’ve reviewed the extension’s configurable parameters, let’s create two Quality Gate Rules. The different scanners are grouped as two separate Quality Gates:

  1. PMD, ESLint, RetireJS, PMD Copy Paste Detector can be run from the sfdx-scanner extension configuration.
  2. The Salesforce Graph Engine for Data Flow Analysis(DFA) can be run from the sfdx-scanner-dfa extension configuration.

If you followed the installation instructions, the Quality Gates should already be created, if not then let’s just take a quick recap on how to set up Quality Gates.

Creating Quality Gates

  1. Go to App Launcher > Quality Gate Rules, and click the New button.
  2. Quality Gate Rule Name: SFDX Scanner
  3. Tool: sfdx-scanner
  4. Status: Active
  5. Execution Sequence: After, Commit

Repeat the process, to create another Quality Gate for the sfdx-scanner-dfa tool.

Quality Gate Rule

What we’ve configured here, tells Copado when to invoke this Quality Gate, and we’ve chosen to invoke it After Commit. We could configure it to run at other different places like before a deployment or a merge(promotion) as well.

Now, we need to create a Quality Gate Rule Condition, so we can apply this Quality Gate to correct environments, stages and/or pipelines as well as trigger it based on a specific filter criteria.

Creating a Quality Gate Rule Condition

  1. On the SFDX Scanner Quality Gate, go to the Conditions sub-tab and click New.
  2. Extension Configuration: SFDX Scanner Config
  3. Platform: SFDX
  4. Tests From: User Story
  5. Pipeline: CICD 2nd Gen Pipeline
  6. Environment and Stage: Let’s leave them blank for this example.
  7. Filter: 
    • Type contains Apex
    • Type contains LightningComponentBundle
    • Type contains AuraDefinitionBundle

Quality Gate Rule Condition

We could make the rule condition even more restrictive or relaxed by configuring it to run for specific environments or stages.

Repeat the steps to create a QGRC for SFDX Scanner DFA Quality Gate.

Monitoring progress and checking execution results

We’re now ready to run our Quality Gate, let’s try to commit an Apex Class and a LWC that follow bad coding practices. If you have your own metadata, feel free to skip this step and run it through your actual metadata.

Creating Metadata to commit

1. Create an ApexClass called ContactUpdater with the following code:

ApexClass ContactUpdater Code

2. Create a LWC component called contactUpdateLWC and paste the following code in the contactUpdateLWC.js file

Contact Update LWC Code

Save and deploy both of them to your Dev environment. 

Committing the Metadata Changes

1. Create or open a User Story tied to an Environment and a Project that relate to a CICD 2nd Gen Pipeline since this is the pipeline where we’ve set our Quality Gate Rule Condition to trigger out of.

User Story

2. Click on Commit Changes, and select the appropriate date and time to show recent changes and commit them.

User Story Commit Grid

3. You should be redirected to the User Story Commit record, as soon as you click on Commit. Here on the right hand side, you should start to see the job steps that’d happen in this commit.

  • Commit
  • Create Test Records
  • SFDX Scanner

SFDX Scanner is here since we created the Quality Gate Rule to trigger after commits. You can expand any of the sections to see the process of a particular Job Step. Once all of them finish, you’d notice that the SFDX Scanner failed.

User Story Commit Record

Review Result

1. Let’s click on the SFDX Scanner Job Step.

User Story Commit Selected

2. After opening the Job Step, click on the result record tied to the failed Run SFDX Code Analyzer job step.

SFDX Scanner Job Step

3. On the result record, you can view the logs, by switching to the logs tab, as well as see the attached result.html file. 

4. Download and open the results.html file, it should look like this

Salesforce Code Analyzer Report - Result 1

Salesforce Code Analyzer - Result 2

Thus, we could see how SFDX Scanner is giving the Developers immediate feedback through its different engines as soon as they commit their changes. 


Salesforce Code Analyzer captures complex violations including those that’re caught only during the AppExchange Security Review process courtesy its Data Flow Analysis via the Graph Engine. Thus, it’s a perfect solution for ISV developers as well as Salesforce application developers to use this extension to prepare for a formal security review process. Using this extension, teams can identify a variety of security, quality, and performance issues early in development and ship better solutions and products.

About the Author

Abhishek is a Salesforce DevOps Architect who’s passionate about improving the software development lifecycle. For the last several years he has been working with enterprise customers to help build, design, and customize scalable Salesforce DevOps solutions. He is 8x Salesforce Certified and holds several certifications on major Salesforce DevOps tools.