CommunityDevOps ExchangePartners
10 minutes

Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer

Written by
Abhishek Saxena
Table of contents

Salesforce Code Analyzer is Salesforce’s open source code quality, security and performance monitoring tool. It’s the one stop shop that aggregates different static code analysis tools, as well as multiple open-source static application security testing (SAST) tools to help you write secure and clean code. Salesforce Code Analyzer unifies all of them under a unified Salesforce CLI experience.

Code Analyzer currently supports the PMD rule engine, PMD Copy Paste Detector, ESLint, RetireJS, and Salesforce Graph Engine. Using these, it can identify a variety of security, quality, and performance issues early in the development lifecycle and help monitor code health. 

Having used the Code Analyzer in the past, I knew how powerful it is. Thus using Copado’s DevOps Platform and a Quality Tool extension I created an integration between Copado and Code Analyzer, and got it published on Copado’s DevOps Exchange

This quality gate 

  • Runs the SFDX Analyzer for the changed components between your branch and the target branch
  • Provides the user the ability to configure it to run in an automated manner or trigger it manually on every user story.
  • Fail or Pass the job, depending on the Acceptance Criteria chosen by the user.

Let’s take a look at how to install and configure it to use as a Quality Gate within a DevOps Pipeline.


  1. Copado v20.0 or higher
  2. Copado Quality Tools extension v1.14 or higher
  3. Copado DX Extension v3.3 or higher

This extension is currently only supported for Copado CI/CD for Salesforce 2nd Generation. Thus, you should have a working 2nd Generation Copado pipeline.

Install and configure the extension

  1. Navigate to the listing of SFDX Scanner Integration on Copado’s DevOps Exchange.
  2. Click on Get it now, and then install it in your org.
  3. Follow the installation instructions to create required picklist values, extension records and quality gates.

Reviewing the Extension’s configurable parameters

  1. Click on App Launcher, and navigate to Functions.
  2. Open the Run SFDX Code Analyzer QIF function, switch to the Parameters sub tab.
  3. There are two configurable parameters, that’re important to know.
  4. severityThreshold - This dictates when this extension should fail. When violations are found with equal or greater severity than the provided value it proceeds to fail the job. Normalized severity values are: 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. The default value set is 2. Feel free to edit it as per your project needs.
  5. engine - Specifies one or more engines to run. You can submit multiple values as a comma-separated list. Valid values need to be from either of these eslint,eslint-lwc,eslint-typescript,pmd,retire-js,cpd. The default OOB value is set to eslint-lwc,pmd,cpd,retire-js. Feel free to edit it as per your project needs.

Create Quality Gates and Quality Gate Rule Conditions

Now that we’ve reviewed the extension’s configurable parameters, let’s create two Quality Gate Rules. The different scanners are grouped as two separate Quality Gates:

  1. PMD, ESLint, RetireJS, PMD Copy Paste Detector can be run from the sfdx-scanner extension configuration.
  2. The Salesforce Graph Engine for Data Flow Analysis(DFA) can be run from the sfdx-scanner-dfa extension configuration.

If you followed the installation instructions, the Quality Gates should already be created, if not then let’s just take a quick recap on how to set up Quality Gates.

Creating Quality Gates

  1. Go to App Launcher > Quality Gate Rules, and click the New button.
  2. Quality Gate Rule Name: SFDX Scanner
  3. Tool: sfdx-scanner
  4. Status: Active
  5. Execution Sequence: After, Commit

Repeat the process, to create another Quality Gate for the sfdx-scanner-dfa tool.

Quality Gate Rule

What we’ve configured here, tells Copado when to invoke this Quality Gate, and we’ve chosen to invoke it After Commit. We could configure it to run at other different places like before a deployment or a merge(promotion) as well.

Now, we need to create a Quality Gate Rule Condition, so we can apply this Quality Gate to correct environments, stages and/or pipelines as well as trigger it based on a specific filter criteria.

Creating a Quality Gate Rule Condition

  1. On the SFDX Scanner Quality Gate, go to the Conditions sub-tab and click New.
  2. Extension Configuration: SFDX Scanner Config
  3. Platform: SFDX
  4. Tests From: User Story
  5. Pipeline: CICD 2nd Gen Pipeline
  6. Environment and Stage: Let’s leave them blank for this example.
  7. Filter: 
  8. Type contains Apex
  9. Type contains LightningComponentBundle
  10. Type contains AuraDefinitionBundle

Quality Gate Rule Condition

We could make the rule condition even more restrictive or relaxed by configuring it to run for specific environments or stages.

Repeat the steps to create a QGRC for SFDX Scanner DFA Quality Gate.

Monitoring progress and checking execution results

We’re now ready to run our Quality Gate, let’s try to commit an Apex Class and a LWC that follow bad coding practices. If you have your own metadata, feel free to skip this step and run it through your actual metadata.

Creating Metadata to commit

1. Create an ApexClass called ContactUpdater with the following code:

ApexClass ContactUpdater Code

2. Create a LWC component called contactUpdateLWC and paste the following code in the contactUpdateLWC.js file

Contact Update LWC Code

Save and deploy both of them to your Dev environment. 

Committing the Metadata Changes

1. Create or open a User Story tied to an Environment and a Project that relate to a CICD 2nd Gen Pipeline since this is the pipeline where we’ve set our Quality Gate Rule Condition to trigger out of.

User Story

2. Click on Commit Changes, and select the appropriate date and time to show recent changes and commit them.

User Story Commit Grid

3. You should be redirected to the User Story Commit record, as soon as you click on Commit. Here on the right hand side, you should start to see the job steps that’d happen in this commit.

  • Commit
  • Create Test Records
  • SFDX Scanner

SFDX Scanner is here since we created the Quality Gate Rule to trigger after commits. You can expand any of the sections to see the process of a particular Job Step. Once all of them finish, you’d notice that the SFDX Scanner failed.

User Story Commit Record

Review Result

1. Let’s click on the SFDX Scanner Job Step.

User Story Commit Selected

2. After opening the Job Step, click on the result record tied to the failed Run SFDX Code Analyzer job step.

SFDX Scanner Job Step

3. On the result record, you can view the logs, by switching to the logs tab, as well as see the attached result.html file. 

4. Download and open the results.html file, it should look like this

Salesforce Code Analyzer Report - Result 1
Salesforce Code Analyzer - Result 2

Thus, we could see how SFDX Scanner is giving the Developers immediate feedback through its different engines as soon as they commit their changes. 


Salesforce Code Analyzer captures complex violations including those that’re caught only during the AppExchange Security Review process courtesy its Data Flow Analysis via the Graph Engine. Thus, it’s a perfect solution for ISV developers as well as Salesforce application developers to use this extension to prepare for a formal security review process. Using this extension, teams can identify a variety of security, quality, and performance issues early in development and ship better solutions and products.

Book a demo

About The Author

Technical Architect

Abhishek is a Salesforce DevOps Architect who’s passionate about improving the software development lifecycle. For the last several years he has been working with enterprise customers to help build, design, and customize scalable Salesforce DevOps solutions. He is 8x Salesforce Certified and holds several certifications on major Salesforce DevOps tools.

Copado Launches Copado Explorer to Simplify and Streamline Testing on Salesforce
Exploring Top Cloud Automation Testing Tools
Master Salesforce DevOps with Copado Robotic Testing
Exploratory Testing vs. Automated Testing: Finding the Right Balance
A Guide to Salesforce Source Control
A Guide to DevOps Branching Strategies
Family Time vs. Mobile App Release Days: Can Test Automation Help Us Have Both?
How to Resolve Salesforce Merge Conflicts: A Guide
Copado Expands Beta Access to CopadoGPT for All Customers, Revolutionizing SaaS DevOps with AI
Is Mobile Test Automation Unnecessarily Hard? A Guide to Simplify Mobile Test Automation
From Silos to Streamlined Development: Tarun’s Tale of DevOps Success
Simplified Scaling: 10 Ways to Grow Your Salesforce Development Practice
What is Salesforce Incident Management?
What Is Automated Salesforce Testing? Choosing the Right Automation Tool for Salesforce
Copado Appoints Seasoned Sales Executive Bob Grewal to Chief Revenue Officer
Business Benefits of DevOps: A Guide
Copado Brings Generative AI to Its DevOps Platform to Improve Software Development for Enterprise SaaS
Celebrating 10 Years of Copado: A Decade of DevOps Evolution and Growth
Copado Celebrates 10 Years of DevOps for Enterprise SaaS Solutions
5 Reasons Why Copado = Less Divorces for Developers
What is DevOps? Build a Successful DevOps Ecosystem with Copado’s Best Practices
Scaling App Development While Meeting Security Standards
5 Data Deploy Features You Don’t Want to Miss
Top 5 Reasons I Choose Copado for Salesforce Development
How to Elevate Customer Experiences with Automated Testing
Getting Started With Value Stream Maps
Copado and nCino Partner to Provide Proven DevOps Tools for Financial Institutions
Unlocking Success with Copado: Mission-Critical Tools for Developers
How Automated Testing Enables DevOps Efficiency
How to Keep Salesforce Sandboxes in Sync
How to Switch from Manual to Automated Testing with Robotic Testing
Best Practices to Prevent Merge Conflicts with Copado 1 Platform
Software Bugs: The Three Causes of Programming Errors
How Does Copado Solve Release Readiness Roadblocks?
Why I Choose Copado Robotic Testing for my Test Automation
How to schedule a Function and Job Template in DevOps: A Step-by-Step Guide
Delivering Quality nCino Experiences with Automated Deployments and Testing
Best Practices Matter for Accelerated Salesforce Release Management
Maximize Your Code Quality, Security and performance with Copado Salesforce Code Analyzer
Upgrade Your Test Automation Game: The Benefits of Switching from Selenium to a More Advanced Platform
Three Takeaways From Copa Community Day
Cloud Native Applications: 5 Characteristics to Look for in the Right Tools
Using Salesforce nCino Architecture for Best Testing Results
How To Develop A Salesforce Testing Strategy For Your Enterprise
What Is Multi Cloud: Key Use Cases and Benefits for Enterprise Settings
5 Steps to Building a Salesforce Center of Excellence for Government Agencies
Salesforce UI testing: Benefits to Staying on Top of Updates
Benefits of UI Test Automation and Why You Should Care
Types of Salesforce Testing and When To Use Them
Copado + DataColada: Enabling CI/CD for Developers Across APAC
What is Salesforce API Testing and It Why Should Be Automated
Machine Learning Models: Adapting Data Patterns With Copado For AI Test Automation
Automated Testing Benefits: The Case For As Little Manual Testing As Possible
Beyond Selenium: Low Code Testing To Maximize Speed and Quality
UI Testing Best Practices: From Implementation to Automation
How Agile Test Automation Helps You Develop Better and Faster
Salesforce Test Cases: Knowing When to Test
DevOps Quality Assurance: Major Pitfalls and Challenges
11 Characteristics of Advanced Persistent Threats (APTs) That Set Them Apart
7 Key Compliance Regulations Relating to Data Storage
7 Ways Digital Transformation Consulting Revolutionizes Your Business
6 Top Cloud Security Trends
API Management Best Practices
Applying a Zero Trust Infrastructure in Kubernetes
Building a Data Pipeline Architecture Based on Best Practices Brings the Biggest Rewards
CI/CD Methodology vs. CI/CD Mentality: How to Meet Your Workflow Goals
DevOps to DevSecOps: How to Build Security into the Development Lifecycle
DevSecOps vs Agile: It’s Not Either/Or
How to Create a Digital Transformation Roadmap to Success
Infrastructure As Code: Overcome the Barriers to Effective Network Automation
Leveraging Compliance Automation Tools to Mitigate Risk
Moving Forward with These CI/CD Best Practices
Top 3 Data Compliance Challenges of Tomorrow and the Solutions You Need Today
Top 6 Cloud Security Management Policies and Procedures to Protect Your Business
What are the Benefits of Principle of Least Privilege (POLP) for My Organization?
You Can’t Measure What You Can’t See: Getting to know the 4 Metrics of Software Delivery Performance
How the Public Sector Can Continue to Accelerate Modernization
Building an Automated Test Framework to Streamline Deployments
How To Implement a Compliance Testing Methodology To Exceed Your Objectives
Cloud Security: Advantages and Disadvantages to Accessibility
Copado Collaborates with IBM to Accelerate Digital Transformation Projects on the Salesforce Platform