@salesforce/sfdx-scanner
Static code scanner that applies quality and security rules to Apex code, and provides feedback.
Last updated 25 days ago by jbfeingold.


Salesforce CLI Scanner Plug-in

The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code, in multiple languages (including Apex), with a consistent command-line interface and report output. We currently support the PMD rule engine and ESLint. We may add support for more rule engines in the future.

The Salesforce CLI Scanner plug-in creates "Rule Violations" when the scanner identifies issues. Developers use this feedback to fix their code.

You can integrate this plug-in into your CI/CD solution to enforce these rules and keep code quality high.
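One way to do that gating, as an added example that is not part of the plug-in: run scanner:run with --format json --outfile and fail the build on the report it writes. The report layout (a list of per-file entries, each with a violations array carrying severity, ruleName, category and line) and the convention that severity 1 is the most severe are assumptions; SAMPLE_REPORT is constructed.

```python
"""CI gate over an sfdx-scanner JSON report (added example, not plug-in code).
Assumed report shape: list of {fileName, engine, violations:[{severity, ruleName,
category, line, message}]}, with severity 1 the most severe (PMD priority style)."""
import json
import subprocess
from collections import Counter

def run_scanner(target, outfile="scanner-report.json", category=None):
    """Run `sfdx scanner:run` as shown in the command reference; needs the
    sfdx CLI plus the plug-in on PATH (not exercised by the sample below)."""
    cmd = ["sfdx", "scanner:run", "--target", target,
           "--format", "json", "--outfile", outfile]
    if category:  # e.g. "Security" to gate on security rules only
        cmd += ["--category", category]
    subprocess.run(cmd, check=True)
    return outfile

def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def count_by_severity(report):
    """Map severity -> number of violations across all scanned files."""
    counts = Counter()
    for entry in report:
        for v in entry.get("violations", []):
            counts[int(v["severity"])] += 1
    return dict(counts)

def gate(report, fail_at_or_above=1):
    """Return (passed, blocking); blocking lists every violation at least as
    severe as fail_at_or_above, so the build fails with a concrete reason."""
    blocking = [
        "%s:%s %s [%s]" % (e["fileName"], v["line"], v["ruleName"], v["category"])
        for e in report for v in e.get("violations", [])
        if int(v["severity"]) <= fail_at_or_above]
    return not blocking, blocking

# Constructed sample report standing in for a real scanner run.
SAMPLE_REPORT = [
    {"engine": "pmd", "fileName": "classes/Foo.cls", "violations": [
        {"line": 12, "severity": 1, "category": "Security",
         "ruleName": "ApexSOQLInjection", "message": "constructed"},
        {"line": 30, "severity": 3, "category": "Best Practices",
         "ruleName": "ApexUnitTestClassShouldHaveAsserts", "message": "constructed"}]},
    {"engine": "eslint", "fileName": "lwc/foo/foo.js", "violations": [
        {"line": 3, "severity": 2, "category": "Possible Errors",
         "ruleName": "no-unused-vars", "message": "constructed"}]}]

if __name__ == "__main__":  # fail the CI job on severity 1 or 2 findings
    ok, problems = gate(SAMPLE_REPORT, fail_at_or_above=2)
    raise SystemExit(0 if ok else "FAIL:\n" + "\n".join(problems))
```

In a pipeline, replace SAMPLE_REPORT with load_report(run_scanner("force-app")) and tune fail_at_or_above to the severity your team is willing to block on.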

Official Documentation

All the official documentation on the Salesforce CLI Scanner plug-in is hosted on GitHub Pages. These documents include instructions on how to install the plug-in, the command reference, writing and managing custom rules and an overview of the architecture of the plug-in.

Document Link

https://forcedotcom.github.io/sfdx-scanner/

Debugging your plugin

We recommend using the Visual Studio Code (VS Code) IDE for your plugin development. Included in the .vscode directory of this plugin is a launch.json config file, which allows you to attach a debugger to the node process when running your commands.

To debug the hello:org command:

  1. Start the inspector

If you linked your plugin to the sfdx cli, call your command with the dev-suspend switch:

$ sfdx hello:org -u myOrg@example.com --dev-suspend

Alternatively, to call your command using the bin/run script, set the NODE_OPTIONS environment variable to --inspect-brk when starting the debugger:

$ NODE_OPTIONS=--inspect-brk bin/run hello:org -u myOrg@example.com
  2. Set some breakpoints in your command code
  3. Click on the Debug icon in the Activity Bar on the side of VS Code to open up the Debug view.
  4. In the upper left-hand corner of VS Code, verify that the "Attach to Remote" launch configuration has been chosen.
  5. Hit the green play button to the left of the "Attach to Remote" launch configuration window. The debugger should now be suspended on the first line of the program.
  6. Hit the green play button at the top middle of VS Code (this play button will be to the right of the play button that you clicked in step #5).

    Congrats, you are debugging!

Usage

$ npm install -g @salesforce/sfdx-scanner
$ sfdx COMMAND
running command...
$ sfdx (-v|--version|version)
@salesforce/sfdx-scanner/1.0.30 darwin-x64 node-v14.1.0
$ sfdx --help [COMMAND]
USAGE
  $ sfdx COMMAND
...

Commands

sfdx scanner:rule:add -l <string> -p <array> [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

add custom rules to the scanner's registry

USAGE
  $ sfdx scanner:rule:add -l <string> -p <array> [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -l, --language=language                                                           (required) language against which
                                                                                    the custom rules will evaluate

  -p, --path=path                                                                   (required) one or more paths to
                                                                                    custom rule definitions

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

EXAMPLE
  PMD: Custom PMD rules should be in JARs. Adhere to PMD conventions, including defining rules in XMLs under a /category 
  directory.
  Refer to PMD's documentation for information on writing rules: 
  https://pmd.github.io/latest/pmd_userdocs_extending_writing_pmd_rules.html

  	You may specify one or more JARs directly.
  		E.g., $ sfdx scanner:rule:add --language apex --path "/Users/me/rules/Jar1.jar,/Users/me/rules/Jar2.jar"
  			Successfully added rules for apex.
  			2 path(s) added:
  			/Users/me/rules/SomeJar.jar,/Users/me/rules/AnotherJar.jar

  	You may also specify a directory containing one or more JARs, all of which will be added.
  		E.g., $ sfdx scanner:rule:add --language apex --path "/Users/me/rules"
  			Successfully added rules for apex.
  			2 path(s) added:
  			/Users/me/rules/SomeJar.jar,/Users/me/rules/AnotherJar.jar

See code: lib/commands/scanner/rule/add.js

sfdx scanner:rule:describe -n <string> [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

provide detailed information about a rule

USAGE
  $ sfdx scanner:rule:describe -n <string> [--verbose] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -n, --rulename=rulename                                                           (required) the name of a rule
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  $ sfdx scanner:rule:describe --rulename ExampleRule
  	name:        AvoidWithStatement
  	categories:   Best Practices
  	rulesets:    Controversial Ecmascript
  	languages:   javascript
  	description: Avoid using with - it's bad news
  	message:     Avoid using with - it's bad news

See code: lib/commands/scanner/rule/describe.js

sfdx scanner:rule:list [-c <array>] [-r <array>] [-l <array>] [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

lists basic information about all rules matching provided criteria

USAGE
  $ sfdx scanner:rule:list [-c <array>] [-r <array>] [-l <array>] [--verbose] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -c, --category=category                                                           categories to filter list by
  -l, --language=language                                                           language(s) to filter list by
  -r, --ruleset=ruleset                                                             ruleset(s) to filter list by
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  Invoking with no filter criteria returns all rules.
  	E.g., $ sfdx scanner:rule:list
  		Returns a table containing all rules.

  The values supplied to a single filter are handled with a logical OR.
  	E.g., $ sfdx scanner:rule:list --language apex,javascript
  		Returns all rules for Apex OR Javascript.

  Different filters are combined with a logical AND.
  	E.g., $ sfdx scanner:rule:list --language apex,javascript --ruleset Braces,Security
  		Returns all rules that:
  		1) Target Apex OR Javascript,
  		AND...
  		2) Are members of the Braces OR Security rulesets.

See code: lib/commands/scanner/rule/list.js

sfdx scanner:rule:remove [-f] [-p <array>] [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

removes custom rules from the registry of available rules

USAGE
  $ sfdx scanner:rule:remove [-f] [-p <array>] [--verbose] [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -f, --force                                                                       bypass the confirmation prompt and
                                                                                    immediately unregister the rules

  -p, --path=path                                                                   one or more paths to deregister

  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  Run the command with no arguments to see a list of all currently registered custom paths.
  	E.g., $ sfdx scanner:rule:remove
  		Returns all registered custom paths.

  You may use the --path parameter to specify one or more paths to remove.
  	E.g., $ sfdx scanner:rule:remove --path "~/path/to/somerules.jar,~/path/to/folder/containing/rules"
  		Deregisters the rules defined in somerules.jar and any JARs contained in the rules folder.

  By default, a list of all the rules that will be deregistered is displayed, and the action must be confirmed.
  The --force flag may be used to bypass that confirmation.
  	E.g., $ sfdx scanner:rule:remove --force --path "~/path/to/somerules.jar"
  		Deregisters somerules.jar without requiring confirmation.

See code: lib/commands/scanner/rule/remove.js

sfdx scanner:run [-c <array>] [-r <array>] [-t <array> | undefined] [-f json|xml|junit|csv|table] [-o <string>] [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

evaluate a selection of rules against a codebase

USAGE
  $ sfdx scanner:run [-c <array>] [-r <array>] [-t <array> | undefined] [-f json|xml|junit|csv|table] [-o <string>] 
  [--verbose] [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  -c, --category=category                                                           categor(ies) of rules to run
  -f, --format=(json|xml|junit|csv|table)                                           format of results
  -o, --outfile=outfile                                                             location of output file
  -r, --ruleset=ruleset                                                             ruleset(s) of rules to run
  -t, --target=target                                                               location of source code
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

  --verbose                                                                         emit additional command output to
                                                                                    stdout

EXAMPLE
  Invoking without specifying any rules causes all rules to be run.
  	E.g., $ sfdx scanner:run --format xml --target "somefile.js"
  		Evaluates all rules against somefile.js.

  Specifying multiple categories or rulesets is treated as a logical OR.
  	E.g., $ sfdx scanner:run --format xml --target "somefile.js" --category "Design,Best Practices" --ruleset "Braces"
  		Evaluates all rules in the Design and Best Practices categories, and all rules in the Braces ruleset.

  Wrap globs in quotes.
  	Unix example:    $ sfdx scanner:run --target './**/*.js,!./**/IgnoreMe.js' ...
  	Windows example: > sfdx scanner:run --target ".\**\*.js,!.\**\IgnoreMe.js" ...
  		Evaluate rules against all .js files below the current directory, except for IgnoreMe.js.

See code: lib/commands/scanner/run.js

sfdx scanner:scannerCommand [--json] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

USAGE
  $ sfdx scanner:scannerCommand [--json] [--loglevel 
  trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

OPTIONS
  --json                                                                            format output as json

  --loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)  [default: warn] logging level for
                                                                                    this command invocation

See code: lib/commands/scanner/scannerCommand.js
