Writing clean, efficient, and secure code is essential for maintaining a scalable and high-performing Salesforce org. But without the right tools, identifying vulnerabilities, enforcing best practices, and ensuring compliance can be time-consuming and error-prone.
Salesforce Code Analyzer (SFCA) helps developers catch issues early by scanning Apex, Visualforce, and Lightning Web Components (LWC) for security risks, performance bottlenecks, and code complexity issues. With the release of v5, Code Analyzer now offers a smoother CLI experience, improved reporting, and new analysis engines.
In this guide, we’ll explore how static code analysis improves code quality, what’s new in Code Analyzer v5 Beta, its limitations, and how Gearset’s Code reviews goes even further to help teams build more secure, reliable, and scalable Salesforce solutions.
What is Agentforce?
Agentforce is Salesforce’s advanced AI solution that enables autonomous, proactive agents across the whole platform, including customer service, sales, and marketing. It’s powered by the Atlas Reasoning Engine, as well as Einstein Generative AI, and represents a significant leap in conversational AI.
What is static code analysis?
Static code analysis for Salesforce involves scanning your Apex code for errors, security vulnerabilities, and bugs — without running it. It helps identify issues early, improves code quality, and ensures your org stays secure. By enforcing clean, consistent coding practices, it makes future changes easier for your team. Most static analysis tools let you customize rulesets covering best practices, coding styles, design, performance, and security reviews. Tailoring these rules helps strike the right balance between useful warnings and critical errors, so your team can write better code with confidence.
Sheraton Grand Chicago Riverwalk
DevOps Dreamin’ Chicago 2025
Why does code quality matter?
Poor code quality can lead to technical debt, security risks, failed deployments and higher maintenance costs. By prioritizing the quality of their code, teams can improve overall performance and protect their production environment against threats.
Here are just a few of the reasons why every team should be investing in code quality.
Better performance and efficiency
Poorly managed code slows processes down, leading to bottlenecks and unnecessary downtime. Maintaining high-quality code helps teams spot performance bottlenecks early, making it easier to resolve slow-running queries and inefficient feedback loops before they impact users. By decreasing response times, teams can improve reliability, and ensure a smoother experience for end users.
Stronger security
Security flaws in your Salesforce environments can put data at risk and lead to serious compliance breaches. By sticking to best practices, teams can detect vulnerabilities like SOQL injection, Cross-Site Scripting (XSS), CRUD and FLS bypass and Apex sharing violations before they cause real problems. They can also identify security misconfigurations early. Strengthening security in Apex and LWC reduces the risk of unauthorized access and helps teams stay ahead of potential threats.
Consistent and scalable code
Code inconsistencies can cause collaboration bottlenecks and slow down development. Focusing on the quality of your codebase and enforcing best practices across the team makes it easier to scale.
Less technical debt
Technical debt builds up when teams take shortcuts when releasing their code. This leads to a codebase that’s much harder to clean and sync. Reducing this debt allows developers to focus on creating code, rather than fixing it.
Smoother deployments
Low code quality can lead to more failed deployments and errors being introduced into production. Catching these errors earlier reduces deployment failures and ensures compliance with deployment best practices.
Cost and time savings
Fixing issues late in the development process, or after a release, can be very expensive, time-consuming, and stressful. By avoiding issues entirely, businesses can prevent costly fixes and downtime, protecting both their budget and reputation.
What is Salesforce Code Analyzer?
Salesforce Code Analyzer (SFCA) was first released in 2020 as a Salesforce CLI Scanner and has since evolved into an open-source static code analysis tool for the ecosystem. SFCA helps development teams write secure, high-performing code while shifting left — catching issues earlier in the development cycle. SFCA scans multiple languages, including Apex, Visualforce, JavaScript for LWC, and other Salesforce code to identify security vulnerabilities, performance issues, and best practice violations.
SFCA includes several engines (such as PMD, ESLint, and RetireJS) for static code analysis. Salesforce Graph Engine adds a unique layer of analysis by understanding code execution flows, making it a powerful complement to SFCA’s rule-based engines.
To get the most out of SFCA, developers can refer to the Code Analyzer Command Reference for a detailed breakdown of available commands, flags, and configuration options.
Enhancements released in Salesforce Code Analyzer v5
With the release of v5 Beta, SFCA has become a more unified tool, combining multiple static analysis engines under a single CLI command structure. Here’s why it’s better than version 4:
Improved CLI experience
- New CLI plugin
@salesforce/plugin-code-analyzerreplaces the old structure - Simplified commands, including a flexible
runcommand for precise rule selection
Streamlined configuration
- Default settings work out of the box, with easy customization via the new
code-analyzer.ymlconfiguration file - Modify rule properties, add new rules, and fine-tune engine behavior
- Support for tagging rules which makes grouping and selection easier
- Seamless integration into CI/CD pipelines for automated code quality checks
New analysis engines
- Regex Engine: Enables custom rules based on regular expressions
- Flowtest Engine: Analyzes Salesforce Flows to identify security vulnerabilities
Enhanced output and reporting
- More detailed real-time updates in the terminal
- Multiple output formats: CSV, XML, JSON
- New HTML report with improved navigation, search, grouping, and filtering for violations
Integrated AppExchange security rules
- AppExchange security checks are now available
Overall, v5 makes Salesforce Code Analyzer easier to use, more flexible, and more powerful than v4.
Installing Salesforce Code Analyzer
To get started with SFCA, first install Salesforce CLI by running npm install -g @salesforce/cli in terminal.
You can then install Salesforce code analyzer by running sf plugins install code-analyzer in the Salesforce CLI.
Salesforce Code Analyzer drawbacks
Salesforce Code Analyzer v5 brings significant improvements over previous versions but there are some limitations to consider:
Pattern-based detection leaves gaps. SFCA relies on predefined patterns to identify issues, so it can miss security vulnerabilities that don’t match those patterns — leading to false negatives or missed edge cases.
Limited customization options. Some custom rules can be added, but the level of customization might not be enough for complex codebases with unique coding styles or certain project requirements.
False positives. SFCA can flag issues that aren’t actually problems, causing developers to waste time investigating warnings for issues that don’t exist.
Performance issues with large codebases. When dealing with very large codebases, performance can degrade, leading to slower scan times and potential issues with processing complex dependencies.
Reporting and tracking limitations. The reporting features might not be comprehensive enough to track code quality trends over time or provide detailed insights into specific issues.
Doesn’t support all Salesforce features. The analyzer might not cover the whole Salesforce platform, potentially missing issues related to newer features or specific configurations.
Code reviews: Smarter Salesforce code analysis
Gearset’s Code reviews is a powerful code analysis platform built specifically for Salesforce to make code scanning simple. It offers deeper metadata coverage and more advanced rule sets than other standard tools. With Code reviews, you’ll deliver high-quality, bug-free, and secure code at speed, right from Gearset’s UI.
Formerly known as Clayton, Code reviews is designed to catch issues that other code scanners might miss, including flagging problems in highly customized scenarios where different code types are embedded within specific file formats. By shifting left and identifying issues earlier in the development cycle, Code reviews helps teams maintain best practices and ship better code, faster.
Code reviews gives you the flexibility to scan your Salesforce code at a level that suits your team. Whether you need a full org scan, a branch-level review, or a PR check, you can run targeted scans without extra tools or custom scripts. This makes it easier to separate technical debt from new issues and focus on what matters most.
Code reviews goes beyond traditional code scanning. It helps teams grow by providing actionable insights not just into the codebase but also into developer performance and learning opportunities. With recommendations on Trailhead learning paths, focus areas for improvement, and estimated remediation times, it supports continuous improvement across your team.
What can Code reviews do that SFCA can’t?
Code reviews goes beyond basic checks to analyze your entire codebase, uncovering risks that might otherwise go unnoticed.
Traverse calls
A traditional scanner, like Code Analyzer highlights issues in individual files, but Code reviews takes things further by traversing calls across your codebase. That means it doesn’t just check a single function — it follows method calls and dependencies, making it easier to detect hidden bugs, security risks, and performance bottlenecks.
Scan isolated “islands of code”
Salesforce orgs often contain “islands of code” — isolated scripts, custom components, or legacy functions that aren’t actively referenced but still exist in your codebase. Standard scanners might skip these, but Code reviews includes them in the code scan, flagging any security risks or outdated practices before they become a problem. Another blind spot in other scanners arises when you have embedded code (such as JavaScript inside a Visualforce page) within a particular file extension, meaning one specific engine (PMD in the example above) will scan the entire file, instead of being context aware and including multiple languages in the analysis.
Catch hardcoded secrets
Security is always a top priority, and Code reviews helps protect your org by checking for hardcoded secrets. Whether it’s an API key, password, or token left behind in a commit, the scanner flags these risks so they can be removed before they pose a threat to your entire codebase.
We also go a step further by analyzing your third-party libraries, even if they’re embedded via a Content Delivery Network (CDN) or stored in static resource bundles. If a JavaScript framework or dependency has known vulnerabilities, Code reviews identifies it — ensuring your applications remain secure, no matter how they’re built.
Reporting and metrics
Code Analyzer gives you a snapshot of your code, but it’s up to you to store, analyze, and act on the data. Code reviews takes it further with centralized reporting that tracks trends over time. By keeping a historical record, you can measure improvements, compare technical debt against new development, and make more informed decisions to keep your codebase in shape.
Ship better code — with fewer bugs
Whatever solution you choose to scan and analyze your code, testing throughout the DevOps lifecycle is essential to maintain a healthy codebase and deliver successful releases.
Salesforce Code Analyzer is a great starting point for teams looking to improve code quality. With multiple analysis engines, it helps enforce coding standards and improves maintainability across Apex, Visualforce, and Lightning Web Components.
For teams that need deeper insights, Gearset’s Code reviews provides a more comprehensive and intelligent approach to code analysis. While SFCA primarily focuses on static code scanning, Code reviews offers broader metadata coverage, advanced rule sets, and built-in security checks tailored specifically for Salesforce development. It evaluates the full context of your codebase, identifying risks — such as hardcoded secrets, security misconfigurations, and hidden dependencies — that static analysis tools might miss. Start your free 30-day trial of Gearset to start shipping better code today.
