Salesforce Code Analyzer Command Reference

sf scanner run

Scans a codebase with a selection of rules. Scan the codebase with all the rules in the registry, or use parameters to filter the rules based on rule name, category, or ruleset. Specify the format of the output, such as XML or JUnit. Print the output to the console (default) or to a file using the --outfile parameter.

Note: To run Salesforce Graph Engine, you must run a separate command: scanner run dfa. Learn more in Introduction to Salesforce Graph Engine.

sf scanner run -t <array> [-c <array>] [-r <array>] [-e <array>] [-f csv|html|json|junit|sarif|table|xml] [-o <string>] [--tsconfig <string>] [--eslintconfig <string>] [--pmdconfig <string>] [--env <string>] [-s <integer> | undefined | [-v | --json]] [--normalize-severity] [--verbose] [--loglevel trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL]

-c, --category=_category_
One or more categories of rules to run. Specify multiple values as a comma-separated list.

-e, --engine=_engine_
Specifies one or more engines to run. Submit multiple values as a comma-separated list.

--env=_env_
Overrides ESLint's default environment variables, as a JSON-formatted string.

--eslintconfig=_eslintconfig_
Specifies the location of the eslintrc config file used to customize the eslint engine.

-f, --format=(csv|html|json|junit|sarif|table|xml)
Specifies the output format; results are written directly to the console.

--json
Formats output as JSON.

--loglevel=(trace|debug|info|warn|error|fatal|TRACE|DEBUG|INFO|WARN|ERROR|FATAL)
[default: warn] Logging level for this command invocation.

--normalize-severity
Returns the normalized severity, 1 (high), 2 (moderate), or 3 (low), alongside the engine-specific severity. For the html format, the normalized severity is displayed instead of the engine severity.

-o, --outfile=_outfile_
Writes output to a file.

--pmdconfig=_pmdconfig_
Specifies the location of a PMD rule reference XML file used to customize rule selection.

--projectdir=_projectdir_
Provides the relative or absolute root project directory used to set the context for Graph Engine's analysis. The project directory must be a path, not a glob. If --projectdir isn't specified, a default value is calculated: the directory that contains all the target files.

-r, --ruleset=_ruleset_
[deprecated] One or more rulesets to run. Specify multiple values as a comma-separated list.

-s, --severity-threshold=_severity-threshold_
Throws an error when violations are found with equal or greater severity than the provided value. --normalize-severity is invoked and severity levels are reset to the baseline. Normalized severity values are: 1 (high), 2 (moderate), and 3 (low). The exit code is the severity of the most severe violation.

-t, --target=_target_
Specifies the source code location. May use glob patterns. Specify multiple values as a comma-separated list. Default is ".".

--tsconfig=_tsconfig_
Location of the tsconfig.json file used by the eslint-typescript engine.

--verbose
Emits additional command output to stdout.

--verbose-violations
Returns retire-js violation message details about each vulnerability, including a summary, Common Vulnerabilities and Exposures (CVE) identifiers, and URLs.

Additional Notes

  • The --ruleset command parameter is deprecated. Use --category instead.


This example evaluates all rules against somefile.js. Invoking code analyzer without specifying any rules causes all rules to be run.

$ sf scanner run --format xml --target "somefile.js"

This example evaluates all rules in the Design and Best Practices categories. When you specify multiple categories or rulesets, the results are combined with a logical OR.

$ sf scanner run --format xml --target "somefile.js" --category "Design,Best Practices"

This example evaluates all rules except those in the Design or Best Practices categories. Exclude categories by specifying the negation operator and enclosing the values in single quotes.

$ sf scanner run --format xml --target "somefile.js" --category '!Design,!Best Practices'

These examples evaluate rules against all .js files in the current directory, except for IgnoreMe.js. Wrap globs in quotes.

Unix example:

$ sf scanner run --target './**/*.js,!./**/IgnoreMe.js' ...

Windows example:

> sf scanner run --target ".\**\*.js,!.\**\IgnoreMe.js" ...

This example scans the project contained in '/my-project' when the current working directory is another directory. Specify tsconfig.json if the current working directory does not contain the tsconfig.json that corresponds to the TypeScript files being scanned.

$ cd /my-home-directory
$ sf scanner run --target "/my-project/**/*.ts" --tsconfig "/my-project/tsconfig.json"

This example evaluates rules against somefile.js with Jasmine added to the environment variables. Use --env to override the default ESLint environment variables and add frameworks.

$ sf scanner run --target "somefile.js" --env '{"jasmine": true}'

This example evaluates rules against somefile.js using the eslint-lwc and pmd engines. Use --engine to include or exclude engines. Any engine listed will be run, regardless of its current 'disabled' attribute.

$ sf scanner run --target "somefile.js" --engine "eslint-lwc,pmd"

In this example, ESLint and RetireJS will run even if they're disabled, and no other engines will run. Use --engine to include or exclude engines. Regardless of their current 'disabled' attribute, any specified engine will run, and all others will not.

$ sf scanner run --target "somedirectory" --engine "eslint,retire-js"

Use --engine to invoke engines that are not enabled by default. This example executes the CPD engine against known file extensions in "/some/dir". CPD helps detect blocks of duplicated code in the selected languages.

$ sf scanner run --target "/some/dir" --engine cpd

This example executes the rules defined in pmd_rule_ref.xml against the files in 'src'. To use PMD with your own rule reference file, use --pmdconfig. Note that rule filters are not applied.

$ sf scanner run --target "src" --pmdconfig "pmd_rule_ref.xml"

This example uses a custom config to scan the files in 'src'. To use ESLint with your own .eslintrc.json file, use --eslintconfig. Make sure that the directory you run the command from has all the NPM dependencies installed.

$ sf scanner run --target "src" --eslintconfig "/home/my/setup/.eslintrc.json"

This example uses --normalize-severity to output the normalized severity and the engine-specific severity across all engines. Normalized severity is: 1 (high), 2 (moderate), and 3 (low).

$ sf scanner run --target "/some-project/" --format csv --normalize-severity

This example uses --severity-threshold to return a non-zero exit code when rule violations of normalized severity 2 or greater are found. If any violations with the specified severity (or greater) are found, the exit code equals the severity of the most severe violation.

$ sf scanner run --target "/some-project/" --severity-threshold 2
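The threshold semantics above are easy to get backwards in a CI gate: "equal or greater severity" means a numerically smaller or equal normalized value (1 is high), and the exit code is the most severe value found, not a count. The following Python script is an added example, not part of the Salesforce Code Analyzer documentation or the tool's own code. It post-processes a report produced with --format json --normalize-severity and reproduces the --severity-threshold decision so a pipeline can also log a per-severity summary before failing. The JSON layout it assumes (a list of per-file objects with `engine`, `fileName` and a `violations` list whose entries carry `severity` and `normalizedSeverity`) is what the author has seen from that output; the sample report embedded below is constructed.

```python
"""Reproduce the --severity-threshold decision over `sf scanner run --format json` output.

Added example; the report shape is assumed from observed output and the
sample data is constructed, not taken from a real scan.
"""
import json
import sys

# Normalized severities used by Code Analyzer: 1 is the most severe.
HIGH, MODERATE, LOW = 1, 2, 3
SEVERITY_NAMES = {HIGH: "high", MODERATE: "moderate", LOW: "low"}

# Constructed sample report: two files, three violations from two engines.
SAMPLE_JSON = json.dumps([
    {
        "engine": "pmd",
        "fileName": "force-app/main/default/classes/AccountService.cls",
        "violations": [
            {"line": 12, "column": 9, "severity": 3, "normalizedSeverity": 2,
             "ruleName": "ApexSOQLInjection", "category": "Security",
             "message": "Avoid untrusted/unescaped variables in DML query"},
            {"line": 40, "column": 1, "severity": 5, "normalizedSeverity": 3,
             "ruleName": "ApexDoc", "category": "Documentation",
             "message": "Missing ApexDoc comment"},
        ],
    },
    {
        "engine": "eslint-lwc",
        "fileName": "force-app/main/default/lwc/hello/hello.js",
        "violations": [
            {"line": 3, "column": 5, "severity": 1, "normalizedSeverity": 3,
             "ruleName": "no-unused-vars", "category": "Variables",
             "message": "'tmp' is assigned a value but never used."},
        ],
    },
])


def iter_violations(report_json: str):
    """Yield (fileName, engine, violation) for every violation in the report."""
    for entry in json.loads(report_json):
        for violation in entry.get("violations", []):
            yield entry["fileName"], entry["engine"], violation


def most_severe(report_json: str):
    """Return the smallest (most severe) normalizedSeverity present, or None."""
    severities = [v["normalizedSeverity"] for _, _, v in iter_violations(report_json)]
    return min(severities) if severities else None


def threshold_exit_code(report_json: str, threshold: int) -> int:
    """Mirror --severity-threshold.

    Non-zero only when some violation is at least as severe as `threshold`;
    "equal or greater severity" is a numerically smaller-or-equal normalized
    value, and the exit code is that most severe value (1, 2 or 3).
    """
    worst = most_severe(report_json)
    if worst is None or worst > threshold:
        return 0
    return worst


def summarize(report_json: str) -> dict:
    """Count violations per normalized severity name, for a CI log line."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for _, _, violation in iter_violations(report_json):
        counts[SEVERITY_NAMES[violation["normalizedSeverity"]]] += 1
    return counts


if __name__ == "__main__":
    # Read a real report from stdin when piped; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    print("violations by normalized severity:", summarize(data))
    # With threshold 2 (moderate), the sample's worst violation (2) fails the gate.
    sys.exit(threshold_exit_code(data, MODERATE))
```

Pipe a real report in with `sf scanner run --target "/some-project/" --format json --normalize-severity | python3 gate.py`; the exit code then matches what --severity-threshold 2 would have returned, with the summary line available in the build log.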
