Salesforce (Apex, LWC, Flow, metadata)

Vulkro Pro scans Salesforce projects across five surfaces: Apex code, Lightning components (LWC and Aura), Flow XML, Visualforce pages, and org metadata (Profiles, Permission Sets, Named Credentials, Connected Apps). Apex parsing is powered by the vulkro-apex-grammar crate (a hand-written tree-sitter grammar that handles 99.7% of Apex constructs across the NPSP benchmark corpus).

Salesforce coverage requires a Pro license. The Free tier does not include the Apex extractor.

Apex

Per-file Apex checks plus inter-procedural taint flow within Apex.

  • SOQL injection (APEX-SOQL-*): dynamic Database.query() with user-controlled fragments, missing String.escapeSingleQuotes() on fragments concatenated into the query string, IN-list injection via EvalString.
  • CRUD / FLS bypass (APEX-CRUD-*): DML or query without Schema.sObjectType.X.isAccessible() / isCreatable() / isUpdateable() checks; WITH SECURITY_ENFORCED missing; WITHOUT SHARING on classes that touch user-supplied IDs.
  • IDOR in SObjects (APEX-IDOR-*): controllers that accept a record Id from the request and read or update without an owner check against the running user.
  • Mass assignment via JSON.deserialize (APEX-MASS-*): JSON.deserialize(payload, MyObject.class) where MyObject mirrors an SObject and includes high-privilege fields the caller should not control.
  • RunAs misuse (APEX-RUNAS-*): System.runAs(adminUser) outside @isTest paths; runAs on a request handler.
  • Unsafe deserialization (APEX-DESER-*): JSON.deserialize, JSON.deserializeUntyped, and XMLStreamReader against untrusted input without a schema allowlist.
  • Async DML in @future (APEX-FUT-*): @future methods that perform DML on user-provided IDs without authorization rechecks (the future context loses session sharing semantics).
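The SOQL-injection, CRUD/FLS and IDOR patterns above, as an added example (not Vulkro's or Salesforce's code): a controller the scanner would flag next to its hardened form. Class and method names are invented.

```apex
// Two top-level classes shown together for comparison; in a real project each
// lives in its own .cls file under force-app/main/default/classes/.

// Flagged form: concatenated dynamic SOQL, no FLS check, no owner check.
public without sharing class ContactLookupVulnerable {
    @AuraEnabled
    public static List<Contact> search(String lastName) {
        // APEX-SOQL: lastName becomes part of the query text.
        String q = 'SELECT Id, Email FROM Contact WHERE LastName = \'' + lastName + '\'';
        return Database.query(q); // APEX-CRUD: neither sharing nor FLS enforced
    }

    @AuraEnabled
    public static void updateEmail(Id contactId, String email) {
        // APEX-IDOR: any Id the caller supplies is written, sharing bypassed.
        Contact c = new Contact(Id = contactId, Email = email);
        update c;
    }
}

// Hardened form.
public with sharing class ContactLookup {
    @AuraEnabled
    public static List<Contact> search(String lastName) {
        // Bind variable in dynamic SOQL: the value is never spliced into the
        // query text, so escapeSingleQuotes() is not needed. SECURITY_ENFORCED
        // makes the query throw if the user lacks FLS on a selected field.
        String q = 'SELECT Id, Email FROM Contact WHERE LastName = :lastName WITH SECURITY_ENFORCED';
        return Database.query(q);
    }

    @AuraEnabled
    public static void updateEmail(Id contactId, String email) {
        // FLS check on the field being written.
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AuraHandledException('No update access to Contact.Email');
        }
        // Owner check against the running user, on top of org sharing rules.
        List<Contact> owned = [SELECT Id FROM Contact
                               WHERE Id = :contactId AND OwnerId = :UserInfo.getUserId()
                               WITH SECURITY_ENFORCED
                               LIMIT 1];
        if (owned.isEmpty()) {
            throw new AuraHandledException('Record not found');
        }
        owned[0].Email = email;
        update owned;
    }
}
```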

LWC and Aura

DOM-level XSS and message-pump checks on the client tier.

  • LWC DOM XSS (LWC-XSS-*): lwc:dom="manual" containers fed user-controlled HTML; innerHTML and outerHTML writes on template-rendered nodes.
  • Aura DOM XSS (AURA-XSS-*): aura:unescapedHtml with bound user input.
  • Message channel scope (LWC-MSG-*): pub-sub channels declared application scope when component scope would do (cross-tab leak).

Flow

Flow XML inspection.

  • System-context DML (FLOW-SYS-*): Flows running in SystemMode that touch user-supplied IDs, bypassing org sharing rules.
  • Untrusted resource interaction (FLOW-RES-*): Flows that POST to a URL stored in a record field the end user can edit.
  • Action stacking (FLOW-STACK-*): unbounded recursion via Flow invoking itself through a process-builder loop.

Visualforce

  • VF XSS (VF-XSS-*): apex:outputText with escape="false", <script> tags consuming {!param} merge fields without an allowlist.
  • VF state leak (VF-STATE-*): server-side state put in <apex:inputHidden> without integrity protection.

Metadata

Org-wide policy checks against Profiles, Permission Sets, Named Credentials, Connected Apps.

  • Metadata over-privilege (META-OVER-*): Profiles or Permission Sets granting ModifyAllData or ViewAllData to business users.
  • Named Credential plaintext (META-NC-*): Named Credentials storing OAuth client secrets in plaintext metadata fields.
  • Connected App OAuth scope (META-CONN-*): Connected Apps with full or refresh_token scope on an end-user audience.

Project layout

Vulkro auto-detects SFDX projects (sfdx-project.json) and legacy MDAPI projects (package.xml at the root) and walks the standard Salesforce directory layout (force-app/main/default/classes/, .../lwc/, .../aura/, .../flows/, .../objects/, etc.).

What's not covered yet

  • Heap-allocation analysis for @future jobs
  • Apex Limits modelling (CPU time, callout count) for DoS findings
  • Salesforce CLI deploy-time policy (covered by SFDX itself)