vulkro-sf appexchange-report

Renders an offline, self-contained HTML report that mirrors the published AppExchange Security Review checklist. Each finding from the Vulkro Salesforce detectors is mapped to its corresponding checklist section so an ISV reviewer can walk the report top-to-bottom and see PASS / FAIL / NOT EVALUATED per section before submitting a managed package for review.

The report is the single deliverable an ISV hands to their internal security lead (or attaches to their submission package as evidence of a pre-review pass). It is self-contained: CSS and JS are inlined and no asset is fetched from a CDN, so the reviewer can open it on an air-gapped laptop.

Synopsis

vulkro-sf appexchange-report [PATH] -o <report.html> [flags]

PATH defaults to the current directory. The --output (or -o) flag is recommended (without it, the HTML is written to stdout, which is fine for piping but rarely what you want for a 200 KB report).

Flags

Flag                 Type   Default   Description
--output, -o <path>  path   stdout    Where to write the HTML report. Recommended; use a .html extension so your browser opens it directly.

Report sections

The report mirrors the published AppExchange Security Review checklist as of the date pinned in the header. Each section is rendered as its own row with a PASS / FAIL / NOT EVALUATED pill and, when FAIL, a table of the findings that caused the section to fail.

  • Code Quality and Best Practices - SOQL injection, unsafe deserialization, open redirect, dynamic Visualforce iframe URLs.
  • Object and Field Permissions (CRUD / FLS) - missing CRUD/FLS enforcement, IDOR, mass assignment, system-mode DML in Flows.
  • External Sharing - sharing-rule bypass, without sharing on classes that do DML, system-mode Flow execution.
  • Access Control and Sharing Settings - over-privileged profiles and permission sets, dormant admin assignments, guest-user license posture.
  • OAuth and Connected Apps - Full OAuth scope, cleartext callback URL, hardcoded consumerSecret or consumerKey in metadata.
  • Sensitive Data Storage and Logging - hardcoded API keys, credentials in browser storage, named-credential merge fields in request bodies, debug statements emitting PII.
  • Cryptography - weak crypto primitives (MD5, SHA-1, DES, RC4), ECB-mode block cipher usage.
  • Lightning Component Security (LWC + Aura) - XSS surface, dangerous JS primitives, credential-shape identifiers.
  • Visualforce Security - escape="false", dynamic script load, controller-exposed request parameters.
  • Named Credentials and External Integrations - hardcoded passwords, cleartext endpoints, anonymous principals carrying secrets.
  • Flow Security - hardcoded IDs, system-mode DML, SystemMode context.

The checklist label in the rendered report always matches the public Partner Community section name verbatim. The header pins the checklist version date so the result is reproducible: a report generated today will look the same a year from now, even if the public checklist changes in between.

Examples

# Source-only report for a pre-submission review, written to a file.
vulkro-sf appexchange-report . -o appexchange.html

# Same, with the long-form flag.
vulkro-sf appexchange-report . --output appexchange.html

# Write the HTML to stdout and redirect it yourself (rare, but useful
# when a CI artefact step takes the report from stdin).
vulkro-sf appexchange-report . > appexchange.html

For org-shape coverage in the same readiness conversation, run the vulkro-sf org subcommands against the target org and attach their findings alongside the AppExchange report.

Exit codes

  • 0 - every covered checklist section passed (zero findings on every section, and at least one section had detector coverage).
  • 1 - at least one section is FAIL (or the install is on a Pro tier that has hit its hard-block boundary).
  • 2 - error: bad arguments, IO failure, parse error, or internal crash.
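A CI gate built on these exit codes, as an added example that is not part of the vulkro-sf docs: it keeps the report as an artefact on both PASS and FAIL (a FAIL report is still the evidence the reviewer wants), treats exit 2 as a pipeline error rather than a security result, and captures the exit code explicitly so a `set -e` step does not abort before the file is attached. VULKRO_CMD and gate_appexchange are names assumed for this example.

```shell
#!/bin/sh
# Added example (not vulkro-sf's own code). Wraps `vulkro-sf appexchange-report`
# in a CI step and maps its documented exit codes to one outcome word on stdout.
# VULKRO_CMD is an assumed override so the wrapper can be exercised with a stand-in.
VULKRO_CMD="${VULKRO_CMD:-vulkro-sf}"

# gate_appexchange <package-path> <report.html>
# Prints exactly one of: pass | fail | error | unknown
#   pass    - exit 0 and the report file was written
#   fail    - exit 1 and the report file was written (attach it: it lists the FAIL sections)
#   error   - exit 2 (bad args, IO, parse error, crash), or a 0/1 with no report on disk
#   unknown - any other code (e.g. 127 when the binary is not on PATH)
gate_appexchange() {
  pkg="$1"
  out="$2"
  rc=0
  # Capture the code in an || list so `set -e` cannot abort the step here.
  # The tool's own stdout goes to stderr so our outcome word is the only stdout.
  $VULKRO_CMD appexchange-report "$pkg" -o "$out" >&2 || rc=$?
  case "$rc" in
    0) if [ -s "$out" ]; then echo pass; else echo error; fi ;;
    1) if [ -s "$out" ]; then echo fail; else echo error; fi ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Usage from a CI step (not executed on load):
#   outcome=$(gate_appexchange ./force-app appexchange.html)
#   case "$outcome" in pass|fail) <attach appexchange.html as an artefact> ;; esac
#   [ "$outcome" = pass ] || exit 1
```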

Where to go next