vulkro-sf scan

The primary scanning command. Walks an SFDX project (or a retrieved metadata folder), runs every Vulkro Salesforce detector over the source, and emits findings in the requested format. Runs entirely on the local machine: no network calls, no telemetry, no upload.

Live-org posture, identity, Connected Apps, and Agentforce actions are not pulled by scan itself. Reach those through the dedicated vulkro-sf org subcommands, which talk to the live org via your sf CLI login.

Synopsis

vulkro-sf scan [PATH] [flags]

PATH defaults to the current directory. The directory should contain sfdx-project.json (SFDX) or package.xml (legacy MDAPI). Use --metadata-only to scan a bare retrieved-metadata folder that has neither.

Flags

  • --format <fmt> (enum, default: table) - Output format: table (human-readable summary on the terminal), json (full machine-readable findings), or sarif (the SARIF 2.1.0 format consumed by GitHub Code Scanning and most SAST dashboards).
  • --metadata-only (bool, default: off) - Skip SFDX project detection; treat PATH as a retrieved metadata folder. Use this when scanning a folder that holds only metadata (no Apex source, no sfdx-project.json), for example a console-only org snapshot.

Examples

# Basic source scan over an SFDX project. Prints a one-line table summary.
vulkro-sf scan .

# Full JSON output, piped to a file.
vulkro-sf scan . --format json > vulkro-sf.json

# CI-friendly SARIF for GitHub Code Scanning upload.
vulkro-sf scan . --format sarif > vulkro-sf.sarif

# Metadata-only folder (no Apex, no sfdx-project.json - just a retrieved
# org snapshot).
vulkro-sf scan ./retrieved-metadata --metadata-only

Exit codes

  • 0 - scan completed, no findings.
  • 1 - scan completed, findings were reported (or the install is on a Pro tier that has hit its hard-block boundary).
  • 2 - error: bad arguments, IO failure, parse error, or internal crash. The error message names the cause and the next step.
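A CI wrapper that acts on these three exit codes, added here as an example and not part of the vulkro-sf docs. It assumes vulkro-sf is on PATH and introduces a hypothetical VULKRO_SF_BIN variable so the binary can be swapped out; the point it demonstrates is that exit code 1 (findings) still leaves a complete SARIF file worth uploading, while exit code 2 (tool error) does not.

```shell
#!/bin/sh
# Added example: run `vulkro-sf scan --format sarif` for CI and map the
# documented exit codes (0 clean, 1 findings, 2 error) onto a CI decision.
# Assumption: vulkro-sf is on PATH; VULKRO_SF_BIN (hypothetical) overrides it.

# scan_for_ci PROJECT_DIR SARIF_FILE
#   prints "clean" or "findings" and returns 0 when the SARIF is complete
#   prints "error" and returns 2 when the scan did not complete
scan_for_ci() {
  project_dir="$1"
  sarif_file="$2"
  bin="${VULKRO_SF_BIN:-vulkro-sf}"

  # Under `set -e` a bare `vulkro-sf scan` aborts the job on exit code 1
  # (findings) before any upload step runs, so capture the code explicitly.
  rc=0
  "$bin" scan "$project_dir" --format sarif > "$sarif_file" || rc=$?

  case "$rc" in
    0|1) ;;                              # scan completed; 1 = findings exist
    *)                                   # 2 = bad args / IO / parse / crash
       rm -f "$sarif_file"               # never upload partial output
       echo error
       return 2 ;;
  esac

  # A completed scan emits a SARIF document, which carries a top-level
  # "version" member; an empty or truncated stream must not be uploaded.
  if ! grep -q '"version"' "$sarif_file"; then
    rm -f "$sarif_file"
    echo error
    return 2
  fi

  if [ "$rc" -eq 0 ]; then echo clean; else echo findings; fi
  return 0
}
```

In a pipeline, call `scan_for_ci . vulkro-sf.sarif` and upload the file whenever it returns 0; a return of 2 should fail the job rather than upload whatever was written.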

Where to go next