# Salesforce compliance mapping

Vulkro maps every Salesforce-specific finding into the controls of the
nine compliance frameworks it ships with. The mapping is dynamic: when
you run `vulkro compliance . --profile <name>`, every finding's OWASP
category is fanned out across the controls that depend on it.

For state-government, ISV, and AppExchange Security Review buyers, the
two most relevant frameworks added in this release are NIST SP 800-53
(reused by StateRAMP) and a tightened SOC2 mapping that covers the
sharing-rule posture findings from `apex_crud_fls`.
## NIST SP 800-53 Rev. 5 / StateRAMP

```shell
vulkro compliance . --profile nist-800-53
# StateRAMP alias resolves to the same control set:
vulkro compliance . --profile stateramp
```
| Control | Title | Salesforce findings that feed it |
|---|---|---|
| AC-2 | Account management | Hardcoded credentials in metadata; unauthenticated endpoints; Connected App secrets in source |
| AC-3 | Access enforcement | CRUD/FLS bypass; BOLA / BFLA on Apex REST and `@AuraEnabled`; `without sharing` on request-reachable classes |
| AC-4 | Information flow enforcement | Sharing-mode posture: `with sharing` vs `without sharing`; `WITH SECURITY_ENFORCED`; `Security.stripInaccessible` |
| AC-6 | Least privilege | Profile / Permission Set over-grants (`ModifyAllData`, `AuthorApex`, `CustomizeApplication`); Connected App Full OAuth scope |
| AU-2 | Audit events | Sensitive flows lacking rate / anti-automation controls |
| IA-5 | Authenticator management | Hardcoded passwords; Named Credential passwords in metadata; Connected App `<consumerSecret>` in metadata |
| SC-8 | Transmission confidentiality / integrity | Named Credentials with `http://` endpoints; Connected Apps with `http://` callback URLs |
| SC-13 | Cryptographic protection | Weak / deprecated crypto algorithms; MD5 / SHA1 on sensitive data |
| SI-7 | Software, firmware, and information integrity | CVE matches in dependencies |
| SI-10 | Information input validation | SOQL injection; mass-assignment; Visualforce XSS via `escape="false"` and merge-field-in-script |
| CM-7 | Least functionality | Dangerous OAuth scopes; debug endpoints exposed |
StateRAMP is structurally a NIST 800-53 profile (the same controls
catalog, scoped to state government). The aliases `stateramp` and
`state-ramp` both resolve to this mapping; the report header reads
"NIST SP 800-53 Rev. 5 (StateRAMP profile)" so an auditor sees the
underlying catalog.
## SOC 2 (Trust Services Criteria)

```shell
vulkro compliance . --profile soc2
```

The Salesforce findings fold into the same CC6 / CC7 / CC8 rows that power the language-agnostic SOC2 mapping:
| Control | Salesforce findings that feed it |
|---|---|
| CC6.1 | Apex routes without auth; `@AuraEnabled` methods with no profile / FLS check; BOLA on path-id routes |
| CC6.6 | Profile over-grants on non-admin profiles (privileged access) |
| CC6.7 | Callouts to outbound URLs without an allow-list (SSRF shape, less common in Apex but flagged via `taint.rs`) |
| CC6.8 | Standard SObject PII fields exposed in Apex REST / Visualforce / LWC `@wire` returns (via `sf_pii_map`) |
| CC7.1 | Sensitive flows lacking rate / anti-automation controls |
| CC7.2 | CVE matches in `package.xml` or `force-app/main/default/staticresources/*` dependencies |
| CC9.1 | Hardcoded secrets in metadata; cleartext Named Credential endpoints; Connected App Full OAuth scope |
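The fan-out described at the top of this page, with the alias resolution and report header from the NIST / StateRAMP section, as an added illustration that is not Vulkro's own code. The control IDs and profile names come from the two tables above; the category keys and the sample findings are constructed for the example and are not Vulkro's internal names or real scanner output.

```python
from collections import defaultdict

# Category -> controls per profile, a subset of the tables above. The
# category keys are assumed labels, not Vulkro's internal names.
CONTROL_MAP = {
    "nist-800-53": {
        "hardcoded-credential": ["AC-2", "IA-5"],
        "crud-fls-bypass": ["AC-3"],
        "sharing-posture": ["AC-4"],
        "oauth-full-scope": ["AC-6", "CM-7"],
        "cleartext-endpoint": ["SC-8"],
    },
    "soc2": {
        "hardcoded-credential": ["CC9.1"],
        "crud-fls-bypass": ["CC6.1"],
        "oauth-full-scope": ["CC9.1"],
        "cleartext-endpoint": ["CC9.1"],
    },
}
HEADERS = {"nist-800-53": "NIST SP 800-53 Rev. 5", "soc2": "SOC 2 (Trust Services Criteria)"}
# alias -> (catalog it resolves to, suffix shown in the report header)
ALIASES = {"stateramp": ("nist-800-53", " (StateRAMP profile)"),
           "state-ramp": ("nist-800-53", " (StateRAMP profile)")}

def resolve_profile(name):
    """Return (catalog, report header) for a profile or one of its aliases."""
    catalog, suffix = ALIASES.get(name, (name, ""))
    if catalog not in CONTROL_MAP:
        raise ValueError(f"unknown profile: {name}")
    return catalog, HEADERS[catalog] + suffix

def fan_out(findings, profile):
    """Map each finding onto every control its category feeds in the profile."""
    catalog, header = resolve_profile(profile)
    by_control = defaultdict(list)
    for f in findings:
        for ctrl in CONTROL_MAP[catalog].get(f["category"], []):
            by_control[ctrl].append(f["id"])
    return header, dict(by_control)

# Constructed sample findings, not real scanner output.
SAMPLE = [
    {"id": "F1", "category": "hardcoded-credential"},
    {"id": "F2", "category": "oauth-full-scope"},
    {"id": "F3", "category": "sharing-posture"},  # no SOC 2 row, so dropped there
]

if __name__ == "__main__":
    print(fan_out(SAMPLE, "stateramp"))
```

Note that a finding such as F2 lands in two NIST controls (AC-6 and CM-7) but only one SOC 2 row, and that F3 disappears from the SOC 2 report entirely because no row depends on its category.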
## Mapping into the AppExchange Security Review

The AppExchange Security Review checklist (P8.6 readiness report, ships separately) leans on the same per-finding category lookup. The most relevant Vulkro detector classes:

- Code injection in Apex: SOQL injection, mass-assignment, `JSON.deserialize` without schema
- Object and field permissions: CRUD/FLS bypass per-method, `sf_metadata` permission set audit
- Callouts to external services: Named Credential cleartext + merge-body + hardcoded creds; callout-credential headers in Apex
- Cross-site scripting: Visualforce XSS (5 rules), LWC manual-DOM XSS
- Secrets management: hardcoded API keys / credentials in Apex; Named Credential metadata secrets; Connected App secrets
## What is not covered yet

- FedRAMP-specific overlays beyond what the NIST 800-53 baseline covers.
- PCI-DSS-specific Salesforce mappings (the existing `pci` profile works on every finding regardless of platform, but does not yet carry SF-specific row prose).
- StateRAMP "Significant Impact" tier-specific control overlays.