vulkro-sf appexchange-report
Renders an offline, self-contained HTML report that mirrors the published AppExchange Security Review checklist. Each finding from the Vulkro Salesforce detectors is mapped to its corresponding checklist section so an ISV reviewer can walk the report top-to-bottom and see PASS / FAIL / NOT EVALUATED per section before submitting a managed package for review.
The report is the single deliverable an ISV hands to their internal security lead (or attaches to their submission package as evidence of a pre-review pass). It is self-contained: CSS and JS are inlined and no asset is fetched from a CDN, so the reviewer can open it on an air-gapped laptop.
Synopsis
vulkro-sf appexchange-report [PATH] -o <report.html> [flags]
PATH defaults to the current directory. The --output (or -o) flag is required and must end in .html.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --output, -o <path> | path | (required) | Where to write the HTML report. Must end in .html. |
| --target-org <alias> | string | none | Also include live-org findings (security settings, profile / permission-set over-privilege, Connected App OAuth posture, Agentforce action review) in the report. Requires sf on PATH. |
| --include-pmd | bool | off | Include findings from the PMD Salesforce-mandatory ruleset alongside Vulkro's. PMD must be on PATH. |
| --executive-summary | bool | off | Prepend a one-page executive summary to the top of the HTML: total findings, section-pass rate, top 3 risk areas, and an action list. Intended for hand-off to a non-developer reviewer. |
Report sections
The report mirrors the published AppExchange Security Review checklist as of the date pinned in the header. Each section is rendered as its own row with a PASS / FAIL / NOT EVALUATED pill and, when FAIL, a table of the findings that caused the section to fail.
- Code Quality and Best Practices - SOQL injection, unsafe deserialization, open redirect, dynamic Visualforce iframe URLs.
- Object and Field Permissions (CRUD / FLS) - missing CRUD/FLS enforcement, IDOR, mass assignment, system-mode DML in Flows.
- External Sharing - sharing-rule bypass, `without sharing` on classes that do DML, system-mode Flow execution.
- Access Control and Sharing Settings - over-privileged profiles and permission sets, dormant admin assignments, guest-user license posture.
- OAuth and Connected Apps - `Full` OAuth scope, cleartext callback URL, hardcoded `consumerSecret` or `consumerKey` in metadata.
- Sensitive Data Storage and Logging - hardcoded API keys, credentials in browser storage, named-credential merge fields in request bodies, debug statements emitting PII.
- Cryptography - weak crypto primitives (MD5, SHA-1, DES, RC4), ECB-mode block cipher usage.
- Lightning Component Security (LWC + Aura) - XSS surface, dangerous JS primitives, credential-shape identifiers.
- Visualforce Security - `escape="false"`, dynamic script load, controller-exposed request parameters.
- Named Credentials and External Integrations - hardcoded passwords, cleartext endpoints, anonymous principals carrying secrets.
- Flow Security - hardcoded IDs, system-mode DML, SystemMode context.
The checklist label in the rendered report always matches the public Partner Community section name verbatim. The header pins the checklist version date so the result is reproducible: a report generated today will look the same a year from now, even if the public checklist changes in between.
Examples
# Source-only report for a pre-submission review.
vulkro-sf appexchange-report . -o appexchange.html
# Source + live-org for full coverage (recommended before final submission).
vulkro-sf appexchange-report . --target-org my-prod -o appexchange-full.html
# Hand-off to a non-developer reviewer: exec summary on the first page.
vulkro-sf appexchange-report . --target-org my-prod --executive-summary -o exec-report.html
# Include the PMD Salesforce-mandatory ruleset findings.
vulkro-sf appexchange-report . --include-pmd -o appexchange-pmd.html
Exit codes
- 0 - every covered checklist section passed (zero findings on every section, and at least one section had detector coverage).
- 1 - at least one section is FAIL (or the install is on a Pro tier that has hit its hard-block boundary).
- 2 - error: bad arguments (e.g. missing -o), IO failure, parse error, or internal crash.
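The following is an added example, not Vulkro's own code, that models the two rules described above: how findings are grouped into checklist sections to produce the PASS / FAIL / NOT EVALUATED pill, and how the section results collapse into the documented exit codes. The detector ids, the detector-to-section map and the sample findings are constructed for illustration; the page does not specify what a run with no detector coverage at all returns, and treating that case as exit 2 is this example's assumption. The renderer also shows the one thing a self-contained HTML report must get right: finding text comes from scanned source (paths, code excerpts) and is escaped before it is inlined.

```python
"""Model of the section-status and exit-code rules documented for
vulkro-sf appexchange-report. Added example, not Vulkro's code: detector
ids, the detector->section map and the findings are constructed."""
import html
from collections import defaultdict

# Checklist section names, in the order of the "Report sections" list.
SECTIONS = [
    "Code Quality and Best Practices",
    "Object and Field Permissions (CRUD / FLS)",
    "External Sharing",
    "Access Control and Sharing Settings",
    "OAuth and Connected Apps",
    "Sensitive Data Storage and Logging",
    "Cryptography",
    "Lightning Component Security (LWC + Aura)",
    "Visualforce Security",
    "Named Credentials and External Integrations",
    "Flow Security",
]

# Hypothetical detector ids -> checklist section (constructed mapping).
DETECTOR_SECTION = {
    "soql-injection": "Code Quality and Best Practices",
    "missing-crud-fls": "Object and Field Permissions (CRUD / FLS)",
    "without-sharing-dml": "External Sharing",
    "weak-hash-md5": "Cryptography",
    "vf-escape-false": "Visualforce Security",
}

PASS, FAIL, NOT_EVALUATED = "PASS", "FAIL", "NOT EVALUATED"


def section_status(findings, detectors_run):
    """Group findings by checklist section and derive each section's pill.

    FAIL          - at least one finding landed in the section
    PASS          - no findings, and at least one detector for it ran
    NOT EVALUATED - no detector for that section ran at all
    Returns (status_by_section, findings_by_section)."""
    covered = {DETECTOR_SECTION[d] for d in detectors_run}
    by_section = defaultdict(list)
    for f in findings:
        sec = DETECTOR_SECTION[f["detector"]]
        by_section[sec].append(f)
        covered.add(sec)  # a finding proves its detector ran
    status = {}
    for sec in SECTIONS:
        if by_section[sec]:
            status[sec] = FAIL
        elif sec in covered:
            status[sec] = PASS
        else:
            status[sec] = NOT_EVALUATED
    return status, dict(by_section)


def exit_code(status):
    """0: every covered section PASS and at least one is covered; 1: any FAIL.
    Zero coverage is unspecified on the page; returning 2 is an assumption."""
    values = status.values()
    if FAIL in values:
        return 1
    if PASS in values:
        return 0
    return 2


def validate_output(path):
    """-o is required and must end in .html; a bad argument is exit 2."""
    if not path or not path.endswith(".html"):
        return 2
    return None


def render_rows(status, by_section):
    """One <tr> per section with its pill and, on FAIL, the finding table.
    Finding text originates in scanned source, so it is HTML-escaped."""
    rows = []
    for sec in SECTIONS:
        css = status[sec].lower().replace(" ", "-")
        pill = f'<span class="pill {css}">{status[sec]}</span>'
        detail = ""
        if status[sec] == FAIL:
            items = "".join(
                f"<li>{html.escape(f['file'])}: {html.escape(f['message'])}</li>"
                for f in by_section[sec]
            )
            detail = f"<ul>{items}</ul>"
        rows.append(f"<tr><td>{html.escape(sec)}</td><td>{pill}</td><td>{detail}</td></tr>")
    return "\n".join(rows)


# Constructed sample run: four detectors ran, two produced findings.
SAMPLE_FINDINGS = [
    {"detector": "soql-injection", "file": "classes/Search.cls",
     "message": "Dynamic SOQL built from <b>unescaped</b> request parameter"},
    {"detector": "weak-hash-md5", "file": "classes/Token.cls",
     "message": "Crypto.generateDigest('MD5', ...)"},
]
SAMPLE_DETECTORS = ["soql-injection", "missing-crud-fls",
                    "without-sharing-dml", "weak-hash-md5"]

if __name__ == "__main__":
    st, by = section_status(SAMPLE_FINDINGS, SAMPLE_DETECTORS)
    print(render_rows(st, by))
    print("exit", validate_output("appexchange.html") or exit_code(st))
```

With the sample run, Code Quality and Cryptography are FAIL, the two other covered sections are PASS, the remaining seven are NOT EVALUATED, and the process exit is 1. Removing both findings turns the exit into 0 because at least one section is still covered; an empty detector set yields the assumed error exit. The `<b>` in the constructed message survives only as `&lt;b&gt;`, which is the property an offline report viewed in a browser needs.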
Where to go next
- Output: AppExchange HTML report - the format reference, section layout, and reading guide.
- AppExchange readiness - background on the published Security Review checklist and how Vulkro maps to it.
- vulkro-sf scan - run the full detector pipeline without the AppExchange-section grouping.