vulkro-sf org packages
Walks every installed package in the live org and reports risk along three axes: beta-package warnings (an unstable contract), the Connected App OAuth posture of each package (the configuration shape behind the Salesloft Drift and Gainsight incidents), and license-expiration warnings (a soon-to-expire managed-package license is a forced-removal deadline that most orgs only plan for at the last minute).
Unmanaged packages get their own, higher severity floor than managed packages because they are mutable post-install: a developer can edit any component, so the installed code no longer carries the original publisher's review provenance.
Synopsis
vulkro-sf org packages --target-org <alias> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --target-org <alias> | string | (required) | The sf CLI org alias to inspect. |
| --format <fmt> | enum | text | Output format: text, json, or sarif. |
| --include-managed | bool | on | Include managed packages in the report. Pass --include-managed=false to omit them. |
| --unmanaged-only | bool | off | Report only unmanaged packages (skip managed). Useful when you trust managed publishers and only want to audit one-off installs. |
What gets reported
- Installed managed packages - each row carries the package name, namespace, publisher, installed version, the version's release state (Released or Beta), and the count of components the package introduces.
- Installed unmanaged packages - same shape, plus a Medium severity baseline because unmanaged packages are mutable post-install.
- Beta package warnings - any installed package whose installed version is in Beta. Beta versions can be uninstalled by the publisher, can be replaced with a non-backward-compatible release, and do not carry the same review guarantees as a Released version. Reported at Medium severity.
- Connected App OAuth posture per package - for every Connected App owned by an installed package, the OAuth scope set is inspected. The combination of the full scope plus a refresh-token grant (the refresh_token / offline_access scope) is the configuration shape behind the published Drift and Gainsight incidents: an attacker who steals a single refresh token gets a long-lived, full-access surface that outlives any individual access token. Reported at High for any package whose Connected App carries that combination.
- License expiration warnings - any installed managed-package license that expires within 60 days. Reported at Medium severity so the team has runway to renew, evaluate, or remove the package before the forced uninstall.
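The rules above, and the 0/1 exit-code mapping listed under Exit codes, carried through as an added worked example. This is illustrative code written for this page, not vulkro-sf's own implementation: the input shape (one dict per installed package with name, namespace, publisher, managed flag, release state, license expiry, and a scope string per owned Connected App) is an assumption standing in for rows a real run would fetch from the Tooling API objects named under Privacy, and the sample packages are constructed. The scope names full, refresh_token and offline_access are Salesforce's real OAuth scope identifiers.

```python
"""Package-risk rules from the `org packages` page, as an added worked example.

Illustrative code for this page, not vulkro-sf's own implementation. The
input shape is an assumption: one dict per installed package carrying the
fields the report lists. A real run would populate it from the Tooling API
objects named under Privacy.
"""
from datetime import date

LICENSE_RUNWAY_DAYS = 60                               # license-expiration window
REFRESH_SCOPES = {"refresh_token", "offline_access"}   # Salesforce's refresh-token scope names
SAMPLE_TODAY = date(2025, 10, 1)                       # fixed clock for reproducible output

# Constructed sample rows; none of these are real packages or publishers.
SAMPLE_PACKAGES = [
    {"name": "Acme Billing", "namespace": "acmebill", "publisher": "Acme", "managed": True,
     "release_state": "Released", "license_expires": "2026-03-31",
     "connected_apps": [{"name": "Acme Sync", "scopes": "api refresh_token offline_access"}]},
    {"name": "Drifty Chat", "namespace": "drifty", "publisher": "Drifty Inc", "managed": True,
     "release_state": "Released", "license_expires": "2025-11-15",
     "connected_apps": [{"name": "Drifty Connector", "scopes": "full refresh_token offline_access"}]},
    {"name": "Sandbox Helper", "namespace": None, "publisher": "in-house", "managed": False,
     "release_state": "Beta", "license_expires": None, "connected_apps": []},
    {"name": "Quiet Tool", "namespace": "quiet", "publisher": "Quiet Ltd", "managed": True,
     "release_state": "Released", "license_expires": None,
     "connected_apps": [{"name": "Quiet Login", "scopes": "full"}]},
]


def parse_scopes(scope_string):
    """Normalize "full refresh_token" or "full, refresh_token" into a lowercase set."""
    return {s.lower() for s in scope_string.replace(",", " ").split()}


def has_full_plus_refresh(scope_string):
    """The High-severity shape: full access that outlives the access token,
    because a stolen refresh token can mint new ones indefinitely."""
    scopes = parse_scopes(scope_string)
    return "full" in scopes and not scopes.isdisjoint(REFRESH_SCOPES)


def select_packages(packages, include_managed=True):
    """--include-managed=false and --unmanaged-only both drop managed rows."""
    return [p for p in packages if include_managed or not p["managed"]]


def evaluate(packages, today):
    """Apply the four rules to each package and return the findings in order."""
    findings = []

    def add(pkg, rule, severity, detail):
        findings.append({"package": pkg["name"], "namespace": pkg["namespace"],
                         "rule": rule, "severity": severity, "detail": detail})

    for pkg in packages:
        if not pkg["managed"]:                                   # mutable post-install
            add(pkg, "unmanaged-package", "Medium",
                "components editable after install; publisher provenance lost")
        if pkg["release_state"] == "Beta":                       # unstable contract
            add(pkg, "beta-package", "Medium",
                "Beta version installed; no Released-version guarantees")
        for app in pkg["connected_apps"]:                        # OAuth posture
            if has_full_plus_refresh(app["scopes"]):
                add(pkg, "connected-app-oauth", "High",
                    f"{app['name']}: full scope plus refresh-token grant")
        expiry = pkg["license_expires"]                          # forced-removal deadline
        if pkg["managed"] and expiry:
            days_left = (date.fromisoformat(expiry) - today).days
            if 0 <= days_left <= LICENSE_RUNWAY_DAYS:
                add(pkg, "license-expiration", "Medium",
                    f"license expires in {days_left} days")
    return findings


def exit_code(findings):
    """0 = clean, 1 = findings reported. Exit 2 (CLI missing, alias not
    authenticated, network or API error) happens before evaluation runs,
    so it is not modelled here."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = evaluate(select_packages(SAMPLE_PACKAGES), SAMPLE_TODAY)
    for f in results:
        ns = f["namespace"] or "no namespace"
        print(f"[{f['severity']:<6}] {f['rule']:<22} {f['package']} ({ns}): {f['detail']}")
    raise SystemExit(exit_code(results))
```

Run as-is it prints four findings (Drifty Chat at High for the full + refresh-token Connected App and Medium for the 45-day license; Sandbox Helper at Medium twice, for being unmanaged and Beta) and exits 1. Note that Acme Sync (refresh token without full) and Quiet Login (full without a refresh token) produce nothing: the rule fires only on the combination, which is the point of the Drift and Gainsight comparison.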
Examples
# Default: all installed packages, both managed and unmanaged.
vulkro-sf org packages --target-org my-prod
# Audit only one-off unmanaged installs (skip the trusted publishers).
vulkro-sf org packages --target-org my-prod --unmanaged-only
# Skip managed packages but keep unmanaged + beta warnings.
vulkro-sf org packages --target-org my-prod --include-managed=false
# JSON for ingestion into a third-party-risk tracker.
vulkro-sf org packages --target-org my-prod --format json -o packages.json
Exit codes
- 0 - scan completed, no package-risk findings.
- 1 - scan completed, findings were reported.
- 2 - error: sf CLI not on PATH, alias not authenticated, network failure, or the org rejected the Tooling API call.
Privacy
org packages reads InstalledSubscriberPackage, InstalledSubscriberPackageVersion, PackageLicense, ConnectedApplication, and the OAuth scope strings attached to each Connected App. No business-record SOQL is issued: no Account, Opportunity, or Case row is fetched. Package metadata names the publisher and the namespace; it does not name the data the package operates on.
Where to go next
- vulkro-sf org perms - permission-set and profile over-privilege, dormant admins, guest-user posture.
- Connected Apps detector page - the source-side equivalent of the Connected App OAuth posture check this command runs against a live org.
- Detection deep-dive: breach class map - Drift, Gainsight, and the other published incidents this command's rules trace back to.