vulkro-sf sca
Runs the dependency and software-composition analysis pass over a Salesforce project. Inventories installed managed packages, JavaScript bundled inside static resources, and the dependency declarations in the project manifest, then matches each against the offline CVE bundle and the offline threat-intel catalog. Runs entirely on the local machine: no component name, version, or hash leaves the host.
Synopsis
vulkro-sf sca [PATH] [flags]
PATH defaults to the current directory. The directory should contain
sfdx-project.json (SFDX) or package.xml (legacy MDAPI), plus the
retrieved package and static-resource metadata to inventory.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --format <fmt> | enum | table | Output format: table (human-readable summary), json (full machine-readable findings), or sarif (SARIF 2.1.0 for code-scanning dashboards). |
| --metadata-only | bool | off | Skip SFDX project detection; treat PATH as a retrieved metadata folder with no sfdx-project.json. |
Environment variables
| Variable | Description |
|---|---|
| VULKRO_SF_API_VERSION_FLOOR | Override the minimum acceptable apiVersion used by the SF-THREAT-API-EOL-001 check. When set, a component whose apiVersion is below this value is flagged. Defaults to the catalog floor. |
What it does
The pass emits the dependency and threat-intel findings documented on the Dependencies and SCA detector page, including:
| Rule | Finding |
|---|---|
| SF-SCA-001 | vulnerable managed package |
| SF-SCA-002 | end-of-life or unsupported package |
| SF-SCA-003 | vulnerable JavaScript in a static resource |
| SF-SCA-004 | unpinned dependency |
| SF-THREAT-API-EOL-001 | apiVersion below the supported floor |
| SF-THREAT-CERT-EXPIRED-001 | expired self-signed certificate |
| SF-THREAT-CERT-EXPIRED-002 | soon-to-expire self-signed certificate |
Example
# Inventory dependencies and print a table summary.
vulkro-sf sca .
# Full JSON for a dependency dashboard.
vulkro-sf sca . --format json > vulkro-sf-sca.json
# SARIF for code-scanning upload.
vulkro-sf sca . --format sarif > vulkro-sf-sca.sarif
# Enforce a stricter apiVersion floor than the catalog default.
VULKRO_SF_API_VERSION_FLOOR=59.0 vulkro-sf sca .
# Scan a bare retrieved-metadata folder.
vulkro-sf sca ./retrieved-metadata --metadata-only
Exit codes
| Code | Meaning |
|---|---|
| 0 | The pass completed and reported no findings. |
| 1 | The pass completed and reported one or more findings. |
| 2 | Error: bad arguments, IO failure, parse error, or internal crash. The error message names the cause and the next step. |