vulkro-sf scan
The primary scanning command. Walks an SFDX project (or a retrieved
metadata folder), runs every Vulkro Salesforce detector over the source,
and emits findings in the requested format. The optional
--target-org flag pulls live-org posture, identity, Connected App, and
Agentforce data in the same pass so a single invocation covers both
source and org-shape.
Synopsis
vulkro-sf scan [PATH] [flags]
PATH defaults to the current directory. The directory should contain
sfdx-project.json (SFDX) or package.xml (legacy MDAPI). Use
--metadata-only to scan a bare retrieved-metadata folder that has
neither.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
--format <fmt> | enum | text | Output format: text, sarif, json, html, junit. |
--output, -o <path> | path | stdout | Write the report to a file instead of stdout. |
--min-confidence <level> | enum | medium | Floor for emitted findings: high, medium, low. Filters before exit-code computation. |
--category <name> | enum (repeatable) | all | Limit detectors by category: code, posture, identity, third-party, agentforce. Pass the flag multiple times to combine. |
--include-pmd | bool | off | Shell out to PMD for the Salesforce-mandatory Apex ruleset and merge findings into the same report. PMD must be on PATH. |
--metadata-only | bool | off | Skip SFDX project detection; treat PATH as a retrieved metadata folder. No Apex compilation context is assumed. |
--baseline <path> | path | none | Load a baseline JSON file. Only net-new findings are reported and counted toward the exit code. |
--since <git-ref> | string | none | PR-style diff scan: only emit findings on lines changed versus the given git ref (e.g. main, HEAD~3, origin/main). |
--target-org <alias> | string | none | Also pull live-org posture (security settings, sharing rules), identity (profiles, permission sets), Connected Apps, and Agentforce actions via the sf CLI. Requires sf on PATH. |
--quiet | bool | off | Suppress progress output. Print only the final report (or nothing if the format writes to a file). |
--verbose | bool | off | Print per-file scan progress and detector timing. |
Examples
# Basic source scan over an SFDX project.
vulkro-sf scan .
# CI-friendly SARIF emitted to a file for GitHub Code Scanning upload.
vulkro-sf scan . --format sarif -o vulkro-sf.sarif
# Self-contained HTML report for hand-off to a reviewer.
vulkro-sf scan . --format html -o report.html
# PR-scoped diff scan: only flag what changed versus main.
vulkro-sf scan . --since origin/main --min-confidence high
# One-shot source + live-org pass with the org-shape posture included.
vulkro-sf scan . --target-org my-prod --format json -o full-scan.json
Exit codes
0- scan completed, no findings at or above--min-confidence.1- scan completed, findings were reported (or the install is on a Pro tier that has hit its hard-block boundary).2- error: bad arguments, IO failure, parse error, or internal crash. The error message names the cause and the next step.
Where to go next
- vulkro-sf antipatterns - run the Salesforce Well-Architected anti-pattern detector instead of the security pipeline.
- vulkro-sf appexchange-report - render the pre-submission readiness HTML report.
- Output: SARIF - the format reference for the CI / code-scanning lane.