
Running Code Analyzer
Run Salesforce Code Analyzer across Apex and LWC to get engine-scored violations before promoting to production.
Install
npx skills add https://github.com/forcedotcom/sf-skills --skill running-code-analyzer
What is this skill?
- Aggregates Recommended engine runs with filesAnalyzed and violationCount metadata
- Surfaces PMD rules such as ApexCRUDViolation and ApexDoc on Apex classes
- Includes ESLint findings for LWC (no-var, prefer-const, @lwc/lwc/no-inner-html)
- JSON violations with file, line, column, severity, and fix objects when engines supply them
- Supports prioritization by severity levels on security-sensitive rules
Adoption & trust: 331 installs on skills.sh; 513 GitHub stars; 1/3 security scanners passed (skills.sh audits).
Common Questions / FAQ
Is Running Code Analyzer safe to install?
skills.sh reports 1 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Running Code Analyzer
```json
{
  "metadata": {
    "engine": "Recommended",
    "executedAt": "2026-05-19T10:15:30.123Z",
    "filesAnalyzed": 45,
    "violationCount": 127
  },
  "violations": [
    {
      "rule": "ApexCRUDViolation",
      "engine": "pmd",
      "severity": 2,
      "message": "Validate CRUD permission before SOQL/DML operation",
      "file": "force-app/main/default/classes/AccountService.cls",
      "line": 42,
      "column": 9,
      "fix": null
    },
    {
      "rule": "no-var",
      "engine": "eslint",
      "severity": 3,
      "message": "Unexpected var, use let or const instead.",
      "file": "force-app/main/default/lwc/accountCard/accountCard.js",
      "line": 12,
      "column": 5,
      "fix": { "range": [180, 183], "text": "let" }
    },
    {
      "rule": "ApexDoc",
      "engine": "pmd",
      "severity": 3,
      "message": "Missing ApexDoc comment",
      "file": "force-app/main/default/classes/AccountService.cls",
      "line": 15,
      "column": 1,
      "fix": null
    },
    {
      "rule": "@lwc/lwc/no-inner-html",
      "engine": "eslint",
      "severity": 2,
      "message": "Disallow use of innerHTML",
      "file": "force-app/main/default/lwc/riskComponent/riskComponent.js",
      "line": 28,
      "column": 9,
      "fix": null
    },
    {
      "rule": "prefer-const",
      "engine": "eslint",
      "severity": 3,
      "message": "'data' is never reassigned. Use 'const' instead.",
      "file": "force-app/main/default/lwc/accountCard/accountCard.js",
      "line": 18,
      "column": 5,
      "fix": { "range": [245, 248], "text": "const" }
    }
  ],
  "summary": {
    "bySeverity": { "1": 0, "2": 32, "3": 78, "4": 15, "5": 2 },
    "byEngine": { "pmd": 65, "eslint": 58, "regex": 4 },
    "topRules": [
      {"rule": "ApexDoc", "count": 45},
      {"rule": "no-var", "count": 28},
      {"rule": "prefer-const", "count": 19},
      {"rule": "ApexCRUDViolation", "count": 12},
      {"rule": "@lwc/lwc/no-inner-html", "count": 8}
    ],
    "topFiles": [
      {"file": "force-app/main/default/classes/AccountService.cls", "count": 23},
      {"file": "force-app/main/default/lwc/accountCard/accountCard.js", "count": 18},
      {"file": "force-app/main/default/classes/ContactTriggerHandler.cls", "count": 15}
    ]
  }
}
```

# Common Command Variations

Real-world command patterns with explanations. Use these as reference when building commands for specific scenarios.

---

## Basic Scans

### 1. Scan Entire Workspace (Default)

```bash
sf code-analyzer run \
  --rule-selector Recommended \
  --output-file ./code-analyzer-results-20260519-101030.json \
  --include-fixes \
  2>&1 | tee ./code-analyzer-results-20260519-101030.log
```

**When:** User says "scan my code" with no specifics.

---

### 2. Security-Focused Scan

```bash
sf code-analyzer run \
  --rule-selector "all:Security:(1,2)" \
  --output-file ./code-analyzer-results-20260519-101030.json \
  --include-fixes \
  2>&1 | tee ./code-analyzer-results-20260519-101030.log
```

**When:** User says "check for security issues", "find vulnerabilities", "AppExchange security review".

**Selector breakdown:** `all` = all engines, `:Security` = Security category only, `:(1,2)` = Critical and High severity only.

---

### 3. Specific Engine

```bash
sf code-analyzer run \
  --rule-selector "pmd" \
  --output-file ./code-analyzer-results-20260519-101030.json \
  --include-fixes \
  2>&1 | tee ./code-analyzer-results-20260519-101030.log
```

**When:** User says "run PMD", "check my Apex code".

---

### 4. Multiple Engines

```bash
sf code-analyzer run \
  --rule-selector "(pmd,eslint)" \
  --output-file ./code-analyzer-results-20260519-101030.json \
  --include-fixes \
  2>&1 | tee ./code-analyzer-results-20260519-101030.log
```

**When:** User says "scan Apex and JavaScript", "run PMD and ESLint".

**Selector breakdown:** Parentheses + comma = OR logic.

---

## Targ
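An added example, not part of the skill or of Salesforce's tooling: a CI gate over the results file, assuming it has the shape of the sample JSON in this SKILL.md and that a lower severity number is worse (1 and 2 being Critical and High, as in the selector breakdown). `SAMPLE`, `check_counts`, `triage` and `gate` are names made up here, and the input is constructed.

```python
import json

# Constructed input in the shape of this page's sample results JSON
# (three violations); not output from a real scan.
SAMPLE = json.loads("""
{"metadata": {"violationCount": 3},
 "violations": [
  {"rule": "no-var", "engine": "eslint", "severity": 3, "line": 12,
   "file": "force-app/main/default/lwc/accountCard/accountCard.js",
   "fix": {"range": [180, 183], "text": "let"}},
  {"rule": "@lwc/lwc/no-inner-html", "engine": "eslint", "severity": 2, "line": 28,
   "file": "force-app/main/default/lwc/riskComponent/riskComponent.js", "fix": null},
  {"rule": "ApexCRUDViolation", "engine": "pmd", "severity": 2, "line": 42,
   "file": "force-app/main/default/classes/AccountService.cls", "fix": null}],
 "summary": {"bySeverity": {"1": 0, "2": 2, "3": 1, "4": 0, "5": 0}}}
""")

def check_counts(results):
    """True when metadata, summary and the violations list agree, so a partial
    results file is not mistaken for a clean one."""
    total = results["metadata"]["violationCount"]
    by_sev = sum(results["summary"]["bySeverity"].values())
    return total == by_sev == len(results["violations"])

def triage(results, block_at=2):
    """Split into blocking (severity <= block_at; 1 is Critical, 2 is High),
    auto-fixable (engine supplied a fix object) and manual follow-up."""
    blocking, fixable, manual = [], [], []
    for v in sorted(results["violations"],
                    key=lambda v: (v["severity"], v["file"], v["line"])):
        if v["severity"] <= block_at:
            blocking.append(v)
        elif v.get("fix"):
            fixable.append(v)
        else:
            manual.append(v)
    return blocking, fixable, manual

def gate(results, block_at=2):
    """CI exit status: 2 = inconsistent file, 1 = blocking findings, 0 = pass."""
    if not check_counts(results):
        return 2
    return 1 if triage(results, block_at)[0] else 0

if __name__ == "__main__":
    for v in triage(SAMPLE)[0]:
        print(v["severity"], v["rule"], f'{v["file"]}:{v["line"]}')
    raise SystemExit(gate(SAMPLE))
```

Run on the page's sample JSON as printed, `gate` returns 2, because that sample lists 5 violations while its `violationCount` is 127.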