Before you login:

• Gather the login details for a System Administrator user (they must have Author Apex permissions) on either your Developer Edition org where you’re packaging the code you want to scan, or your Dev Hub org if you’re packaging with 2GP (SFDX and scratch orgs).
• Make sure that the email associated with your DE or Dev Hub org above has been added to your Partner Community Publisher account. To do this, have an admin on your Partner Community account go to ‘Manage Users’ and click ‘Invite new user’ to add your DE or Dev Hub org email ID. Follow the instructions in the invite email to get the user added. (Note: make sure to grant the invited user ‘Listings’ permission.)
• Make sure that the DE or Dev Hub org is also added to the Technologies → Orgs tab of the Partner Community Publishing section. To do this, go to Technologies → Orgs → Click Connect Technology → Select Org → Login to the org via OAuth to link it. (Note: You may need to wait a few minutes for the Org ID to show up in your orgs list. Wait for this to happen before proceeding to the next steps.)

How to login:

1. Log in to the Salesforce Partner Community.
   
2. In another tab, login to your packaging DE org or Dev Hub org via login.salesforce.com
   
3. Go to the Partner Security Portal
   
4. Click Login
   

Use below mentioned steps to submit for a Salesforce Support Case:

1. Log in to Salesforce Partner Community
• Go to Salesforce Partner Community
• Log in with your Salesforce Partner credentials.
2. Click on question (?) mark icon on the top and click on 'Log a Case'
• Add Subject as 'Partner Security Portal Issue'.
• Add Description as '** Partner Security Portal Issue **' with all the details around the issue with Username, Org Id and so on. If the issue is related to Package Listing, please do provide Package Listing Name, Package ID and Package Version Id.
• In the Topic dropdown, select 'Partner Community and AppExchange (Security Review)'
3. Submit the case after filling all the details by clicking the 'Submit' button.
4. A Case Confirmation email will be shared with Case No. to track the case status.
5. IMPORTANT NOTE: You can follow up on your case by logging back into the Partner Community and navigating to the 'My Cases' section under the 'Support' tab.

The Source Code Scanner is a static scanning tool that uses Checkmarx security technology (hence it is often just referred to as the Checkmarx Scanner). It is mandatory for any security review submission that includes a Salesforce package or component. The Scanner checks Apex, Visualforce, and Lightning code, but doesn't check external endpoints of a solution, nor does it work on mobile clients or for API solutions.

Partners scanning for the AppExchange Security Review can use 3 free scans per review. Consider running an alternative tool as you develop, such as Salesforce Code Analyzer, or the PMD Extension for VS Code, and the Source Code Scanner as you finalize your submission. If you want the flexibility and freedom to scan unpackaged code, or bypass scan limits and package linking requirements, you can also purchase a license from Checkmarx directly, but this is typically more financially feasible for large organizations.

To successfully run Checkmarx via this portal, you must submit scans via a user with Author Apex accounts (e.g. a System Admin user) associated to the packaging organization (this would either be a Developer Edition org where you're packaging your code directly, or if you're using a Dev Hub org with SFDX packaging methodology, you would use your Dev Hub org) for your Appexchange package. This packaging organization must be added to your Partner account on the AppExchange.

The scanner will only show packages meeting the following criteria:

• The package must be managed-beta or managed-released. In the case of 2GP, this means you need to “promote” the package version. You will only see package versions that are also showing up in the Partner Community → Publishing → Technologies —> Solutions tab.
• You need to be using the same Dev Hub or Developer Edition org that you used to create the package you want to scan.
• Only the last 10 versions of any given package will show up in the portal.

Yes, the scanner has been successfully tested on both 1GP and 2GP packages.

• For 1GP packages, you will need to access the scanner using the Developer Edition org where you developed the package. Make sure the package you want to scan has been uploaded as “Managed - Released” not beta, as is selected by default when you upload a package.
• For 2GP packages, you'll need to use the Dev Hub org you created the packages with to access the Portal. Make sure the package version you want to scan has been promoted to 'Released'.

If your package was created declaratively without adding custom code, there may not be any scannable content in the package. For example, if your package contains only things like custom objects, fields, reports, flow templates, dashboards, etc. you might not get any results at all from Checkmarx. In this case, for your security review submission, in place of Checkmarx results, you can upload a document stating that your package doesn't contain any code so the Checkmarx scan requirement is not applicable.

Those familiar with static analysis know that there is no single tool that can find all bugs.

It's also well understood that these tools, because they lack insight into the context of the application, can produce false positives as well. It is important to recognize that false negatives and false positives exist in these reports and any given report should not be considered a full and outright security assessment of your application and code. Manual reviews will always be necessary to verify code correctness. That being said, besides manual code review, the Product Security Team also makes use of Salesforce Code Analyzer, and/or the PMD Extension for VS Code, which we would strongly encourage you to use too. Using one of these tools along with Checkmarx will maximize your chances of finding all the Salesforce-code-specific bugs like CRUD/FLS violations, Sharing violations, SOQL injection, etc.

Chimera is a cloud-based security scanning service that combines 4 open-source security scanning tools into one service. Chimera is powered by and scans from the Heroku cloud platform. Custom-built code then combines and analyzes the results from all scanning tools used and provides a single, actionable security report to you.

You would use this scanner on any external (non-Salesforce) integrations that you own/develop and are planning to connect to an AppExchange offering. You would not use this on Salesforce package code or Salesforce web endpoints or APIs. If you are interested in doing so, you may download any of the component scanners that make up Chimera as stand-alone tools and run them against your projects internally. Downloading and running tools individually may be required for mobile or client applications, as well as web applications not accessible to the public internet. The open source scanners currently run as part of Chimera are:

• OWASP Zed Attack Proxy (ZAP): OWASP's Zed Attack Proxy (ZAP) is an open-source penetration testing, web scanning, and attack proxy tool. By making automated requests to your web application ZAP conducts automated black box testing of common web vulnerabilities such as XSS, SQL Injection, CSRF, and many others.
• Nmap: Nmap is a utility for network discovery, allowing us to determine which ports are currently open and accepting connections on your server. This helps an attacker identify which services are installed on your server and potentially which may be vulnerable for exploitation.
• Nikto2: Nikto is a web server scanner which performs black box tests against servers for common vulnerabilities and informational items. This includes vulnerable versions of software which may be installed, dangerous files or programs on the server, and default server or application pages that may still be publicly accessible due to misconfiguration or oversight.
• SSLyze: SSLyze is a scanner that analyzes the SSL configuration and certificate of your server. Through use of SSLyze and other, internal tools, Chimera will report on any misconfigurations or outdated/weak ciphers and libraries your server may be at risk by using.

Note: while OWASP ZAP scan results are an acceptable substitute for Chimera for an AppExchange Security Review submission, none of these other 3 scanning tools (Nmap, Nikto2, or SSLyze) are by themselves a sufficient substitute.

Chimera will not work on every site. Please note the following requirements:

• Chimera is only able to scan web applications that are reachable from the public internet.
• You must own the server hosting the site or service, because we require you to add an abuse prevention token file to the root of your server in order to run the scanner.
• Chimera won't work on AWS-hosted apps.
• Chimera relies on having a lot of "web surface area" to scan, so it tends not to be as useful for API-only systems.
• Chimera won't work for mobile or client apps that aren't reachable by public Internet, so please instead use OWASP ZAP for these types of apps as per instructions put together here.

1. Click the 'Create New Chimera Scan' button.
2. A window will pop up with a link to an abuse prevention token and a form to configure your scan request.
3. Download the token file and upload it as a .txt file to the root of the server you want to test. You should be able to access the file at yourwebsite.com/tokenfilename.txt (if you can't access it, Chimera won't be able to either)
4. Once this is done, fill out the other fields in the popup form:
• Target: the base URL of the site/service you want to scan
• Do Not Scan: URLs that you want the scanner to avoid
• Testing Username: username for the scanner to login with
• Testing Password: password for username above
5. Once you submit the scan, you'll be taken back to the Portal dashboard where you can view the status of the scan.
6. Scans can take a long time. The status should start as "Queued", move to "Working", move to "Ready to Generate", and once done, should show as "Completed." You should receive the results by email a while after the scan completes.

While Chimera will run correctly against your Production service, we recommend you provide a representative staging or development environment so as to mitigate the risk of data loss or corruption. The environment provided to Chimera must be accessible from the public internet.

Scan times vary widely due to factors such as volume, queue size, application size, and network speed/connectivity of the application servers. In general, we see scans complete anywhere from 4-16 hours after starting. Time in queue varies greatly and we cannot provide estimates at this time.

Due to the cloud-based nature of Chimera (we use Heroku for scalability), we are unable to give you an IP address or range that the scanner engines will use. At this time we have no plans to convert to a static IP address or range for Chimera to use. If we do implement this, we will update this page with the IP ranges you can expect to see traffic from.

Chimera does its best to identify how to login to your web application automatically, but this service is not perfect. We are constantly working on improving this service and hope to have a significantly more powerful auto-login engine online soon. We log every failed attempt to determine how to login for jobs that credentials were provided for and investigate to learn from it, so there is no need to email us about every failure. In cases where Chimera was unable to login to your site automatically, we recommend that you download ZAP and run a security scan locally. We will periodically post announcements on this page relating to new releases, including new auto-login engine releases.

Troubleshooting steps:

• You may need to wait a day for the scan to run, depending on the scanner bandwidth and “size” of your scan.
• Double-check that your abuse prevention token can be accessed at yourwebsite.com/tokenfilename.txt
• Check your email to see if you received any error notifications about the scan, or if the results were sent to spam.
• Check your website logs to make sure the scanner was not blocked from your side.
• Double-check the criteria listed in the question above "Does Chimera work on all websites, APIs, and services?"
• If you've waited 48 hours with no results, you may want to try re-initiating the scan.

Since Chimera is not well-supported, you won't be able to get much assistance by logging a Partner Community case. If you can't get the scanner to work, we'd recommend running either just (1) OWASP ZAP, and additionally, if you'd like, any of the other tools that make up the Chimera scanner individually: (2) NMap, (3) Nikto2, and (4) SSLyze. The latter 3 are optional for your security review submission (we will accept OWASP ZAP scan results in place of Chimera, but the other 3 tools would not be valid substitutes on their own because they have narrower scopes). If you have a license for the Burp Suite Scanner (available from PortSwigger), we will also gladly accept Burp scan results in place of Chimera or OWASP ZAP.

Due to the volume of security scans provided by Chimera, we cannot answer technical security questions (which tend to be quite in-depth discussions) on an ad-hoc basis. If you have questions about the issues found on your site, please schedule an Office Hour appointment with the Salesforce Product Security team via this same Portal.

Chimera reports endeavor to give you all information about all issues or potential issues discovered on your site with as much documentation as it is possible for us to provide. Some of these issues may be false positives, or may not be valid security issues. We ask that you carefully review the report and provided documentation and reference. If you have any questions, we are happy to help. Please schedule an Office Hour appointment with the Salesforce Product Security team.

At this time, Chimera is only available to ISV Partners developing external integrations for the AppExchange.

The Security Review is a manual process, performed by one of our security engineers. Having clean Chimera scan results does not guarantee that your external endpoints are free of security issues, nor should you rely on any single tool for this.

All tools (as well as human reviewers) have limited coverage, therefore your software development methodology should include a variety of different security checks, so that issues that are missed by one check are caught by another. For example, architectural reviews during the design phase, linters used as pre-commit hooks, periodic code reviews to ensure compliance with our Secure Coding Guidelines, static analysis scans with other tools like Salesforce Code Analyzer, dynamic analysis testing using webdriver or a similar tool for websites, use of API fuzzers, and even third party penetration testing or code audits are all part of a modern software development process. That being said, one of the best tools for conducting your own security analysis of non-Salesforce endpoints is Burp Suite. At this time, Salesforce cannot provide licenses for this tool, but many features are also available with a free license. Learn more about testing with Burp here.

Salesforce security review teams host office hours for AppExchange partners. During office hours, you have direct, scheduled, web conference access to security review team members. Get answers about the submission process from Security Review Operations or troubleshoot security vulnerabilities with Product Security.

There are 2 types of office hours you can schedule:

Operations Office Hours: During operations office hours, Security Review Operations team members answer questions about security review logistics and submission requirements. Typical questions include:

• What components of the solution are in scope for the security review?
• What type of reports and scan results am I required to provide?
• What happens if the solution that I submit doesn't pass the review?

Technical Office Hours: Technical office hours are available when you need specific security-related technical assistance from the Product Security team. Typical questions include:

• How do I navigate the AppExchange security requirements?
• What is a secure way to design and implement a specific aspect of my solution?
• How do I address issues that the automated security scanning tools detect?
• What does a finding in my security review report mean?
• What security scan results can I regard as false positives?
• How do I resolve the issues in my security review report that I think are false positives?
• Does my reworking of the code fix the security vulnerabilities identified in the security review?

It's true that our office hours can be in very high demand, especially at certain times of the year, such as closer to Dreamforce.

You have the following options:

• For extremely urgent and rare cases, you can reach out to your Partner Account Manager to raise a request for a priority office hour. We cannot guarantee the availability of these but it may be possible in very urgent cases.
• You may be able to get technical advice by posting in the Partner Community Security Review Group, or in the Trailblazer Community.
• In the rare case that all else fails, and you feel that you need extensive professional help getting your app through security review, you may want to consider enlisting a Product Development Outsourcer (PDO).