Partner Security Portal

Accessing the Portal

It's my first time using the Portal. How do I login?
Before you login:
- Get the login details for a System Administrator having Author Apex permissions on either your Developer Edition org where you’re packaging the code you want to scan, or your Dev Hub org if you’re packaging with 2GP (SFDX and scratch orgs).
- Make sure that the email associated with your DE or Dev Hub org is added to your Partner Community Publisher account. To do this, have an admin on your Partner Community account go to ‘Manage Users’ and click ‘Invite new user’ to add your DE or Dev Hub org email ID. Follow the instructions in the invite email to get the user added. (Note: make sure to grant the invited user ‘Listings’ permission.)
- Make sure that the DE or Dev Hub org is also added to the Technologies → Orgs tab of the Partner Community Publishing section. To do this, go to Technologies → Orgs → Click Connect Technology → Select Org → Login to the org via OAuth to link it. (Note: You may need to wait a few minutes for the Org ID to show up in your orgs list. Wait for this to happen before proceeding to the next steps.)
How to login:
1. Log in to the Salesforce Partner Community.
2. In another tab, login to your packaging DE org or Dev Hub org via login.salesforce.com
3. Go to the Partner Security Portal
4. Click Login
If the above login process does not work, what should I do ?
Use below mentioned steps to submit for a Salesforce Support Case:
1. Log in to Salesforce Partner Community
2. Click on question (?) mark icon on the top and click on 'Log a Case'
3. Submit the case after filling all the details by clicking the 'Submit' button.
4. A Case Confirmation email will be shared with Case No. to track the case status.
5. IMPORTANT NOTE: You can follow up on your case by logging back into the Partner Community and navigating to the 'My Cases' section under the 'Support' tab.

Running the Source Code Scanner (AKA Checkmarx)

What is the Source Code Scanner?

The Source Code Scanner is a static scanning tool that uses Checkmarx security technology (hence it is often just referred to as the Checkmarx Scanner). It is mandatory for any security review submission that includes a Salesforce package or component. The Scanner checks Apex, Visualforce, and Lightning code, but doesn't check external endpoints of a solution, nor does it work on mobile clients or for API solutions.
How many scans can I run?

Partners scanning for the AppExchange Security Review can use 3 free scans per review. Consider running an alternative tool as you develop, such as Salesforce Code Analyzer, or the PMD Extension for VS Code, and the Source Code Scanner as you finalize your submission. If you want the flexibility and freedom to scan unpackaged code, or bypass scan limits and package linking requirements, you can also purchase a license from Checkmarx directly, but this is typically more financially feasible for large organizations.
How do I run a Checkmarx scan?

To successfully run Checkmarx via this portal, you must submit scans via a user with Author Apex accounts (e.g. a System Admin user) associated to the packaging organization (this would either be a Developer Edition org where you're packaging your code directly, or if you're using a Dev Hub org with SFDX packaging methodology, you would use your Dev Hub org) for your Appexchange package. This packaging organization must be added to your Partner account on the AppExchange.
The package version I want to scan is not showing up in the Portal. What can I do?
The scanner will only show packages meeting the following criteria:
- The package must be managed-beta or managed-released. In the case of 2GP, this means you need to “promote” the package version. You will only see package versions that are also showing up in the Partner Community → Publishing → Technologies —> Solutions tab.
- You need to be using the same Dev Hub or Developer Edition org that you used to create the package you want to scan.
- Only the last 10 versions of any given package will show up in the portal.
Does the scanner work for both 1GP and 2GP packages?
Yes, the scanner has been successfully tested on both 1GP and 2GP packages.
- For 1GP packages, you will need to access the scanner using the Developer Edition org where you developed the package. Make sure the package you want to scan has been uploaded as “Managed - Released” not beta, as is selected by default when you upload a package.
- For 2GP packages, you'll need to use the Dev Hub org you created the packages with to access the Portal. Make sure the package version you want to scan has been promoted to 'Released'.
My package doesn't contain any Apex, Visualforce, or Lightning Code. Do I still need to scan it?

If your package was created declaratively without adding custom code, there may not be any scannable content in the package. For example, if your package contains only things like custom objects, fields, reports, flow templates, dashboards, etc. you might not get any results at all from Checkmarx. In this case, for your security review submission, in place of Checkmarx results, you can upload a document stating that your package doesn't contain any code so the Checkmarx scan requirement is not applicable.
My Checkmarx results were clean, but my security review still failed. Is the Security Review Team using a different scanning tool?

Those familiar with static analysis know that there is no single tool that can find all bugs.

It's also well understood that these tools, because they lack insight into the context of the application, can produce false positives as well. It is important to recognize that false negatives and false positives exist in these reports and any given report should not be considered a full and outright security assessment of your application and code. Manual reviews will always be necessary to verify code correctness. That being said, besides manual code review, the Product Security Team also makes use of Salesforce Code Analyzer, and/or the PMD Extension for VS Code, which we would strongly encourage you to use too. Using one of these tools along with Checkmarx will maximize your chances of finding all the Salesforce-code-specific bugs like CRUD/FLS violations, Sharing violations, SOQL injection, etc.

Chimera Sunset and DAST Scan

What is a DAST Scan ?

A DAST scan is an automated security test that acts like an attacker to find weaknesses in a live website or app. It helps developers fix problems before real attackers can find and exploit them.
What is changing for Partners regarding the Chimera DAST Scanner ?

As part of Partner Self-Enablement, Chimera will no longer be available. Partners can use a DAST scanner of their choice..
What is NOT changing for Partners ?

Partners still need to submit full DAST scan reports and any false positive documentation. Partners must still ensure Salesforce has permission to conduct a security review of integrated web applications/APIs and submit credentials for third-party integrations.
What should partners do before Chimera is decommissioned ?

Partners will have until June 15, 2025, to download any previous Chimera reports they want to retain.If partners cannot log in to the portal, they should raise a support case with details as soon as possible
What happens if partners don't download their Chimera reports before the deadline ?

Partners WILL NOT BE able to access their Chimera reports after June 16, 2025.
Will Salesforce provide support for Chimera DAST scans after the sunset date?

Salesforce WILL NOT provide any support for Chimera DAST scans after June 16, 2025.
What are the alternatives for Chimera for DAST scanner ?
A DAST (Dynamic Application Security Test) scanner is a security tool that analyzes web applications to identify vulnerabilities by simulating real-world attacks. Unlike static analysis tools (SAST), DAST scanners do not require access to the application's source code; instead, they interact with the application through its front end, just as an end-user or an API client would. Below are a few DAST scanner suggestions:
- OWASP ZAP (Free to Use)
- BurpSuite Enterprise Edition
- Similar industry-standard DAST tools includes, but not limited to:
Can Salesforce assist me in configuring and using the DAST scanner ?

Please reach out to the respective vendor’s support team and documentation for any assistance you need.
What are the essential details that should be included in the DAST Scan report ?

The DAST scan report should present the current security risk level, along with the confidence in the likelihood of risk exploitation, for each respective request and response payload. For reference, please see this template.
What about independent pentest reports instead of DAST Scan reports ?

Salesforce requires full pentest results, not summaries. Pentests should be recent (preferably within 30 days of submission), and all actionable vulnerabilities should be remediated.

Office Hours

What are Office Hours?
Salesforce security review teams host office hours for AppExchange partners. During office hours, you have direct, scheduled, web conference access to security review team members. Get answers about the submission process from Security Review Operations or troubleshoot security vulnerabilities with Product Security.

There are 2 types of office hours you can schedule:
Operations Office Hours: During operations office hours, Security Review Operations team members answer questions about security review logistics and submission requirements. Typical questions include:
- What components of the solution are in scope for the security review?
- What type of reports and scan results am I required to provide?
- What happens if the solution that I submit doesn't pass the review?
Technical Office Hours: Technical office hours are available when you need specific security-related technical assistance from the Product Security team. Typical questions include:
- How do I navigate the AppExchange security requirements?
- What is a secure way to design and implement a specific aspect of my solution?
- How do I address issues that the automated security scanning tools detect?
- What does a finding in my security review report mean?
- What security scan results can I regard as false positives?
- How do I resolve the issues in my security review report that I think are false positives?
- Does my reworking of the code fix the security vulnerabilities identified in the security review?
The next upcoming office hours are too far away. How can I get help sooner?
It's true that our office hours can be in very high demand, especially at certain times of the year, such as closer to Dreamforce.
You have the following options:
- For extremely urgent and rare cases, you can reach out to your Partner Account Manager to raise a request for a priority office hour. We cannot guarantee the availability of these but it may be possible in very urgent cases.
- You may be able to get technical advice by posting in the Partner Community Security Review Group, or in the Trailblazer Community.
- In the rare case that all else fails, and you feel that you need extensive professional help getting your app through security review, you may want to consider enlisting a Product Development Outsourcer (PDO).