Before you log in:
How to log in:
The scanner will only show packages meeting the following criteria:
Yes, the scanner has been successfully tested on both 1GP and 2GP packages.
Those familiar with static analysis know that there is no single tool that can find all bugs.
It's also well understood that these tools, because they lack insight into the context of the application, can produce false positives as well. It is important to recognize that false negatives and false positives exist in these reports and any given report should not be considered a full and outright security assessment of your application and code. Manual reviews will always be necessary to verify code correctness. That being said, besides manual code review, the Product Security Team also makes use of Salesforce Code Analyzer, and/or the PMD Extension for VS Code, which we would strongly encourage you to use too. Using one of these tools along with Checkmarx will maximize your chances of finding all the Salesforce-code-specific bugs like CRUD/FLS violations, Sharing violations, SOQL injection, etc.
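The three Salesforce-specific bug classes named above, shown as an added Apex example (not code from this FAQ or from Salesforce): each method pairs the pattern Code Analyzer / PMD would flag with its corrected form. The custom object `Invoice__c`, its field `Status__c` and the class names are assumptions for illustration.

```apex
// Added example (not from the Salesforce FAQ). Assumes a custom object
// Invoice__c with a picklist/text field Status__c.

// 1) Sharing violation: a class declared "without sharing" (or with no
//    sharing keyword when called from such a class) ignores record-level
//    access. Declaring "with sharing" enforces the running user's sharing rules.
public with sharing class InvoiceService {

    public class AccessException extends Exception {}

    // 2) SOQL injection + 3) CRUD/FLS violation, in one method:
    //    the caller-supplied value is concatenated into the query string,
    //    and nothing checks that the user may read Invoice__c or Status__c.
    public static List<Invoice__c> findUnsafe(String status) {
        String q = 'SELECT Id, Status__c FROM Invoice__c '
                 + 'WHERE Status__c = \'' + status + '\'';
        return Database.query(q);
    }

    // Hardened: a bind variable (:status) is never parsed as SOQL, so the
    // value cannot change the query; WITH USER_MODE makes the platform
    // enforce object- and field-level permissions of the running user.
    public static List<Invoice__c> findSafe(String status) {
        return [SELECT Id, Status__c
                FROM Invoice__c
                WHERE Status__c = :status
                WITH USER_MODE];
    }

    // Hardened DML: check object-level update access, then strip any fields
    // the user is not allowed to update before writing the records.
    public static void updateStatus(List<Invoice__c> invoices) {
        if (!Schema.sObjectType.Invoice__c.isUpdateable()) {
            throw new AccessException('No update access to Invoice__c');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, invoices);
        update decision.getRecords();
    }
}
```

Running Salesforce Code Analyzer (or the PMD extension) over a class containing `findUnsafe` reports the concatenated query and the missing CRUD/FLS check; `findSafe` and `updateStatus` show the shape that clears those rules.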
A DAST scan is an automated security test that acts like an attacker to find weaknesses in a live website or app. It helps developers fix problems before real attackers can find and exploit them.
As part of Partner Self-Enablement, Chimera will no longer be available. Partners can use a DAST scanner of their choice.
Partners still need to submit full DAST scan reports and any false positive documentation. Partners must still ensure Salesforce has permission to conduct a security review of integrated web applications/APIs and submit credentials for third-party integrations.
Partners will have until June 15, 2025, to download any previous Chimera reports they want to retain. If partners cannot log in to the portal, they should raise a support case with details as soon as possible.
Partners WILL NOT BE able to access their Chimera reports after June 16, 2025.
Salesforce WILL NOT provide any support for Chimera DAST scans after June 16, 2025.
A DAST (Dynamic Application Security Test) scanner is a security tool that analyzes web applications to identify vulnerabilities by simulating real-world attacks. Unlike static analysis tools (SAST), DAST scanners do not require access to the application's source code; instead, they interact with the application through its front end, just as an end-user or an API client would. Below are a few DAST scanner suggestions:
Please reach out to the respective vendor’s support team and documentation for any assistance you need.
The DAST scan report should present the current security risk level, along with the confidence in the likelihood of risk exploitation, for each respective request and response payload. For reference, please see this template.
Salesforce requires full pentest results, not summaries. Pentests should be recent (preferably within 30 days of submission), and all actionable vulnerabilities should be remediated.
Salesforce security review teams host office hours for AppExchange partners. During office hours, you have direct, scheduled, web conference access to security review team members. Get answers about the submission process from Security Review Operations or troubleshoot security vulnerabilities with Product Security.
There are 2 types of office hours you can schedule:
Operations Office Hours: During operations office hours, Security Review Operations team members answer questions about security review logistics and submission requirements. Typical questions include:

It's true that our office hours can be in very high demand, especially at certain times of the year, such as closer to Dreamforce.
You have the following options: