{"id":28828971,"url":"https://github.com/forcedotcom/run-code-analyzer","last_synced_at":"2025-12-30T13:05:17.049Z","repository":{"id":215151705,"uuid":"620528802","full_name":"forcedotcom/run-code-analyzer","owner":"forcedotcom","description":"GitHub Action to run Salesforce Code Analyzer","archived":false,"fork":false,"pushed_at":"2025-06-02T21:17:22.000Z","size":4300,"stargazers_count":54,"open_issues_count":5,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-07T21:23:31.557Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/forcedotcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-03-28T21:32:24.000Z","updated_at":"2025-06-02T20:18:33.000Z","dependencies_parsed_at":"2025-01-23T20:22:39.839Z","dependency_job_id":"91841f9a-6477-476a-8fdc-df07b4d305ec","html_url":"https://github.com/forcedotcom/run-code-analyzer","commit_stats":null,"previous_names":["forcedotcom/run-code-analyzer"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/forcedotcom/run-code-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forcedotcom%2Frun-code-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forcedotcom%2Frun-code-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forcedotcom%2Frun-code-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forcedotcom%2Frun-code-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/forcedotcom","download_url":"https://codeload.github.com/forcedotcom/run-code-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forcedotcom%2Frun-code-analyzer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260690928,"owners_count":23047104,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-19T05:11:08.786Z","updated_at":"2025-12-30T13:05:17.044Z","avatar_url":"https://github.com/forcedotcom.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Run Salesforce Code Analyzer - GitHub Action\n\n![CI](https://github.com/actions/typescript-action/actions/workflows/ci.yml/badge.svg)\n[![Check dist/](https://github.com/actions/typescript-action/actions/workflows/check-dist.yml/badge.svg)](https://github.com/actions/typescript-action/actions/workflows/check-dist.yml)\n[![CodeQL](https://github.com/actions/typescript-action/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/actions/typescript-action/actions/workflows/codeql-analysis.yml)\n[![Coverage](./badges/coverage.svg)](./badges/coverage.svg)\n\nThe `run-code-analyzer` GitHub Action scans your code for violations using\n[Salesforce Code Analyzer](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/overview), uploads the results as an artifact, and displays\nthe results as a job summary.\n\n# Version: v2\nThe `forcedotcom/run-code-analyzer@v2` GitHub Action is based on [Salesforce Code Analyzer v5.x](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer.html), which is the `code-analyzer` Salesforce CLI plugin.\n\n## v2 Inputs\n* \u003cb\u003e`run-arguments`\u003c/b\u003e *(Default: `--view detail --output-file sfca_results.json`)*\n  * Specifies the flags passed to the `code-analyzer run` command.\n    * For a full list of valid flags for the `code-analyzer run` command, see the [code-analyzer Command Reference](https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_code-analyzer_commands_unified.htm).\n  * The stdout text from the `code-analyzer run` command is written to the [GitHub workflow run logs](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/using-workflow-run-logs).\n  * Each output file specified by a `--output-file` (or `-f`) flag is included in the ZIP archive [GitHub workflow run artifact](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts) for you to download.\n* \u003cb\u003e`results-artifact-name`\u003c/b\u003e  *(Default: `salesforce-code-analyzer-results`)*\n  * Specifies the name of the ZIP archive [GitHub workflow run artifact](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/downloading-workflow-artifacts) where the results output files are uploaded.\n* \u003cb\u003e`github-token`\u003c/b\u003e\n  * When this action is run against a pull request, you can provide a GitHub token, which is used to create a review of the pull request. The review specifies how many violations were found (both in the project as a whole and in changed files) and links to the action summary page.\n  * This token must have write permissions for pull requests.\n    * You can use the default GitHub token stored as the `GITHUB_TOKEN` secret, as long as you also use the job-level `permissions` property to give that token write access for pull requests.\n\n## v2 Outputs\n* `exit-code`\n  * The Salesforce Code Analyzer execution exit code.\n* `num-violations`\n  * The total number of violations found.\n* `num-sev1-violations`\n  * The number of Critical (1) severity violations found.\n* `num-sev2-violations`\n  * The number of High (2) severity violations found.\n* `num-sev3-violations`\n  * The number of Medium (3) severity violations found.\n* `num-sev4-violations`\n  * The number of Low (4) severity violations found.\n* `num-sev5-violations`\n  * The number of Info (5) severity violations found.\n* `num-violations-in-changed-files`\n  * The total number of violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `num-sev1-violations-in-changed-files`\n  * The number of Critical (1) severity violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `num-sev2-violations-in-changed-files`\n  * The number of High (2) severity violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `num-sev3-violations-in-changed-files`\n  * The number of Medium (3) severity violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `num-sev4-violations-in-changed-files`\n  * The number of Low (4) severity violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `num-sev5-violations-in-changed-files`\n  * The number of Info (5) severity violations found in files changed by the pull request.\n  * Only available when running on a pull request with a `github-token` provided.\n* `review-id`\n  * If the action created a pull request review, this is its ID.\n\nThis `run-code-analyzer@v2` action doesn't exit your GitHub workflow when it finds violations. We recommend that you add a subsequent step to your workflow that uses the available outputs to determine how your workflow should proceed.\n\n**Tip:** The `*-in-changed-files` outputs are useful when introducing code analysis to a legacy codebase with existing violations. You can ensure new code meets quality standards without blocking PRs due to pre-existing issues. See \"Option 2\" in the example below.\n\n## Environment Prerequisites\nThe [Salesforce Code Analyzer v5.x](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer.html) and its bundled engines can each have their own set of requirements in order to run successfully. We recommend that you set up your GitHub runner(s) with this software:\n* `node` version 20.9.0 or greater\n  * Required by all engines.\n* `java` version 11 or greater\n  * Required by some engines, such as `pmd` and `cpd`, unless those engines have been explicitly disabled in your `code-analyzer.yml` configuration file.\n* `python` version 3.10 or greater\n  * Required by some engines, such as `flowtest`, unless those engines have been explicitly disabled in your `code-analyzer.yml` configuration file.\n\n## Example v2 Usage\n\n    name: Salesforce Code Analyzer Workflow\n    on:\n      pull_request:\n    jobs:\n      salesforce-code-analyzer-workflow:\n        permissions:\n          pull-requests: write # Grants permission to create a pull request review. Only necessary if running against pull requests.\n          contents: read # Grants permission to check out the repository. Only necessary for private repos.\n          actions: read # Grants permission to read the in-progress actions. Only necessary for private repos.\n        runs-on: ubuntu-latest\n        steps:\n          - name: Check out files\n            uses: actions/checkout@v5\n\n          # PREREQUISITES - Only needed if the runner doesn't already satisfy these requirements.\n          - name: Ensure node v20.9.0 or greater\n            uses: actions/setup-node@v5\n            with:\n              node-version: '\u003e=20.9.0'\n          - name: Ensure java v11 or greater\n            uses: actions/setup-java@v5\n            with:\n              java-version: '\u003e=11'\n              distribution: 'zulu'\n          - name: Ensure python v3.10 or greater\n            uses: actions/setup-python@v6\n            with:\n              python-version: '\u003e=3.10'\n\n          - name: Install Salesforce CLI\n            run: npm install -g @salesforce/cli@latest\n    \n          - name: Install Latest Salesforce Code Analyzer CLI Plugin\n            run: sf plugins install code-analyzer@latest\n    \n          - name: Run Salesforce Code Analyzer\n            id: run-code-analyzer\n            uses: forcedotcom/run-code-analyzer@v2\n            with:\n              run-arguments: --workspace . --view detail --output-file sfca_results.html --output-file sfca_results.json\n              results-artifact-name: salesforce-code-analyzer-results\n              github-token: ${{ github.token }}\n    \n          # Option 1: Quality gate on ALL files in the repository\n          - name: Fail on Critical/High Violations (All Files)\n            if: |\n              steps.run-code-analyzer.outputs.exit-code \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-sev1-violations \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-sev2-violations \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-violations \u003e 10\n            run: exit 1\n\n          # Option 2: Quality gate on CHANGED files only (useful for legacy codebases)\n          - name: Fail on Critical/High Violations (Changed Files Only)\n            if: |\n              steps.run-code-analyzer.outputs.num-sev1-violations-in-changed-files \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-sev2-violations-in-changed-files \u003e 0\n            run: exit 1\n\n# Version: v1\nThe `forcedotcom/run-code-analyzer@v1` GitHub Action is based on [Salesforce Code Analyzer v4.x](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer-3x.html), which is the original `@salesforce/sfdx-scanner` Salesforce CLI plugin.\n\n**Note:**\n\u003e Starting May 1, 2025, we no longer support v4.x of Code Analyzer. You should use v5.x of Code Analyzer instead. See https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer.html. For information about migrating from v4.x to v5.x, see https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/migrate.html.\n\n\u003e We recommend that you use the `run-code-analyzer@v2` GitHub Action, because it's based on v5.x. (see [above](./README.md#run-salesforce-code-analyzer---github-action))\n\n* \u003cb\u003e`run-command`\u003c/b\u003e  *(Default: `run`)*\n  * Specifies the Salesforce Code Analyzer command to run.\u003cbr/\u003e\n    Possible values are: *`run`, `run dfa`*.\u003cbr/\u003e\n  * For more info on Code Analyzer, read our [documentation](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/overview).\n* \u003cb\u003e`run-arguments`\u003c/b\u003e  *(Default: `--normalize-severity`)*\n  * Specifies arguments passed to the specified `run-command` value.\u003cbr/\u003e\n    The arguments provided must include *`--normalize-severity`*.\u003cbr/\u003e\n    To control the output file included in the uploaded artifact, specify an output file with the *`--outfile`* argument.\u003cbr/\u003e\n    If an output file isn’t specified, results are written to GitHub workflow run logs and a\n    *SalesforceCodeAnalyzerResults.json* file is included in the uploaded artifact.\n  * For a full list of acceptable arguments, read the appropriate Command Reference:\n    * [sf scanner run](https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_scanner_commands_unified.htm#cli_reference_scanner_run_unified)\n    * [sf scanner run dfa](https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_scanner_commands_unified.htm#cli_reference_scanner_run_dfa_unified)\n* \u003cb\u003e`results-artifact-name`\u003c/b\u003e  *(Default: `code-analyzer-results`)*\n  * Specifies the name of the zip archive job artifact where the results output file is uploaded.\n\n## v1 Outputs\n* `exit-code`\n  * The Salesforce Code Analyzer execution exit code.\n* `num-violations`\n  * The total number of violations found.\n* `num-sev1-violations`\n  * The number of normalized high-severity violations found.\n* `num-sev2-violations`\n  * The number of normalized medium-severity violations found.\n* `num-sev3-violations`\n  * The number of normalized low-severity violations found.\n\nThis `run-code-analyzer` action will not exit your GitHub workflow when violations are found. Instead, we recommend adding a subsequent step to your workflow that uses these outputs to determine how your workflow should proceed.\n\n## Example v1 Usage\n\n    name: Salesforce Code Analyzer Workflow\n    on: push\n    jobs:\n      salesforce-code-analyzer-workflow:\n        runs-on: ubuntu-latest\n        steps:\n          - name: Check out files\n            uses: actions/checkout@v5\n    \n          - name: Install Salesforce CLI\n            run: npm install -g @salesforce/cli@latest\n    \n          - name: Install Salesforce Code Analyzer v4.x CLI Plugin\n            run: sf plugins install @salesforce/sfdx-scanner@latest\n    \n          - name: Run Salesforce Code Analyzer\n            id: run-code-analyzer\n            uses: forcedotcom/run-code-analyzer@v1\n            with:\n              run-command: run\n              run-arguments: --normalize-severity --target . --outfile results.html\n              results-artifact-name: salesforce-code-analyzer-results\n    \n          - name: Check the outputs to determine whether to fail\n            if: |\n              steps.run-code-analyzer.outputs.exit-code \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-sev1-violations \u003e 0 ||\n              steps.run-code-analyzer.outputs.num-violations \u003e 10\n            run: exit 1\n\n# Contributing\nTo contribute to the `run-code-analyzer` GitHub Action, see [CONTRIBUTING.md](https://github.com/forcedotcom/run-code-analyzer/blob/main/CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforcedotcom%2Frun-code-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fforcedotcom%2Frun-code-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforcedotcom%2Frun-code-analyzer/lists"}