Can someone please advise how Checkmarx / Force.com Security Source Scanner will be performing code review?
- Is code review happening within Salesforce servers, or does the code get ported to a Checkmarx server?
- How frequently can we submit our code for review (more than 3 times in a month)?
- Any other considerations before submitting the code for review?
Here are your answers:
Salesforce has a license to run Checkmarx scanners on premise in order to scan third party code. The code never leaves Salesforce — it is pulled from the organization in which your code resides to the Checkmarx instances running on our servers. We manage these instances, but it is a Checkmarx scanner engine underneath. Results are only sent to the email address on file for the username, and only a user with Author Apex permission in an org can scan the code for the org. Because of this, sometimes a scan can be held back if:
- your org disables API access (we use the Metadata API to pull code from your org)
- your instance is down for service/upgrade (we will automatically retry in this case after a backoff)
- your user account is new and has not been replicated to all instances
As per our license with Checkmarx, you can scan 3 times per security review. There is no time limit for this: if you submit 10 reviews per month (say you are a PDO), then you can scan up to 30 times. If you are not scanning for a security review, you can scan 30,000 lines of code per month.
We currently impose additional throttling requirements: no business (checked by result email domain) can have more than one job in the queue at a time. You cannot scan more than 500,000 lines of code per job. These requirements are not contractual in basis but are to maximize scanner throughput and reduce wait times for most customers. As a result, these requirements are subject to change as we add more capacity or as scanner demand changes.
If you have issues, please file a support case. Please do not send scanner questions to email@example.com or to any mailing list.