How Checkmarx works

Here are your answers:

1. Salesforce has a license to run Checkmarx scanners on premise in order to scan third party code. The code never leaves Salesforce — it is pulled from the organization in which your code resides to the Checkmarx instances running on our servers. We manage these instances, but it is a Checkmarx scanner engine underneath. Results are only sent to the email address on file for the username, and only a user with author apex permission in an org can scan the code for the org. Because of this, sometimes a scan can be held back if

   • your org disables api access (we use the metadata api to pull code from your org)

   • your instance is down for service/upgrade (we will automatically retry in this case after a backoff)

   • your user account is new and has not been replicated to all instances

2. As per our license with Checkmarx, you can scan 3 times per security review. There is not a time limit for this: If you submit 10 reviews per month (say you are a PDO), then you can scan up to 30 times. If you are not scanning for a security review, you can scan 30,000 lines of code per month.

3. We currently impose additional throttling requirements: no business (checked by result email domain) can have more than one job in the queue at a time. You cannot scan more than 500,000 lines of code per job. These requirements are not contractual in basis but are to maximize scanner throughput and reduce wait times for most customers. As a result, these requirements are subject to change as we add more capacity or as scanner demand changes.

If you have issues, please file a support case. Please do not send scanner questions to securecloud@salesforce.com or to any mailinglist.