@salesforce/afv-skills 1.16.0 → 1.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/skills/activating-datacloud/SKILL.md +2 -2
- package/skills/analyzing-omnistudio-dependencies/SKILL.md +1 -1
- package/skills/building-sf-integrations/SKILL.md +1 -1
- package/skills/building-ui-bundle-app/SKILL.md +1 -1
- package/skills/configuring-code-analyzer/SKILL.md +482 -0
- package/skills/configuring-code-analyzer/examples/apex-project-config.yml +41 -0
- package/skills/configuring-code-analyzer/examples/ci-github-actions.yml +96 -0
- package/skills/configuring-code-analyzer/examples/fullstack-project-config.yml +46 -0
- package/skills/configuring-code-analyzer/examples/lwc-project-config.yml +26 -0
- package/skills/configuring-code-analyzer/references/ci-cd-templates.md +648 -0
- package/skills/configuring-code-analyzer/references/config-schema.md +257 -0
- package/skills/configuring-code-analyzer/references/diagnostic-flow.md +70 -0
- package/skills/configuring-code-analyzer/references/engine-prerequisites.md +276 -0
- package/skills/configuring-code-analyzer/references/rule-name-resolution.md +67 -0
- package/skills/configuring-code-analyzer/references/troubleshooting.md +298 -0
- package/skills/configuring-code-analyzer/scripts/check-prerequisites.sh +189 -0
- package/skills/configuring-code-analyzer/scripts/generate-config.sh +143 -0
- package/skills/configuring-code-analyzer/scripts/validate-config.sh +153 -0
- package/skills/connecting-datacloud/SKILL.md +2 -2
- package/skills/creating-b2b-commerce-store/SKILL.md +0 -1
- package/skills/developing-agentforce/SKILL.md +0 -1
- package/skills/generating-apex/SKILL.md +1 -0
- package/skills/generating-mermaid-diagrams/assets/datamodel/b2b-commerce-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/campaigns-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/consent-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/files-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/forecasting-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/fsl-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/party-model-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/quote-order-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/revenue-cloud-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/sales-cloud-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/salesforce-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/scheduler-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/service-cloud-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/assets/datamodel/territory-management-erd.md +1 -1
- package/skills/generating-mermaid-diagrams/references/erd-conventions.md +1 -1
- package/skills/generating-mermaid-diagrams/references/preview-guide.md +2 -5
- package/skills/harmonizing-datacloud/SKILL.md +2 -2
- package/skills/implementing-ui-bundle-agentforce-conversation-client/SKILL.md +1 -2
- package/skills/investigating-agentforce-d360/SKILL.md +1 -1
- package/skills/managing-cdc-enablement/SKILL.md +164 -0
- package/skills/managing-cdc-enablement/assets/PlatformEventChannel-template.xml +5 -0
- package/skills/managing-cdc-enablement/assets/PlatformEventChannelMember-template.xml +11 -0
- package/skills/managing-cdc-enablement/references/deploy-troubleshooting.md +73 -0
- package/skills/managing-cdc-enablement/references/filter-expressions.md +93 -0
- package/skills/observing-agentforce/SKILL.md +0 -1
- package/skills/observing-agentforce/references/stdm-queries.md +3 -11
- package/skills/orchestrating-datacloud/README.md +5 -7
- package/skills/orchestrating-datacloud/SKILL.md +3 -3
- package/skills/orchestrating-datacloud/references/feature-readiness.md +2 -2
- package/skills/orchestrating-datacloud/references/plugin-setup.md +6 -8
- package/skills/orchestrating-datacloud/scripts/diagnose-org.mjs +1 -1
- package/skills/orchestrating-datacloud/scripts/verify-plugin.sh +2 -2
- package/skills/preparing-datacloud/SKILL.md +2 -2
- package/skills/retrieving-datacloud/SKILL.md +3 -3
- package/skills/reviewing-lwc-mobile-offline/SKILL.md +0 -1
- package/skills/running-code-analyzer/SKILL.md +264 -267
- package/skills/running-code-analyzer/references/post-scan-workflows.md +286 -0
- package/skills/running-code-analyzer/scripts/describe-rule.js +382 -0
- package/skills/running-code-analyzer/scripts/list-rules.js +260 -0
- package/skills/running-code-analyzer/scripts/query-results.js +230 -0
- package/skills/testing-agentforce/SKILL.md +0 -1
- package/skills/using-mobile-native-capabilities/SKILL.md +0 -1
- package/skills/using-salesforce-archive/SKILL.md +121 -0
- package/skills/using-salesforce-archive/examples/monitor-failed-jobs.md +47 -0
- package/skills/using-salesforce-archive/references/archive-activity-entity.md +59 -0
- package/skills/using-salesforce-archive/references/connect-api-operations.md +157 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: running-code-analyzer
|
|
3
|
-
description: "Run Salesforce Code Analyzer to scan code for security, performance, best practice, and code style violations. Supports all engines (PMD, ESLint, CPD, RetireJS, Flow, SFGE, ApexGuru), targets (files, folders, git diff), categories, and severities. TRIGGER when: user says 'scan my code', 'check for security issues', 'run PMD/ESLint', 'find duplicates', 'analyze Flows', 'check vulnerable libraries', 'AppExchange review', 'lint my LWC', 'static analysis', 'code quality', or mentions engines/file types (.cls, .trigger, .js, .flow-meta.xml). DO NOT TRIGGER when: user wants to fix code without scanning, or asks about installation/configuration."
|
|
3
|
+
description: "Run Salesforce Code Analyzer to scan code for security, performance, best practice, and code style violations. Supports all engines (PMD, ESLint, CPD, RetireJS, Flow, SFGE, ApexGuru), targets (files, folders, git diff), categories, and severities. Also handles post-scan exploration: filtering results by engine/severity/category/file, and explaining what specific rules mean. TRIGGER when: user says 'scan my code', 'check for security issues', 'run PMD/ESLint', 'find duplicates', 'analyze Flows', 'check vulnerable libraries', 'AppExchange review', 'lint my LWC', 'static analysis', 'code quality', 'show only security violations', 'what is this rule', 'explain ApexCRUDViolation', 'filter results', or mentions engines/file types (.cls, .trigger, .js, .flow-meta.xml). Use this skill for scanning, exploring results, understanding rules, and listing available rules. DO NOT TRIGGER when: user wants to fix code without scanning, or asks ONLY about installation/configuration."
|
|
4
4
|
allowed-tools: Read, Bash(sf code-analyzer), Bash(node), Bash(git diff), Bash(date), Write, Edit
|
|
5
5
|
metadata:
|
|
6
6
|
version: "1.0"
|
|
@@ -9,284 +9,233 @@ metadata:
|
|
|
9
9
|
|
|
10
10
|
# Running Code Analyzer Skill
|
|
11
11
|
|
|
12
|
-
## ⚠️ CRITICAL:
|
|
12
|
+
## ⚠️ CRITICAL: Mandatory Script Usage
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
Every interaction with Code Analyzer results MUST go through the bundled scripts in `<skill_dir>/scripts/`. No exceptions.
|
|
15
15
|
|
|
16
|
-
|
|
16
|
+
### ❌ WRONG — never do this:
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
-
|
|
21
|
-
- ❌ Any tool containing `mcp` in its name
|
|
18
|
+
```bash
|
|
19
|
+
# WRONG: inline Python to parse results
|
|
20
|
+
python3 -c "import json; data = json.load(open('results.json'))..."
|
|
22
21
|
|
|
23
|
-
|
|
22
|
+
# WRONG: inline Node.js to parse results
|
|
23
|
+
node -e "const data = require('./results.json')..."
|
|
24
24
|
|
|
25
|
-
|
|
25
|
+
# WRONG: jq to filter results
|
|
26
|
+
cat results.json | jq '.violations[] | select(.engine=="pmd")'
|
|
26
27
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
28
|
+
# WRONG: reading the results file directly (it can be 10MB+)
|
|
29
|
+
Read tool → code-analyzer-results-*.json
|
|
30
|
+
```
|
|
30
31
|
|
|
31
|
-
|
|
32
|
+
Also forbidden: `run_code_analyzer` and any `mcp__*` tool — Bash only.
|
|
32
33
|
|
|
33
|
-
|
|
34
|
+
### ✅ RIGHT — always do this:
|
|
34
35
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
-
|
|
38
|
-
- Applying engine-provided auto-fixes when available
|
|
39
|
-
- Handling diff-based scans (scan only changed files)
|
|
40
|
-
- Supporting all output formats (JSON, HTML, SARIF, CSV, XML)
|
|
41
|
-
- Troubleshooting scan failures and prerequisite issues
|
|
36
|
+
```bash
|
|
37
|
+
# Summarize scan results
|
|
38
|
+
node "<skill_dir>/scripts/parse-results.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
42
39
|
|
|
43
|
-
|
|
44
|
-
-
|
|
45
|
-
- Writing custom Code Analyzer rules or engines (separate skill needed)
|
|
46
|
-
- AI-generated code fixes beyond engine-provided deterministic fixes
|
|
47
|
-
- Deep code refactoring or architectural changes based on violations
|
|
48
|
-
- Setting up CI/CD integration for automated scanning (separate workflow skill)
|
|
40
|
+
# Filter/rank/query results (by engine, severity, file, rule, category)
|
|
41
|
+
node "<skill_dir>/scripts/query-results.js" "./code-analyzer-results-TIMESTAMP.json" --engine pmd --summary
|
|
49
42
|
|
|
50
|
-
|
|
43
|
+
# List/browse available rules (by engine, category, language, severity)
|
|
44
|
+
node "<skill_dir>/scripts/list-rules.js" "Security" --top 10
|
|
51
45
|
|
|
52
|
-
|
|
46
|
+
# Look up what a rule means
|
|
47
|
+
node "<skill_dir>/scripts/describe-rule.js" "ApexCRUDViolation" --engine pmd
|
|
53
48
|
|
|
54
|
-
|
|
49
|
+
# Discover fixable violations
|
|
50
|
+
node "<skill_dir>/scripts/discover-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
55
51
|
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
3. **ALWAYS use `--output-file`** to write results to a file — do NOT rely on terminal stdout
|
|
59
|
-
4. **ALWAYS include `--output-file`** with a timestamped filename (e.g., `./code-analyzer-results-20260512-143022.json`)
|
|
60
|
-
5. **Do NOT run in background** — use foreground with timeout of 1200000ms for large scans
|
|
61
|
-
6. **INVALID v3 flags:** `--format`, `--engine`, `--category`, `--json` — these cause errors, use `--rule-selector` and `--output-file` instead
|
|
62
|
-
7. **NEVER use MCP tools** — ONLY use the Bash tool to execute `sf code-analyzer run`
|
|
63
|
-
8. **Tool restriction:** This skill MUST use ONLY: Read, Bash, Write, Edit tools
|
|
64
|
-
9. **Forbidden tools:** Do NOT use any MCP tools (mcp__*), Agent tool, or web tools
|
|
65
|
-
10. **Script execution:** ALL scripts MUST be executed via `node <skill_dir>/scripts/*.js` using the Bash tool
|
|
52
|
+
# Apply fixes (after user confirms)
|
|
53
|
+
node "<skill_dir>/scripts/apply-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
66
54
|
|
|
67
|
-
|
|
55
|
+
# Summarize applied fixes
|
|
56
|
+
node "<skill_dir>/scripts/summarize-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
68
57
|
|
|
69
|
-
|
|
58
|
+
# Filter vendor files (jQuery, Bootstrap, *.min.js) before applying fixes
|
|
59
|
+
node "<skill_dir>/scripts/filter-violations.js" "./code-analyzer-results-TIMESTAMP.json" "./code-analyzer-results-TIMESTAMP-filtered.json" --report
|
|
60
|
+
```
|
|
70
61
|
|
|
71
|
-
|
|
62
|
+
`<skill_dir>` is the absolute path to the directory containing this SKILL.md. **Never** use `./scripts/` — that resolves against the user's CWD, not the skill dir.
|
|
72
63
|
|
|
73
|
-
|
|
64
|
+
Any aggregation, filter, or rank question ("which file has the most violations?", "how many PMD issues?", "top rules by count", "break down by severity") is answered by `query-results.js` — its output already includes `topRules`, `topFiles`, and `severityCounts`.
|
|
74
65
|
|
|
75
|
-
|
|
66
|
+
---
|
|
76
67
|
|
|
77
|
-
|
|
68
|
+
## Overview
|
|
78
69
|
|
|
79
|
-
|
|
70
|
+
This skill translates natural-language requests ("scan for security issues", "check my changes") into the correct `sf code-analyzer run` command, executes scans across any combination of engines/targets/severities, and presents actionable results. When engine-provided fixes are available, it discovers them, asks for user confirmation, applies them safely, and offers verification. Use it for static analysis, security reviews, AppExchange certification, code-quality checks, and finding duplicates/vulnerabilities in Salesforce projects.
|
|
80
71
|
|
|
81
|
-
|
|
72
|
+
**In scope:** running scans, parsing/filtering/ranking results, applying engine auto-fixes, diff-based scans, all output formats (JSON/HTML/SARIF/CSV/XML), describing/listing rules, scan-failure troubleshooting.
|
|
82
73
|
|
|
83
|
-
**
|
|
84
|
-
**Forbidden:** MCP tools, Agent tool, Web tools, other skills
|
|
74
|
+
**Out of scope:** installing/configuring `sf` or the plugin (→ `configuring-code-analyzer`), writing custom rules/engines, AI-generated fixes beyond engine-provided ones, deep refactoring, CI/CD setup (→ `configuring-code-analyzer`).
|
|
85
75
|
|
|
86
|
-
|
|
76
|
+
**Allowed tools:** Bash (`sf code-analyzer`, `node`, `git diff`, `date`), Read, Write, Edit. **Forbidden:** any MCP tool, Agent tool, web tools, other skills, Python, `jq`, inline scripts/heredocs. This skill owns the complete scan-fix-verify-query-explain workflow end-to-end.
|
|
87
77
|
|
|
88
78
|
---
|
|
89
79
|
|
|
90
|
-
##
|
|
80
|
+
## Command Syntax Rules (READ FIRST — ABSOLUTE)
|
|
91
81
|
|
|
92
|
-
|
|
82
|
+
1. The command is **`sf code-analyzer run`** — NOT `sf scanner run` (deprecated v3).
|
|
83
|
+
2. **No `--format` flag.** Use `--output-file <path>.<ext>`; the extension determines the format.
|
|
84
|
+
3. **Always** pass `--output-file` with a timestamped name (e.g., `./code-analyzer-results-20260512-143022.json`) — do not rely on stdout.
|
|
85
|
+
4. **Foreground only** (no `run_in_background`); timeout 1200000ms for large scans.
|
|
86
|
+
5. **Invalid v3 flags** that cause errors: `--format`, `--engine`, `--category`, `--json`. Use `--rule-selector` + `--output-file` instead.
|
|
87
|
+
6. **Tool restriction:** Bash, Read, Write, Edit only. No MCP tools, no Agent tool, no web tools, no other skills.
|
|
93
88
|
|
|
94
|
-
|
|
95
|
-
|-----------|--------|---------------|-------|
|
|
96
|
-
| "scan my code" / "run code analyzer" | Default scan | `Recommended` | Curated rule set, all file types |
|
|
97
|
-
| "check for security issues" / "security review" | Security scan | `all:Security:(1,2)` | All engines, Critical+High only |
|
|
98
|
-
| "scan my changes" / "check the diff" | Diff-based scan | Get changed files via `git diff`, filter to scannable types, use `--target` | See Step 1.5 for filtering logic |
|
|
99
|
-
| "run PMD" / "check my Apex" | PMD only | `pmd` | Apex classes and triggers |
|
|
100
|
-
| "lint my LWC" / "check my JavaScript" | ESLint only | `eslint` | JavaScript/TypeScript/LWC |
|
|
101
|
-
| "find duplicates" / "check for copy-paste" | CPD (Copy-Paste Detector) | `cpd` | Detects code clones |
|
|
102
|
-
| "check for vulnerabilities" / "scan libraries" | RetireJS | `retire-js` | JavaScript library CVEs |
|
|
103
|
-
| "deep analysis" / "data flow analysis" | SFGE (Graph Engine) | `sfge` | Requires Java 11+, 10-20min, use `--workspace "force-app"` |
|
|
104
|
-
| "performance analysis" / "governor limits" | ApexGuru | `apexguru` | Requires authenticated org |
|
|
105
|
-
| "analyze my Flows" | Flow engine | `flow` | Target: `**/*.flow-meta.xml`, requires Python 3 |
|
|
106
|
-
| "AppExchange security review" | AppExchange scan | `all:Security:(1,2)` | Read `<skill_dir>/references/special-behaviors.md` → AppExchange section |
|
|
89
|
+
Why: the v4+ CLI redesigned the flag interface; v3 flags now error.
|
|
107
90
|
|
|
108
|
-
|
|
91
|
+
Full flag/selector docs: `<skill_dir>/references/flag-reference.md`.
|
|
109
92
|
|
|
110
93
|
---
|
|
111
94
|
|
|
112
|
-
##
|
|
113
|
-
|
|
114
|
-
Analyze the user's request along these 7 dimensions. Any can be combined freely:
|
|
115
|
-
|
|
116
|
-
### 1.1 ENGINE — Which analysis engine(s)?
|
|
95
|
+
## Prerequisites
|
|
117
96
|
|
|
118
|
-
|
|
119
|
-
- PMD / Apex rules → `pmd`
|
|
120
|
-
- ESLint / JS/TS rules / lint → `eslint`
|
|
121
|
-
- Flows / Flow analysis → `flow`
|
|
122
|
-
- duplicates / copy-paste / CPD → `cpd`
|
|
123
|
-
- vulnerabilities / CVE / libraries / RetireJS → `retire-js`
|
|
124
|
-
- SFGE / data flow / deep analysis → `sfge`
|
|
125
|
-
- performance / ApexGuru → `apexguru`
|
|
126
|
-
- regex / pattern rules → `regex`
|
|
127
|
-
- all engines / everything → `all`
|
|
128
|
-
- Not specified / general "scan" → `Recommended` (default)
|
|
97
|
+
User needs: **Salesforce CLI** (`sf`), **@salesforce/plugin-code-analyzer** (v5.x+), **Java 11+** (PMD/CPD/SFGE), **Node.js 18+** (ESLint/RetireJS), **Python 3** (Flow), **authenticated org** (ApexGuru).
|
|
129
98
|
|
|
130
|
-
|
|
99
|
+
Pre-flight: run `sf code-analyzer --help 2>&1 | head -1`. If that fails, or if a scan reports an engine startup error (e.g., "PMD failed to start", "java: command not found", "SFGE failed"):
|
|
131
100
|
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
- best practices / quality → `BestPractices`
|
|
136
|
-
- code style / formatting → `CodeStyle`
|
|
137
|
-
- design / complexity → `Design`
|
|
138
|
-
- error prone / bugs → `ErrorProne`
|
|
139
|
-
- documentation / comments → `Documentation`
|
|
101
|
+
1. **Stop** — do not attempt to install/diagnose prerequisites yourself.
|
|
102
|
+
2. **Delegate to `configuring-code-analyzer`** — it handles all setup.
|
|
103
|
+
3. After it finishes, return here and re-run the scan.
|
|
140
104
|
|
|
141
|
-
|
|
105
|
+
If a scan fails for other reasons, see `<skill_dir>/references/error-handling.md`.
|
|
142
106
|
|
|
143
|
-
|
|
107
|
+
---
|
|
144
108
|
|
|
145
|
-
|
|
146
|
-
- "critical only" / "sev 1" → `1`
|
|
147
|
-
- "critical and high" / "sev 1-2" → `(1,2)`
|
|
148
|
-
- "moderate and above" / "sev 1-3" → `(1,2,3)`
|
|
109
|
+
## Quick Start: Common Patterns
|
|
149
110
|
|
|
150
|
-
|
|
111
|
+
Match the request below; if it matches, jump to Step 3 (Build Command). Otherwise, walk Step 1.
|
|
112
|
+
|
|
113
|
+
| User Says | Rule Selector | Notes |
|
|
114
|
+
|-----------|---------------|-------|
|
|
115
|
+
| "scan my code" / "run code analyzer" | `Recommended` | Curated set, all file types |
|
|
116
|
+
| "check for security issues" / "security review" | `all:Security:(1,2)` | All engines, Critical+High |
|
|
117
|
+
| "scan my changes" / "check the diff" | (see Step 1.5) | Get files via `git diff`, filter to scannable types, pass via `--target` |
|
|
118
|
+
| "run PMD" / "check my Apex" | `pmd` | Apex classes and triggers |
|
|
119
|
+
| "lint my LWC" / "check my JavaScript" | `eslint` | JavaScript/TypeScript/LWC |
|
|
120
|
+
| "find duplicates" / "check for copy-paste" | `cpd` | Code clones |
|
|
121
|
+
| "check for vulnerabilities" / "scan libraries" | `retire-js` | JavaScript library CVEs |
|
|
122
|
+
| "deep analysis" / "data flow analysis" | `sfge` | Java 11+, 10–20 min, use `--workspace "force-app"` |
|
|
123
|
+
| "performance analysis" / "governor limits" | `apexguru` | Authenticated org required |
|
|
124
|
+
| "analyze my Flows" | `flow` | `--target **/*.flow-meta.xml`, Python 3 |
|
|
125
|
+
| "AppExchange security review" | `all:Security:(1,2)` | See `<skill_dir>/references/special-behaviors.md` → AppExchange |
|
|
151
126
|
|
|
152
|
-
|
|
153
|
-
- Map to: `--rule-selector <engine>:<ruleName>`
|
|
154
|
-
- If engine is ambiguous, use just the rule name: `--rule-selector <ruleName>`
|
|
127
|
+
---
|
|
155
128
|
|
|
156
|
-
|
|
129
|
+
## Step 1: Parse the User's Intent
|
|
157
130
|
|
|
158
|
-
|
|
159
|
-
- **Do NOT guess** — a wrong name returns 0 results and wastes a scan cycle
|
|
160
|
-
- Instead, **look up the rule first** using the `sf code-analyzer rules` command with grep:
|
|
161
|
-
```bash
|
|
162
|
-
sf code-analyzer rules --rule-selector all 2>&1 | grep -i "USER_KEYWORD"
|
|
163
|
-
```
|
|
164
|
-
- Extract the full rule name from the output, then use it in your scan command
|
|
165
|
-
- If grep returns multiple matches, present them to the user and ask which one they meant
|
|
166
|
-
- If grep returns 0 matches, tell the user no rule matched their keyword
|
|
131
|
+
Analyze the request along these 7 dimensions; any can combine.
|
|
167
132
|
|
|
168
|
-
### 1.
|
|
133
|
+
### 1.1 ENGINE
|
|
134
|
+
PMD/Apex → `pmd` · ESLint/JS/TS/lint → `eslint` · Flows → `flow` · duplicates/CPD → `cpd` · vulnerabilities/CVE/RetireJS → `retire-js` · SFGE/data flow → `sfge` · performance/ApexGuru → `apexguru` · regex → `regex` · everything → `all` · unspecified → `Recommended`.
|
|
169
135
|
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
- Glob pattern / "all Apex classes" → `--target **/*.cls,**/*.trigger`
|
|
173
|
-
- "my changes" / "diff" → Run `git diff --name-only [base]...HEAD`, filter to scannable types, pass as `--target`
|
|
174
|
-
- "LWC" → `--target **/lwc/**`
|
|
175
|
-
- "Flows" → `--target **/*.flow-meta.xml`
|
|
176
|
-
- Not specified → Entire workspace (omit `--target`)
|
|
136
|
+
### 1.2 CATEGORY
|
|
137
|
+
security/OWASP → `Security` · performance → `Performance` · best practices → `BestPractices` · style/format → `CodeStyle` · design/complexity → `Design` · bugs → `ErrorProne` · docs → `Documentation`.
|
|
177
138
|
|
|
178
|
-
|
|
139
|
+
### 1.3 SEVERITY
|
|
140
|
+
1=Critical · 2=High · 3=Moderate · 4=Low · 5=Info. "critical only" → `1` · "critical+high" → `(1,2)` · "moderate and above" → `(1,2,3)`.
|
|
179
141
|
|
|
180
|
-
### 1.
|
|
142
|
+
### 1.4 SPECIFIC RULE
|
|
143
|
+
If the user names a rule (e.g., "ApexCRUDViolation", "no-unused-vars"): `--rule-selector <engine>:<ruleName>`, or just `<ruleName>` if engine is ambiguous.
|
|
181
144
|
|
|
182
|
-
**
|
|
145
|
+
⚠️ **Partial names:** `--rule-selector` requires the **exact full** rule name (e.g., `@salesforce-ux/slds/no-hardcoded-values-slds2`, not `no-hardcoded-values`). No wildcards. If you are not 100% certain, look it up first — **do not guess**:
|
|
146
|
+
```bash
|
|
147
|
+
sf code-analyzer rules --rule-selector all 2>&1 | grep -i "USER_KEYWORD"
|
|
148
|
+
```
|
|
149
|
+
Multiple matches → ask the user which. Zero matches → tell the user nothing matched.
|
|
183
150
|
|
|
184
|
-
|
|
151
|
+
### 1.5 TARGET
|
|
152
|
+
specific path → `--target <path>` · glob ("all Apex") → `--target **/*.cls,**/*.trigger` · "my changes"/"diff" → `git diff --name-only [base]...HEAD`, filter to scannable types, pass as `--target` · "LWC" → `--target **/lwc/**` · "Flows" → `--target **/*.flow-meta.xml` · unspecified → omit (entire workspace).
|
|
185
153
|
|
|
186
|
-
|
|
154
|
+
Diff-filtering details: `<skill_dir>/references/special-behaviors.md`.
|
|
187
155
|
|
|
188
|
-
### 1.
|
|
156
|
+
### 1.6 OUTPUT
|
|
157
|
+
**Default JSON.** Only change if the user explicitly asks. Name: `./code-analyzer-results-<YYYYMMDD-HHmmss>.<ext>` via `TIMESTAMP=$(date +%Y%m%d-%H%M%S)`. Formats: `.json` (default), `.html`, `.sarif`, `.csv`, `.xml`.
|
|
189
158
|
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
- "new since last commit" → `git diff --name-only HEAD~1`
|
|
193
|
-
- "compared to develop" → `git diff --name-only develop...HEAD`
|
|
159
|
+
### 1.7 COMPARISON / DELTA
|
|
160
|
+
"new since main" → `git diff --name-only main...HEAD` → scan those · "since last commit" → `HEAD~1` · "vs develop" → `develop...HEAD`.
|
|
194
161
|
|
|
195
162
|
---
|
|
196
163
|
|
|
197
164
|
## Step 2: Build the Rule Selector
|
|
198
165
|
|
|
199
|
-
|
|
166
|
+
Syntax: `:` = AND, `,` = OR, `()` = grouping.
|
|
200
167
|
|
|
201
|
-
**Examples:**
|
|
202
168
|
- Engine only: `pmd`
|
|
203
169
|
- Engine + category: `pmd:Security`
|
|
204
170
|
- Engine + severity: `pmd:2`
|
|
205
|
-
- Complex: `(pmd,eslint):Security:(1,2)` = (PMD or ESLint) AND Security AND
|
|
171
|
+
- Complex: `(pmd,eslint):Security:(1,2)` = (PMD or ESLint) AND Security AND sev (1 or 2)
|
|
206
172
|
- Specific rule: `pmd:ApexCRUDViolation`
|
|
207
|
-
- All
|
|
173
|
+
- All: `all`
|
|
208
174
|
|
|
209
|
-
|
|
175
|
+
More: `<skill_dir>/references/command-examples.md`.
|
|
210
176
|
|
|
211
177
|
---
|
|
212
178
|
|
|
213
179
|
## Step 3: Build the Full Command
|
|
214
180
|
|
|
215
|
-
Generate timestamp: `TIMESTAMP=$(date +%Y%m%d-%H%M%S)`
|
|
216
|
-
|
|
217
|
-
Build command:
|
|
218
181
|
```bash
|
|
182
|
+
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
|
|
219
183
|
sf code-analyzer run \
|
|
220
184
|
--rule-selector <selector> \
|
|
221
|
-
--target <targets> \
|
|
222
|
-
--output-file "./code-analyzer-results-${TIMESTAMP}.json" \
|
|
223
|
-
--include-fixes \
|
|
224
|
-
--workspace <path>
|
|
185
|
+
--target <targets> \ # optional
|
|
186
|
+
--output-file "./code-analyzer-results-${TIMESTAMP}.json" \ # default JSON
|
|
187
|
+
--include-fixes \ # always
|
|
188
|
+
--workspace <path> # optional
|
|
225
189
|
```
|
|
226
190
|
|
|
227
|
-
|
|
228
|
-
-
|
|
229
|
-
-
|
|
230
|
-
-
|
|
231
|
-
- For diff-based scans: get files via `git diff --name-only`, filter to scannable types, pass as `--target`
|
|
191
|
+
- Default to timestamped JSON; only change format on explicit request.
|
|
192
|
+
- Always pass `--include-fixes` (enables Step 6 auto-fix).
|
|
193
|
+
- Omit `--target` to scan the whole workspace.
|
|
194
|
+
- Diff scans: `git diff --name-only` → filter scannable types → pass as `--target`.
|
|
232
195
|
|
|
233
|
-
|
|
196
|
+
Special cases (SFGE/ApexGuru/AppExchange/diff): `<skill_dir>/references/special-behaviors.md`.
|
|
234
197
|
|
|
235
198
|
---
|
|
236
199
|
|
|
237
200
|
## Step 4: Execute the Scan
|
|
238
201
|
|
|
239
|
-
|
|
202
|
+
Use the **Bash tool only** — never the `run_code_analyzer` MCP tool.
|
|
240
203
|
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
**Steps:**
|
|
244
|
-
|
|
245
|
-
1. Generate timestamp: `date +%Y%m%d-%H%M%S` → capture output (e.g., `20260512-143022`) **using Bash tool**
|
|
246
|
-
2. Tell user:
|
|
204
|
+
1. Generate the timestamp via Bash: `date +%Y%m%d-%H%M%S` → e.g. `20260512-143022`.
|
|
205
|
+
2. Tell the user:
|
|
247
206
|
```
|
|
248
207
|
Starting scan...
|
|
249
208
|
Results: ./code-analyzer-results-20260512-143022.json
|
|
250
209
|
Log: ./code-analyzer-results-20260512-143022.log
|
|
251
210
|
May take several minutes for large codebases.
|
|
252
211
|
```
|
|
253
|
-
3. Run
|
|
254
|
-
|
|
255
|
-
⚠️ **IMPORTANT:** Use the Bash tool, NOT the run_code_analyzer MCP tool.
|
|
256
|
-
|
|
212
|
+
3. Run with the **literal** timestamp baked in (not `$TIMESTAMP`), foreground, timeout 1200000ms, `tee` to a `.log`:
|
|
257
213
|
```bash
|
|
258
|
-
sf code-analyzer run --rule-selector Recommended
|
|
214
|
+
sf code-analyzer run --rule-selector Recommended \
|
|
215
|
+
--output-file "./code-analyzer-results-20260512-143022.json" \
|
|
216
|
+
--include-fixes 2>&1 | tee "./code-analyzer-results-20260512-143022.log"
|
|
259
217
|
```
|
|
260
|
-
4.
|
|
261
|
-
5.
|
|
218
|
+
4. Exit 0 = success. On error, read both the log file and `<skill_dir>/references/error-handling.md`.
|
|
219
|
+
5. **Immediately** parse results (Step 5) — do not ask the user what to do next.
|
|
262
220
|
|
|
263
221
|
---
|
|
264
222
|
|
|
265
223
|
## Step 5: Parse and Present Results
|
|
266
224
|
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
1. **Execute the parse script using `<skill_dir>`** — see below
|
|
270
|
-
2. **NEVER use `jq` to parse results** — jq one-liners WILL fail due to shell quoting issues
|
|
271
|
-
3. **Run it IMMEDIATELY after the scan** — do NOT ask the user "what would you like next?"
|
|
272
|
-
|
|
273
|
-
### Script Execution
|
|
274
|
-
|
|
275
|
-
All scripts are bundled in the `scripts/` subdirectory of the same directory that contains this SKILL.md file. Use the absolute path to that directory — do NOT use `./scripts/` as that resolves relative to the current working directory, not the skill directory.
|
|
225
|
+
Run the parse script straight after the scan — do not pause to ask:
|
|
276
226
|
|
|
277
227
|
```bash
|
|
278
|
-
node <skill_dir>/scripts/parse-results.js "./code-analyzer-results-TIMESTAMP.json"
|
|
228
|
+
node "<skill_dir>/scripts/parse-results.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
279
229
|
```
|
|
280
230
|
|
|
281
231
|
⚠️ **DO NOT:**
|
|
282
232
|
- ❌ Invent or generate script code yourself
|
|
283
233
|
- ❌ Use bare relative paths like `node scripts/parse-results.js` (won't resolve from user's CWD)
|
|
284
234
|
- ❌ Use heredocs or inline script content
|
|
285
|
-
- ❌ Use `jq` as a substitute for the parse script
|
|
235
|
+
- ❌ Use `jq` as a substitute for the parse script (shell quoting will break)
|
|
236
|
+
- ❌ Read the JSON file directly
|
|
286
237
|
|
|
287
|
-
###
|
|
288
|
-
|
|
289
|
-
**ALWAYS present a concise summary, then point to the output file for full details.**
|
|
238
|
+
### Presentation template
|
|
290
239
|
|
|
291
240
|
```
|
|
292
241
|
## Scan Complete
|
|
@@ -305,44 +254,30 @@ node <skill_dir>/scripts/parse-results.js "./code-analyzer-results-TIMESTAMP.jso
|
|
|
305
254
|
| # | Rule | Engine | Sev | File | Line |
|
|
306
255
|
|---|------|--------|-----|------|------|
|
|
307
256
|
| 1 | ApexCRUDViolation | pmd | 2 | AccountService.cls | 42 |
|
|
308
|
-
|
|
|
309
|
-
| ... (show up to 10 most critical) |
|
|
257
|
+
| ... up to 10 most critical |
|
|
310
258
|
|
|
311
259
|
### Top Rules by Frequency
|
|
312
260
|
| Rule | Engine | Count |
|
|
313
261
|
|------|--------|-------|
|
|
314
262
|
| no-var | eslint | 170 |
|
|
315
|
-
| ApexDoc | pmd | 165 |
|
|
316
263
|
| ... |
|
|
317
264
|
|
|
318
265
|
Full results: `./code-analyzer-results-20260512-143022.json`
|
|
319
266
|
```
|
|
320
267
|
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
- **0 violations**: "Scan complete — no violations found! Output: `<path>`"
|
|
324
|
-
- **1-10**: Show all violations in table
|
|
325
|
-
- **11-50**: Show severity counts + top 10 violations
|
|
326
|
-
- **50-5000**: Show counts + top 10 violations + top 10 rules + top 5 files
|
|
327
|
-
- **5000+**: Same as 50-5000, plus suggest narrowing scope (severity/category/folder)
|
|
268
|
+
Scale to result size: **0** → "no violations found"; **1–10** → all in one table; **11–50** → severity counts + top 10; **50–5000** → counts + top 10 violations + top 10 rules + top 5 files; **5000+** → same, plus suggest narrowing scope (severity/category/folder). Always end with the output path and offer next actions: filter / explain rule / apply fixes.
|
|
328
269
|
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
**For large result sets:** See `<skill_dir>/references/special-behaviors.md`.
|
|
270
|
+
Large-result handling: `<skill_dir>/references/special-behaviors.md`.
|
|
332
271
|
|
|
333
272
|
---
|
|
334
273
|
|
|
335
274
|
## Step 6: Apply Engine-Provided Fixes (Post-Scan)
|
|
336
275
|
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
**Rules:** NEVER apply without confirmation. Use EXACT scripts from `<skill_dir>/scripts/`. Filter vendor files if needed, then: Discover → Apply → Summarize.
|
|
276
|
+
Engine-provided fixes are **deterministic** (not AI-generated). Flow: vendor filter (if needed) → discover → present → **wait for user confirmation** → apply → summarize.
|
|
340
277
|
|
|
341
|
-
|
|
278
|
+
### 6.1 Vendor file filter (when needed)
|
|
342
279
|
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
If user said "fix my code" or "project source", or if top files by violation count are vendor libraries (jQuery, Bootstrap, *.min.js), run:
|
|
280
|
+
Run if the user said "fix my code" / "project source", or if top-violation files are vendor libs (jQuery, Bootstrap, `*.min.js`):
|
|
346
281
|
|
|
347
282
|
```bash
|
|
348
283
|
node "<skill_dir>/scripts/filter-violations.js" \
|
|
@@ -351,31 +286,23 @@ node "<skill_dir>/scripts/filter-violations.js" \
|
|
|
351
286
|
--report
|
|
352
287
|
```
|
|
353
288
|
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
Use filtered file for Step 6.3+. **See:** `<skill_dir>/references/vendor-file-handling.md` for detailed logic.
|
|
289
|
+
Report: "Excluded X vendor files (Y violations) — jQuery, Bootstrap, etc. Applying fixes to Z project files only." Use the filtered file in 6.2+. Detection logic: `<skill_dir>/references/vendor-file-handling.md`.
|
|
357
290
|
|
|
358
|
-
### 6.2
|
|
291
|
+
### 6.2 Discover
|
|
359
292
|
|
|
360
293
|
```bash
|
|
361
294
|
node "<skill_dir>/scripts/discover-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
362
295
|
```
|
|
363
296
|
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
### 6.3 — Present fixable violations and ASK for confirmation
|
|
367
|
-
|
|
368
|
-
After running the discovery script, present results:
|
|
297
|
+
### 6.3 Present + ASK (then STOP)
|
|
369
298
|
|
|
370
299
|
```
|
|
371
300
|
### Engine-Provided Fixes Available
|
|
372
|
-
|
|
373
301
|
**X of Y violations** have auto-fixes provided by the analysis engine:
|
|
374
302
|
|
|
375
303
|
| Rule | Engine | Sev | Fixable Count |
|
|
376
304
|
|------|--------|-----|---------------|
|
|
377
305
|
| no-var | eslint | 3 | 170 |
|
|
378
|
-
| no-hardcoded-values-slds2 | eslint | 4 | 76 |
|
|
379
306
|
| ... |
|
|
380
307
|
|
|
381
308
|
These are safe, deterministic fixes generated by the engines (not AI-generated).
|
|
@@ -383,39 +310,30 @@ These are safe, deterministic fixes generated by the engines (not AI-generated).
|
|
|
383
310
|
Would you like me to apply these fixes? (yes / no / select specific rules)
|
|
384
311
|
```
|
|
385
312
|
|
|
386
|
-
|
|
313
|
+
⚠️ **Stop and wait for the user's reply, even if they originally said "scan and fix everything".** Apply only on a fresh "yes" / "apply" / "go ahead" in the next turn.
|
|
387
314
|
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
### 6.4 — Apply fixes ONLY after user confirms
|
|
391
|
-
|
|
392
|
-
**Only proceed after user says "yes", "apply", "go ahead" IN A SEPARATE RESPONSE.**
|
|
315
|
+
### 6.4 Apply
|
|
393
316
|
|
|
394
317
|
```bash
|
|
395
318
|
node "<skill_dir>/scripts/apply-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
396
319
|
```
|
|
320
|
+
(Filtered file if 6.1 created one.)
|
|
397
321
|
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
### 6.5 — After applying, ALWAYS run the summary script
|
|
401
|
-
|
|
402
|
-
⚠️ **MANDATORY**: After the apply script completes, you MUST run the summary script as your VERY NEXT action.
|
|
322
|
+
### 6.5 Summarize (MANDATORY immediately after 6.4)
|
|
403
323
|
|
|
404
324
|
```bash
|
|
405
325
|
node "<skill_dir>/scripts/summarize-fixes.js" "./code-analyzer-results-TIMESTAMP.json"
|
|
406
326
|
```
|
|
407
327
|
|
|
408
|
-
Then present
|
|
328
|
+
Then present:
|
|
409
329
|
|
|
410
330
|
```
|
|
411
331
|
### Engine-Provided Fixes Applied Successfully ✓
|
|
412
|
-
|
|
413
332
|
**Applied X auto-fixes across Y files.**
|
|
414
333
|
|
|
415
334
|
| Severity | Fixes Applied |
|
|
416
335
|
|----------|---------------|
|
|
417
336
|
| Critical (1) | X |
|
|
418
|
-
| High (2) | X |
|
|
419
337
|
| ... |
|
|
420
338
|
|
|
421
339
|
| Rule | Fixes Applied |
|
|
@@ -426,56 +344,130 @@ Then present to the user:
|
|
|
426
344
|
Want me to re-run the scan to verify the fixes resolved the violations?
|
|
427
345
|
```
|
|
428
346
|
|
|
429
|
-
### 6.6 —
|
|
347
|
+
### 6.6 — Handling the user's choice
|
|
348
|
+
- **Decline / "no":** skip apply, skip summarize. Do not re-scan.
|
|
349
|
+
- **"Select rules":** filter the discovery list to those rules and pass the filtered file to `apply-fixes.js`.
|
|
350
|
+
- **"All" / "yes":** run `apply-fixes.js` against the full (or vendor-filtered) results file as-is.
|
|
351
|
+
|
|
352
|
+
### 6.7 — Optional re-scan for verification
|
|
353
|
+
If the user accepts the offer in 6.5, re-run the same scan with a **new timestamp** (do not overwrite the original). Compare violation counts before vs. after and show the delta — fixes that resolved cleanly will drop out; remaining violations either need manual remediation or are unrelated.
|
|
430
354
|
|
|
431
|
-
### 6.7 — Re-scan (optional): Re-run with new timestamp, compare before/after counts.
|
|
432
355
|
---
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
443
|
-
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
356
|
+
|
|
357
|
+
## Step 7: Query and Filter Existing Results
|
|
358
|
+
|
|
359
|
+
After Step 5, the user may want to **drill into specific subsets** without re-running the entire scan. This step handles all result-exploration requests.
|
|
360
|
+
|
|
361
|
+
### When to trigger
|
|
362
|
+
Activate when the user asks to slice, filter, rank, or explore existing results:
|
|
363
|
+
- "Show me just the security violations"
|
|
364
|
+
- "What's in AccountService.cls?"
|
|
365
|
+
- "Show only PMD issues" / "Filter to critical and high"
|
|
366
|
+
- "What ESLint rules fired?" / "Show violations in the lwc folder"
|
|
367
|
+
- "Top 20 most severe" / "Which file has the most violations?"
|
|
368
|
+
- "What are the most common rules?" / "How many violations per engine?" / "Break it down by severity"
|
|
369
|
+
|
|
370
|
+
**Important:** Any question about existing scan results — filtering, ranking, counting, aggregating — MUST use `query-results.js`. NEVER write inline Python, `jq`, or ad-hoc scripts to parse the results JSON. The query script already provides `topRules`, `topFiles`, and `severityCounts` in its output.
|
|
371
|
+
|
|
372
|
+
### How to execute
|
|
373
|
+
Run the query script against the **same results file** from Step 4 (no re-scan needed):
|
|
374
|
+
|
|
375
|
+
```bash
|
|
376
|
+
node "<skill_dir>/scripts/query-results.js" "./code-analyzer-results-TIMESTAMP.json" [options]
|
|
377
|
+
```
|
|
378
|
+
|
|
379
|
+
| User says | Options |
|
|
380
|
+
|-----------|---------|
|
|
381
|
+
| "security violations" | `--category Security` |
|
|
382
|
+
| "PMD issues only" | `--engine pmd` |
|
|
383
|
+
| "critical and high" / "sev 1-2" | `--severity 1,2` |
|
|
384
|
+
| "in AccountService.cls" | `--file AccountService.cls` |
|
|
385
|
+
| "the ApexCRUDViolation rule" | `--rule ApexCRUDViolation` |
|
|
386
|
+
| "top 20" | `--top 20` |
|
|
387
|
+
| "sort by file" | `--sort file` |
|
|
388
|
+
| "just give me counts" | `--summary` |
|
|
389
|
+
| "which file has the most violations?" | `--sort file --summary` (read `topFiles`) |
|
|
390
|
+
| "which file has most PMD violations?" | `--engine pmd --summary` (read `topFiles`) |
|
|
391
|
+
| "most common rules?" | `--summary` (read `topRules`) |
|
|
392
|
+
| "how many per engine?" | use Step 5's summary, or run with `--engine X --summary` per engine |
|
|
393
|
+
| Combinations | `--engine pmd --severity 1,2 --top 5` |
|
|
394
|
+
|
|
395
|
+
Output format and presentation templates: `<skill_dir>/references/post-scan-workflows.md`.
|
|
449
396
|
|
|
450
397
|
---
|
|
451
398
|
|
|
452
|
-
##
|
|
399
|
+
## Step 8: Describe a Rule
|
|
400
|
+
|
|
401
|
+
When the user asks "what does this rule mean?" or "how do I fix this?", use this step to look up and explain a specific rule.
|
|
453
402
|
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
|
|
463
|
-
|
|
464
|
-
|
|
403
|
+
### When to trigger
|
|
404
|
+
- "What is ApexCRUDViolation?"
|
|
405
|
+
- "Explain this rule" / "Why is this flagged?"
|
|
406
|
+
- "What does no-var mean?"
|
|
407
|
+
- "How do I fix OperationWithLimitsInLoop?"
|
|
408
|
+
- "Tell me about this violation"
|
|
409
|
+
|
|
410
|
+
### How to execute
|
|
411
|
+
|
|
412
|
+
```bash
|
|
413
|
+
node "<skill_dir>/scripts/describe-rule.js" "<rule-name>" [--engine <engine>]
|
|
414
|
+
```
|
|
415
|
+
|
|
416
|
+
Pass `--engine` when known (from scan context); omit for a broader search. Returns one of `success` / `multiple_matches` / `not_found`. Status handling and templates: `<skill_dir>/references/post-scan-workflows.md`.
|
|
465
417
|
|
|
466
418
|
---
|
|
467
419
|
|
|
468
|
-
##
|
|
420
|
+
## Step 9: List Available Rules
|
|
421
|
+
|
|
422
|
+
Triggers: "what security rules are available?", "list all PMD rules", "rules for JavaScript", "Recommended rules", "how many ESLint rules?", "rules for Apex".
|
|
469
423
|
|
|
470
|
-
|
|
424
|
+
```bash
|
|
425
|
+
node "<skill_dir>/scripts/list-rules.js" "<selector>" [options]
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
| User says | Selector | Options |
|
|
429
|
+
|-----------|----------|---------|
|
|
430
|
+
| "security rules" | `Security` | |
|
|
431
|
+
| "PMD rules" | `pmd` | |
|
|
432
|
+
| "ESLint security rules" | `eslint:Security` | |
|
|
433
|
+
| "JavaScript rules" | `JavaScript` | |
|
|
434
|
+
| "Apex rules" | `Apex` | |
|
|
435
|
+
| "Recommended rules" | `Recommended` | |
|
|
436
|
+
| "high severity rules" | `(1,2)` | |
|
|
437
|
+
| "just give me counts" | `Recommended` | `--count-only` |
|
|
438
|
+
| "top 10 security rules" | `Security` | `--top 10` |
|
|
439
|
+
|
|
440
|
+
Filters: `--engine`, `--severity`, `--top` (default 100), `--count-only`. The script pre-validates selector tokens (catches typos like `secruity`) before calling the CLI. Presentation: `<skill_dir>/references/post-scan-workflows.md`.
|
|
441
|
+
|
|
442
|
+
---
|
|
443
|
+
|
|
444
|
+
## Constraints & Gotchas
|
|
445
|
+
|
|
446
|
+
| Item | Why / Fix |
|
|
447
|
+
|------|-----------|
|
|
448
|
+
| Use timestamped JSON + `.log` via `tee` | Prevents overwrite; matches log to results |
|
|
449
|
+
| `--format` flag | Removed in v4+; use `--output-file <path>.<ext>` |
|
|
450
|
+
| Foreground, 1200000ms timeout | SFGE can take 10–20 min; backgrounding loses output |
|
|
451
|
+
| Run scripts with absolute `<skill_dir>` path | `./scripts/` resolves against the user's CWD, not the skill dir |
|
|
452
|
+
| Never apply fixes without confirmation | User must approve code modifications |
|
|
453
|
+
| Vendor file check before fixes | If 50%+ vendor (jQuery/Bootstrap/`*.min.js`), filter first |
|
|
454
|
+
| Fix-script order: filter (if needed) → discover → apply → summarize | Skipping summary leaves the user without an outcome report |
|
|
455
|
+
| SFGE needs explicit `--workspace` | Otherwise template files cause compilation errors |
|
|
456
|
+
| Look up partial rule names first | Guessing returns 0 results; use `sf code-analyzer rules` |
|
|
457
|
+
| `ONLY` Bash tool, never MCP | `run_code_analyzer` and other MCP tools bypass the script workflow |
|
|
458
|
+
| Never invoke other skills for fixes | This skill owns the full workflow end-to-end |
|
|
459
|
+
| Query existing results, don't re-scan | Step 7 filters existing JSON instantly |
|
|
460
|
+
| Scan returns 0 results | Invalid rule selector — verify with `sf code-analyzer rules --rule-selector <selector>` |
|
|
461
|
+
| `jq` parsing fails | Shell quoting — use `parse-results.js` / `query-results.js` instead |
|
|
462
|
+
| Inline scripts written by LLM | Never write scripts — use existing ones in `<skill_dir>/scripts/` |
|
|
463
|
+
| Ranking/aggregation answered by ad-hoc Python | Always use `query-results.js`; output already has `topFiles`/`topRules`/`severityCounts` |
|
|
471
464
|
|
|
472
465
|
---
|
|
473
466
|
|
|
474
467
|
## Reference File Index
|
|
475
468
|
|
|
476
|
-
|
|
469
|
+
**Scripts** (always execute via `node` with the absolute `<skill_dir>/` prefix, never Read):
|
|
477
470
|
|
|
478
|
-
### Scripts (Always execute, never read)
|
|
479
471
|
| File | When to use |
|
|
480
472
|
|------|-------------|
|
|
481
473
|
| `<skill_dir>/scripts/parse-results.js` | Step 5 — extract summary from scan JSON |
|
|
@@ -483,16 +475,21 @@ Every scan produces: timestamped JSON file, concise summary (severity/top violat
|
|
|
483
475
|
| `<skill_dir>/scripts/discover-fixes.js` | Step 6.2 — identify fixable violations |
|
|
484
476
|
| `<skill_dir>/scripts/apply-fixes.js` | Step 6.4 — apply engine fixes after user confirms |
|
|
485
477
|
| `<skill_dir>/scripts/summarize-fixes.js` | Step 6.5 — summarize applied changes |
|
|
478
|
+
| `<skill_dir>/scripts/query-results.js` | Step 7 — filter/drill into existing results without re-scanning |
|
|
479
|
+
| `<skill_dir>/scripts/describe-rule.js` | Step 8 — look up rule description and documentation |
|
|
480
|
+
| `<skill_dir>/scripts/list-rules.js` | Step 9 — list/browse available rules by selector with validation |
|
|
481
|
+
|
|
482
|
+
**References** (read on demand):
|
|
486
483
|
|
|
487
|
-
### References (Read when needed)
|
|
488
484
|
| File | When to read |
|
|
489
|
-
|
|
490
|
-
|
|
|
491
|
-
|
|
|
492
|
-
|
|
|
493
|
-
|
|
|
494
|
-
|
|
|
495
|
-
|
|
|
496
|
-
|
|
|
497
|
-
|
|
498
|
-
|
|
485
|
+
|------|--------------|
|
|
486
|
+
| `references/quick-start.md` | Command-syntax templates |
|
|
487
|
+
| `references/flag-reference.md` | Full flag docs, rule-selector syntax |
|
|
488
|
+
| `references/error-handling.md` | Scan-failure diagnosis |
|
|
489
|
+
| `references/engine-reference.md` | Engine capabilities, file types, rule tags |
|
|
490
|
+
| `references/command-examples.md` | Less-common command scenarios |
|
|
491
|
+
| `references/special-behaviors.md` | SFGE/ApexGuru/AppExchange/diff/large scans |
|
|
492
|
+
| `references/vendor-file-handling.md` | Vendor-file detection and filtering |
|
|
493
|
+
| `references/post-scan-workflows.md` | Steps 7–9 — querying, rule description, rule listing |
|
|
494
|
+
|
|
495
|
+
`examples/` contains output-structure validation and command patterns (basic/large/security scans, fix workflows).
|