Static Code Analysis in CI-CD
Static code analysis (SCA) lets you catch bugs, security risks, and “code smells” before code is compiled or deployed. This guide shows how to configure and run SCA tools in ARM so every build, commit, and deployment meets your organization’s quality standards.
1. What is Static Code Analysis (SCA)?
Static code analysis is the process of scanning source code without executing it. Automated tools check the code against coding standards and best practices to surface:
Syntax and semantic errors
Unused variables and dead code
Potential performance issues
Security vulnerabilities
General “code smells” indicating poor design
Running SCA early and often improves code quality, maintainability, and reliability while reducing the cost of fixing issues later in the lifecycle.
2. SCA tools supported
ARM supports the following SCA tools:
Apex PMD
Checkmarx
CodeScan
Salesforce Scanner
SonarQube
3. Integrate SCA into your build process
Add an SCA tool to any build or continuous integration (CI) job:
Log in to ARM.
Navigate to Admin > Plugins.
In Static Code Analysis, select the tool you want to enable for builds or CI jobs.
3.1 Integrate Apex PMD
Apex PMD ships with a comprehensive default rule set, but you can supply your own:
Click the Edit icon next to Apex PMD.
Under Choose file, upload a custom ruleset XML. To start from the defaults, click the Download icon, edit the XML locally, then re-upload it.
Click Save.
3.2 Integrate Checkmarx
Click the Edit icon next to Checkmarx.
Enter:
CxServer – Checkmarx server URL (e.g., http://server-name). Prefer an https:// URL where the server supports it, because the credential you select below is presented to this endpoint.
Team Name – your project's team name.
Select Credential – choose or create credentials (see Create User's Credentials).
Click Test Connection.
Click Save.
Click Save again on My Account.
3.3 Integrate CodeScan
Prerequisites
CodeScan security token – generate under My Account > Security in CodeScan.
Organization key – shown in the upper-right corner of your CodeScan organization page.
Steps
Click the Edit icon next to CodeScan.
Enter the host URL:
https://app.codescan.io/ (US)
https://app-eu.codescan.io/ (EU)
https://app-aus.codescan.io/ (AUS)
Choose host type (cloud or on-premises).
Select or create credentials (use the token in the Password field). The token carries the permissions of the account that generated it, so generate it from a dedicated service account that can only run and read analyses, and keep it solely in the stored credential.
Enter the Organization key (cloud only).
Click Test Connection, then Save (twice).
Excluding a file in ARM + CodeScan
Go to Admin > My Account > Plugins > Static Code Analysis.
Click Edit for CodeScan.
Use Source File Exclusion to list files you want to skip.
Click Save, then rerun the analysis.
Exclusions remove a file from every rule, security rules included, so keep the list narrow and review it whenever it changes.
3.4 Integrate Salesforce Scanner
Salesforce Scanner combines several static analyzers under one ruleset.
Optional custom rules
Create files with the exact names:
pmdconfig.xml
.eslintrc.json
tsconfig.json
Steps
Select the Salesforce Scanner checkbox.
For extra configuration:
Click Edit.
Use Choose File to upload any of the config files above.
Click Save.
Click Save again on My Account.
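A custom ruleset is the main lever you have over what Apex PMD (section 3.1) and the PMD engine behind Salesforce Scanner's pmdconfig.xml (section 3.4) report, and at what priority. The file below is an added example written for this page, not a ruleset shipped by ARM or by PMD. The rule references are PMD's built-in Apex rules from its security, errorprone and bestpractices categories; the priorities assigned to them, and the three-tier policy in the description, are this example's own assumptions about an org's policy and should be adjusted to yours.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example ruleset for this page (not ARM's or PMD's default). Priority
     1 = block the build, 2 = fix before release, 3+ = track. These tiers
     are assumptions; align them with the thresholds you set in ARM's
     Validation Criteria. -->
<ruleset name="Org Apex security baseline"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
  <description>
    Security-first Apex ruleset: injection and access-control bypasses fail
    the build; web-facing and crypto issues must be fixed before release;
    hygiene findings are tracked.
  </description>

  <!-- Injection and data-access bypasses: never tolerated -->
  <rule ref="category/apex/security.xml/ApexSOQLInjection"><priority>1</priority></rule>
  <rule ref="category/apex/security.xml/ApexCRUDViolation"><priority>1</priority></rule>
  <rule ref="category/apex/security.xml/ApexSharingViolations"><priority>1</priority></rule>
  <rule ref="category/apex/security.xml/ApexDangerousMethods"><priority>1</priority></rule>

  <!-- Web-facing output and navigation -->
  <rule ref="category/apex/security.xml/ApexXSSFromURLParam"><priority>2</priority></rule>
  <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse"><priority>2</priority></rule>
  <rule ref="category/apex/security.xml/ApexOpenRedirect"><priority>2</priority></rule>

  <!-- Cryptography and outbound transport -->
  <rule ref="category/apex/security.xml/ApexBadCrypto"><priority>2</priority></rule>
  <rule ref="category/apex/security.xml/ApexInsecureEndpoint"><priority>2</priority></rule>
  <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred"><priority>3</priority></rule>

  <!-- Hygiene rules that commonly hide security defects -->
  <rule ref="category/apex/errorprone.xml/AvoidHardcodingId"><priority>3</priority></rule>
  <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue"><priority>3</priority></rule>
</ruleset>
```

Upload this through Choose file on the Apex PMD plugin (or as pmdconfig.xml for Salesforce Scanner), then mirror the tiers in the global criteria of section 4: a priority-1 threshold of zero makes every injection or access-control finding block the build, while the priority-3 rules stay visible in reports without stopping a merge.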
3.5 Integrate SonarQube
Prerequisites
SonarQube security token – create under User > My Account > Security.
Organization key – view under My Account > Organizations.
Steps
Click the Edit icon next to SonarQube.
Enter the host URL (e.g., https://sonarcloud.io).
Choose host type (cloud or on-premises). If cloud, enter the Organization key.
Select or create credentials (use the token in the Password field).
Click Test Connection, then Save.
Click Save again on My Account.
4. Setting global criteria for SCA
You can enforce pass/fail thresholds for SCA across CI jobs, deployments, and gated commits.
Go to Admin > My Account > Validation Criteria – Static Code Analysis.
Select Enable Validation Criteria – SCA.
For each tool, define priority/severity thresholds (e.g., Apex PMD priorities 1–5, where 1 is the most severe). Use + to add multiple thresholds.
5. Running SCA in a CI job
To include SCA in a CI job:
In the Build section, select Run Static Analysis Report.
Choose an SCA tool.
Complete any tool-specific fields.
Apex PMD and Salesforce Scanner
Run On All Supported Metadata Types – scans all metadata listed below.
Apex PMD: Apex Classes, Apex Triggers, Apex Pages, AuraDefinitionBundle, LightningComponentBundle
Salesforce Scanner: all of the above plus CustomObject, Flow, Profile, PermissionSet, Settings, SharingRules, Workflow, StaticResource
Run On Newly Added Supported Metadata Types – scans only new or changed metadata.
Mark Build As Unstable If Doesn't Meet Below Criteria – fail the build if thresholds aren’t met.
Checkmarx
Run On All Apex Classes, Triggers, Apex Pages & AuraDefinitionBundles – scans supported metadata.
Criteria rules for the stable build – set thresholds as above.
CodeScan and SonarQube
Run On All Supported Metadata Types – scans everything in the branch (merge) or commit (pre-validation).
Run On Newly Added Supported Metadata Types – scans only new/changed items.
Run On All Supported Metadata Types from the full source – scans the entire branch in CI jobs.
Mark Build As Unstable If Doesn't Meet Below Criteria – fail if thresholds aren’t met.
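The per-priority thresholds of section 4 and the "Mark Build As Unstable If Doesn't Meet Below Criteria" option above amount to one decision: count the violations a tool reported at each priority and compare each count with the maximum you allow. The script below is an added example that makes that gate explicit; it is not ARM's implementation and does not use ARM's report format. It parses a report in PMD's own XML report format (the namespace and element names are PMD's), using a constructed sample report rather than real scan output, and the policy dictionary is a hypothetical org threshold set.

```python
"""Gate a build on a PMD XML report with per-priority thresholds.

Added example for this page; not ARM code. The report format is PMD's
standard XML output; the sample report and the policy are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample report (not produced by ARM or by a real scan).
SAMPLE_PMD_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="7.0.0" timestamp="2024-01-01T00:00:00">
  <file name="force-app/main/default/classes/AccountService.cls">
    <violation beginline="12" endline="12" begincolumn="9" endcolumn="60"
               rule="ApexSOQLInjection" ruleset="Security" priority="1">
      Avoid untrusted/unescaped variables in DML/SOQL query
    </violation>
    <violation beginline="30" endline="30" begincolumn="5" endcolumn="40"
               rule="ApexCRUDViolation" ruleset="Security" priority="3">
      Validate CRUD permission before SOQL/DML operation
    </violation>
  </file>
  <file name="force-app/main/default/classes/Utils.cls">
    <violation beginline="4" endline="4" begincolumn="1" endcolumn="20"
               rule="UnusedLocalVariable" ruleset="Best Practices" priority="5">
      Variable 'tmp' defined but not used
    </violation>
  </file>
</pmd>
"""

PMD_NS = {"pmd": "http://pmd.sourceforge.net/report/2.0.0"}


def count_violations_by_priority(report_xml: str) -> Counter:
    """Return {priority: count} over every <violation> in a PMD XML report."""
    root = ET.fromstring(report_xml)
    counts: Counter = Counter()
    for violation in root.iterfind(".//pmd:violation", PMD_NS):
        counts[int(violation.get("priority"))] += 1
    return counts


def evaluate_thresholds(counts: Counter, thresholds: Dict[int, int]) -> Tuple[bool, List[str]]:
    """thresholds maps a PMD priority (1 = most severe) to the maximum number
    of violations allowed at that priority. Priorities absent from the map
    are not gated. Returns (passed, list of human-readable failures)."""
    failures: List[str] = []
    for priority in sorted(thresholds):
        allowed = thresholds[priority]
        actual = counts.get(priority, 0)
        if actual > allowed:
            failures.append(f"priority {priority}: {actual} found, at most {allowed} allowed")
    return (not failures, failures)


def build_is_stable(report_xml: str, thresholds: Dict[int, int]) -> bool:
    """True when the report meets every threshold; False marks the build unstable."""
    passed, _ = evaluate_thresholds(count_violations_by_priority(report_xml), thresholds)
    return passed


if __name__ == "__main__":
    # Hypothetical policy: no priority-1 findings, at most two at priority 2, five at priority 3.
    policy = {1: 0, 2: 2, 3: 5}
    counts = count_violations_by_priority(SAMPLE_PMD_REPORT)
    passed, failures = evaluate_thresholds(counts, policy)
    print("violations by priority:", dict(sorted(counts.items())))
    for line in failures:
        print("FAIL", line)
    raise SystemExit(0 if passed else 1)
```

Two details matter when you translate this into ARM's thresholds. Thresholds are per priority and independent: the sample fails only because of its single priority-1 SOQL-injection finding, and loosening priority 3 would not rescue it. And priorities you leave unset are not gated at all, so an incomplete set of rows in Validation Criteria silently lets those findings through; set an explicit (possibly generous) limit for every priority you want reported.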
6. Running an SCA during an EZ-Commit
ARM also enforces SCA during EZ-Commits.
Go to Admin > My Account > Commit Validation – Approval Settings.
Select Enable criteria-based review process.
Check Should pass validation criteria for Static Code Analysis and choose one or more tools.
Optional:
Auto reject commit process if the criteria are not met – reject automatically.
Auto-approve on commit validation – approve when thresholds pass.
Auto-commit on approval – commit immediately after approval.
With both Auto-approve and Auto-commit enabled, a change that meets the SCA thresholds lands with no human review, so set the thresholds with that in mind.
7. Running an SCA during deployment
On the Deployment Settings screen you can enable an SCA tool before deployment starts.
ARM stores SCA source content for 90 days and deletes it afterward; PMD reports older than 90 days therefore omit source files.
Supported metadata
Apex PMD, Checkmarx, SonarQube: Apex Classes, Apex Triggers, Apex Pages, AuraDefinitionBundle, LightningComponentBundle
CodeScan: everything above plus CustomObjects, Flow, PermissionSets, Profiles, Settings, SharingRules, Workflows
Select Stop deployment if build doesn't meet global criteria to block deployment until thresholds pass. Use SCA Mail Notifications to alert recipients.
8. Running an SCA during an EZ-Merge
Choose an SCA tool during a pre-validation merge.

Run Static Code Analysis – enabled by default if SCA criteria are set globally.
All supported metadata – scans the whole target branch during an EZ-Merge, or only commit files during an EZ-Commit.
Timeouts
ARM waits up to 5 hours for any SCA tool to finish.
A merge label stays valid for 7 days; related SCA reports expire at the same time.