CodeScan Integration with ARM

ARM is an Automated Release Management solution built for the Salesforce platform that delivers CI/CD for DevOps teams.

Pairing ARM with CodeScan's automated code review and standardization lets developers on the Salesforce platform deliver new customer experiences with better quality, greater velocity and increased security.

To use the functionality of your CodeScan account from ARM, you enable CodeScan as a plugin in your ARM account. This involves a few steps on the CodeScan side and a few on the ARM side.

To integrate CodeScan with ARM, follow the procedure described below.

Create a CodeScan Token

  1. Create a new security token in CodeScan; see the CodeScan documentation on how to create a security token.

  2. Copy the token. You will use it as the password when storing your CodeScan credential in ARM. Treat the token as a secret: anyone holding it can act as your CodeScan user.

Store your CodeScan credential in ARM

  1. Log in to your ARM account.

  2. In the credential pop-up screen that follows, enter a Credential name.

  3. Choose User name with Password as the Credential Type.

  4. Choose your Credential Scope:

    • Global: the credential can be accessed by your team

    • Private: the credential is for your own use

  5. Username: enter your CodeScan username.

  6. Password: paste the CodeScan token you copied in the previous step.

  7. Double-check that you entered your CodeScan username, not the email address you use to log in to CodeScan.

Integrate ARM with CodeScan

  1. Go to Admin > My Account section.

  2. Go to the Plugins section.

  3. Fill in the plugin details:

  4. Select your CodeScan credential from the drop-down.

  5. Click Test Connection to verify that ARM can authenticate to CodeScan with the stored credential. A success message is displayed once authentication completes.

Configuring CodeScan's Global Criteria in ARM

  1. Go to Admin > My Account section.

  2. Navigate to the Validation Criteria - Static Code Analysis section.

  3. Select the Enable checkbox.

  4. Click Save.

  5. Next, go to the Commit Validation - Approval Settings section. Here you can let CodeScan flag potential quality and security issues before the code moves to production, and abort the commit when the Quality Gate status reported by CodeScan does not meet the criteria you set.

  6. Select the Enable criteria-based Review Process checkbox.

  7. Enable the Should pass validation criteria for Static Code Analysis checkbox, then select:

    • CodeScan

  8. Click Save.

  9. You can apply the same CodeScan criteria to the Merge process that you configured globally for the Commit operation:

  10. Go to the next section, Merge Settings.

  11. Select the Enable criteria-based Review Process checkbox.

  12. Click Save.
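The following script is an added example, not ARM's or CodeScan's own code. It shows the gate decision the Commit Validation and Merge Settings above ask ARM to make: read a project's Quality Gate status from CodeScan, fail closed unless the gate is OK, and return a non-zero exit code that a pipeline step can use to abort the commit or merge. It assumes CodeScan exposes a SonarQube-compatible api/qualitygates/project_status endpoint and that the username plus token credential stored in ARM is sent as HTTP Basic auth; both are assumptions, and the sample response embedded below is constructed for the demo, not captured from a real project.

```python
"""Gate a commit/merge on a CodeScan Quality Gate status (added example).

Assumptions (not confirmed by the ARM docs): CodeScan serves a
SonarQube-style api/qualitygates/project_status endpoint, and the
username + token credential is accepted as HTTP Basic auth.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape of a SonarQube-style project_status
# response (assumption: CodeScan returns this shape). Not real data.
SAMPLE_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.0"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_blocker_violations",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
}


def gate_passed(status):
    """Fail closed: only an explicit OK passes. ERROR, WARN, NONE or a
    missing field all block the commit/merge."""
    return status.get("projectStatus", {}).get("status") == "OK"


def failing_conditions(status):
    """Conditions whose measured value breached the gate threshold."""
    conds = status.get("projectStatus", {}).get("conditions", [])
    return [c for c in conds if c.get("status") == "ERROR"]


def gate_report(status):
    """Human-readable lines for a validation report."""
    lines = []
    for c in failing_conditions(status):
        lines.append("%s: actual %s, threshold %s %s" % (
            c["metricKey"], c["actualValue"], c["comparator"], c["errorThreshold"]))
    return lines


def basic_auth_header(username, token):
    """HTTP Basic header with the token in the password slot, matching the
    'User name with Password' credential ARM stores. Use the CodeScan
    username here, not the login email address."""
    raw = ("%s:%s" % (username, token)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_project_status(base_url, project_key, username, token, timeout=15):
    """Live lookup over the network (not exercised by the offline demo).
    base_url is the CodeScan server; the endpoint path is an assumption."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = "%s/api/qualitygates/project_status?%s" % (base_url.rstrip("/"), query)
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, token)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def decide(status):
    """Return (exit_code, report_lines): 0 lets the commit proceed, 1 aborts it."""
    if gate_passed(status):
        return 0, ["Quality Gate OK: commit may proceed"]
    return 1, ["Quality Gate failed: aborting commit"] + gate_report(status)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_project_status(...)
    # to gate on a live project.
    code, report = decide(SAMPLE_STATUS)
    print("\n".join(report))
    raise SystemExit(code)
```

The decision deliberately treats anything other than an explicit OK as a failure, so a transient error, an unanalysed project or an unexpected status value blocks the commit rather than silently letting it through; that is the behaviour you want from a gate that sits in front of production.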

Running CodeScan SCA in ARM

After integrating the CodeScan plugin with ARM, select CodeScan as the static code analysis tool to detect bugs, code smells and security vulnerabilities before code moves to production through ARM.

During Deployment Process:

  1. AutoRABIT lets you freeze or stop a deployment if the build does not meet the global criteria set under My Account > Validation Criteria - Static Code Analysis.

During EZ-Merge Process:

While merging Salesforce records between two version control branches, you can have CodeScan check for bugs, code smells and security vulnerabilities.

  1. In the New EZ-Merge screen, go to the Prevalidate Merge section.

  2. Select CodeScan/Lint as the SCA tool.

  3. Proceed with the merge process.

  4. Find the detailed SCA Report on the Commits screen.

During Commit Process:

While performing a validation deployment before actually committing the changes, you can have CodeScan check for bugs, code smells and security vulnerabilities.

  1. In the Submit for Validation screen, go to the Validation Reports section.

  2. Proceed with the Prevalidate Commit process.

  3. Find the detailed SCA Report on the Commits screen.

During CI Job:

While running a CI Job, you can configure CodeScan to check for bugs, code smells and security vulnerabilities.

  1. In the Create CI Job screen, find the Run Code Analysis Report checkbox under the Build section.

    • Enable the checkbox: Run Code Analysis Report.

  2. Here you can set the scope of the CodeScan SCA run: all Apex Classes, Triggers, Apex Pages and AuraDefinitionBundle components, the full source, or only the components changed within a time period you specify.

CodeScan SCA Results:

During the implementation phase of a Security Development Lifecycle (SDL), Static Code Analysis is usually performed as part of a Code Review.

  • CodeScan, as a static analysis tool, continuously detects and reports data flow problems, software defects, language implementation errors, inconsistencies, dangerous usage, coding standard violations and security vulnerabilities.

  • ARM generates a detailed SCA result report, and Lint runs by default every time you run a static code analysis. Lint analyzes source code to flag programming errors, bugs, stylistic errors and suspicious constructs.

  • The Lint Report only displays information about AuraBundle components.

These reports list the files that were reviewed and their related violations.

  • Click a file to view its violations, which appear at the bottom right of the page.
