Loading views...
SalesforceSecurityCLIDevOpssf plugin

Catch Salesforce Security Gaps in One Command

Salesforce orgs accumulate risk quietly. A connected app that stopped being used two years ago. A profile that still has ModifyAllData because someone was in a rush during a go-live. Guest user access that made sense at the time.

None of it shows up anywhere unless you go looking. Setup is a point-in-time view, not a monitor. We built sf audit security to make the looking fast.

Getting Started

The audit hooks directly into the Salesforce CLI you already use. No separate auth flow or complex config files required.

1. Install the plugin

sf plugins install @cclabsnz/sf-audit

2. Run the audit

sf audit security --target-org myOrg

The command runs 22 automated checks against your org, providing real-time progress for each one:

[ 1/22] Health Check
[ 2/22] Users & Admins
...
─────────────────────────────
  Audit Summary
─────────────────────────────
  CRITICAL       2 findings
  HIGH           4 findings
  MEDIUM         7 findings
  LOW            3 findings
─────────────────────────────
  Score: 61/100   Grade: C
─────────────────────────────

Report written: ./sf-audit-00D8t000001abc-1711234567890.html

What it Checks

The audit covers six critical domains of Salesforce security. Instead of digging through Setup, you get a consolidated view of:

  • Org Health: Salesforce Health Check scores, password policies, and session settings.
  • Identity & Access: Users with "God Mode" permissions (ModifyAllData, AuthorApex), inactive users with active licenses, and login trends.
  • Data Security: OWD settings, Guest User permissions, and exposure of sensitive fields (SSN, Credit Cards).
  • Integration Security: Connected App restrictions, Remote Site settings, and hardcoded credentials in Apex.
  • Code & Automation: Apex sharing violations, Flows running in System Context, and unit test coverage.
  • Platform: API limit consumption, Setup Audit Trail alerts, and credential-like names in Custom Settings.

Professional Features

Pro Tip: Use the --fail-on HIGH flag in your CI/CD pipeline to automatically block deployments if new security risks are introduced.

Flag Purpose
--format html,json Generates both interactive and machine-readable reports.
--output ./docs Writes reports to a specific directory.
--fail-on HIGH Exits with an error if HIGH or CRITICAL findings exist.
--checks [names] Runs only a specific subset of security checks.

Understanding Your Grade

The scoring model provides an objective measure of your security posture. The health score starts at 100, with deductions based on the severity of findings.

Grade Criteria
A Score ≥ 85 AND zero HIGH findings.
B Score ≥ 70 AND max one HIGH finding.
C Score ≥ 55 AND max three HIGH findings.
D Score ≥ 40 AND zero CRITICAL findings.
F Score < 40 OR any CRITICAL finding.

The grade gives you an honest read on where your org sits. Most production orgs land between B and D on their first run. Start with the CRITICAL and HIGH findings, resolve them, and re-run the audit to track your progress.

Want to know how the plugin is built — the cache dependency system, the layered architecture, and the scoring model? Read part two.

Comments (0)

Loading comments...

More to Explore

How We Built a Native sf Plugin for Salesforce Security

We had a working Python script. Here is why we rewrote it as a native sf plugin, and the design decisions that made 22 parallel security checks practical.

1 view

Mixed DML Operations: Enterprise User Provisioning Patterns for Salesforce

Master the complex challenge of mixing setup and non-setup object operations in Salesforce user provisioning workflows with production-proven patterns and error handling strategies.

31 views

CPU Timeout Resolution: Advanced Debugging and Architecture Patterns for Salesforce Apex

Master advanced techniques for diagnosing, preventing, and recovering from CPU timeout errors in production Salesforce environments with architectural patterns that scale.

22 views