
Security

Insights and articles on Security

The audit plugin has grown from 22 checks to 23, added four new threat surfaces, and gained a fully configurable scoring model. Here is what changed and why it matters.

TL;DR: New checks cover flows without sharing, hardcoded credentials, guest user access, and public group over-sharing. The scoring model is now fully configurable via --scoring-config. SOQL and Tooling API queries now live in JSON files outside the code.

Most Salesforce orgs are carrying security debt they don't know about. This plugin surfaces it in a single command.

TL;DR: Install @cclabsnz/sf-audit, run sf audit security --target-org <alias>, get an HTML report with a health score, a grade, and a prioritised list of findings.

We had a working Python script. Here is why we rewrote it as a native sf plugin, and the design decisions that made 22 parallel security checks practical.

TL;DR: A layered architecture, a cache dependency system to avoid redundant API calls, and a configurable scoring model.

Master the complex challenge of mixing setup and non-setup object operations in Salesforce user provisioning workflows with production-proven patterns and error handling strategies.

TL;DR: Mixed DML restrictions prevent combining User/Group operations with standard objects in single transactions. Use async patterns, state machines, and sophisticated error handling to build reliable user provisioning systems.

Learn how to secure your APIs against XML External Entity (XXE) attacks, including XML Injection and XML Expansion attacks, with practical mitigation steps for Java and RestEasy.

TL;DR: Prevent XXE attacks in Java/RestEasy by configuring SAXParserFactory to disable external entities and disallow DTDs, and enabling secure processing.

© 2025 CloudCounsel Ltd. All rights reserved. Expert software development insights and consulting.