
Apex Security Checker

by MD jABER HOSSEN, updated May 4, 2026

Scans Salesforce Apex code for security vulnerabilities via MCP API calls. Detects issues including SOQL injection, CRUD/FLS enforcement failures, and unsafe dynamic code execution. Salesforce developers and security teams use it to validate code in development pipelines and pre-deployment audits.

apex
salesforce
security

Overview

Apex Security Checker is an MCP server that enables programmatic security analysis of Salesforce Apex code. Users submit Apex classes, triggers, controllers, or code snippets through the server's tools and receive a report listing each detected vulnerability with its severity rating, affected line numbers, and a suggested fix. It focuses on Salesforce-specific risks, checking code against Salesforce secure-coding guidance and flagging patterns that also risk governor limits. The server can be called from IDEs, CI/CD workflows, or custom scripts.

Key Capabilities

  • apex_scan: Performs full static analysis on submitted Apex code, identifying vulnerabilities such as injection points, access control gaps, and deserialization risks.
  • soql_validator: Checks dynamic SOQL queries for injection vulnerabilities and proper escaping.
  • fls_checker: Verifies CRUD operations and Field-Level Security (FLS) enforcement across methods.
  • report_generator: Outputs JSON or Markdown reports with remediation steps and compliance scores.

These capabilities draw from Salesforce security guidelines, covering common pitfalls in Apex development.
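The following Apex class is an added example, not code from the Apex Security Checker project or its author, showing the two pattern families the tool descriptions above say soql_validator and fls_checker look for: user input concatenated into dynamic SOQL, and DML issued without CRUD/FLS checks. Each unsafe method is paired with a hardened form using standard platform APIs (bind variables, String.escapeSingleQuotes, WITH USER_MODE, Schema describe checks, Security.stripInaccessible). The class and method names are illustrative.

```apex
// Added example (not part of the Apex Security Checker project). Class and
// method names are illustrative; the platform APIs used are standard Apex.
public with sharing class ContactLookupController {

    // UNSAFE: user input is concatenated into a dynamic SOQL string.
    // An input such as   x%' OR Email LIKE '%   rewrites the WHERE clause,
    // which is exactly what a SOQL-injection check flags.
    public static List<Contact> findByNameUnsafe(String name) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE Name LIKE \'%' + name + '%\'';
        return Database.query(soql);
    }

    // SAFE: static SOQL with a bind variable. The input is never parsed as
    // SOQL, and WITH USER_MODE makes the query honour the running user's
    // object and field permissions ("with sharing" covers record sharing).
    public static List<Contact> findByNameSafe(String name) {
        String pattern = '%' + name + '%';
        return [SELECT Id, Name, Email FROM Contact WHERE Name LIKE :pattern WITH USER_MODE];
    }

    // SAFE when the query must be built dynamically (here the selected field
    // varies): allow-list the structural part and escape the value that is
    // concatenated. Prefer bind variables whenever the value can be bound;
    // escapeSingleQuotes is the fallback for values that cannot be.
    public static List<Contact> findByNameDynamic(String name, String extraField) {
        Set<String> allowedFields = new Set<String>{ 'Phone', 'Title' };
        if (!allowedFields.contains(extraField)) {
            throw new IllegalArgumentException('Unsupported field: ' + extraField);
        }
        String safeName = String.escapeSingleQuotes(name);
        String soql = 'SELECT Id, Name, ' + extraField
            + ' FROM Contact WHERE Name LIKE \'%' + safeName + '%\'';
        // AccessLevel.USER_MODE enforces CRUD/FLS on the dynamic query too.
        return Database.query(soql, AccessLevel.USER_MODE);
    }

    // UNSAFE: DML with no CRUD/FLS check. A user who is not allowed to edit
    // Contact.Email can still change it through this method, which is the
    // gap an FLS enforcement check reports.
    public static void updateEmailUnsafe(Id contactId, String email) {
        Contact c = new Contact(Id = contactId, Email = email);
        update c;
    }

    // SAFE: verify object-level (CRUD) and field-level (FLS) permission
    // explicitly before issuing the DML.
    public static void updateEmailChecked(Id contactId, String email) {
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();
        }
        update new Contact(Id = contactId, Email = email);
    }

    // SAFE (alternative): strip any field the user may not update, then save
    // in user mode so the platform enforces the remaining checks.
    public static void updateEmailStripped(Id contactId, String email) {
        List<Contact> records = new List<Contact>{ new Contact(Id = contactId, Email = email) };
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, records);
        Database.update(decision.getRecords(), AccessLevel.USER_MODE);
    }
}
```

Running the unsafe methods through apex_scan or the individual validators is a quick way to confirm the tool reports the concatenation on findByNameUnsafe and the unchecked DML in updateEmailUnsafe, and stays quiet on the hardened variants; a scanner that misses either is not ready to gate a pipeline.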

Use Cases

  • CI/CD Pipeline Integration: Developers run apex_scan on pull requests in GitHub Actions or Jenkins, blocking merges if high-severity issues like SOQL injection are found.
  • Pre-Deployment Audits: Platform admins submit entire Apex classes via fls_checker to confirm FLS compliance before sandbox promotion.
  • Legacy Code Migration: Security teams analyze old triggers with soql_validator to identify unsafe dynamic queries during org upgrades.
  • Batch Analysis: Script automated scans of multiple files using report_generator for quarterly security reviews.

Who This Is For

Salesforce developers writing Apex code, DevSecOps engineers building secure pipelines, platform administrators enforcing org policies, and security analysts auditing Salesforce applications. Requires familiarity with Apex and Salesforce security models.