Audits Salesforce 2GP managed packages for security review, AppExchange readiness, and pass/fail prediction on Apex, LWC, SOQL with remediation steps.
Slash command: /salesforce-claude-code:sf-2gp-security-review
Auto-load trigger (the summary Claude sees in its skill listing):
- User asks for a 2GP managed package security review or AppExchange readiness assessment
This skill performs a comprehensive security review of a Salesforce 2GP managed package, assesses readiness for AppExchange security review, and produces a pass/fail prediction with actionable remediation steps.
When invoked, work through the steps below: build the package inventory, audit it against the 15 security categories, run the 2GP license qualification checklist, compute the score and verdict, and write the report. The output is a detailed markdown report saved to the project's docs/security/ directory.
Before auditing, build a complete inventory of the package contents. Run these searches
against the project's force-app/ directory:
Apex classes: force-app/**/classes/*.cls
Apex triggers: force-app/**/triggers/*.trigger
LWC components: force-app/**/lwc/*/
Aura components: force-app/**/aura/*/
Visualforce pages: force-app/**/pages/*.page
Custom objects: force-app/**/objects/*/
Permission sets: force-app/**/permissionsets/*/
Custom metadata: force-app/**/customMetadata/*/
Static resources: force-app/**/staticresources/*/
Named credentials: force-app/**/namedCredentials/*/
Remote site settings: force-app/**/remoteSiteSettings/*/
Connected apps: force-app/**/connectedApps/*/
Record the count of each metadata type. This inventory becomes the header of your report.
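Added example, not part of the skill or the plugin: a POSIX shell script that translates the Step 1 globs into `find` calls and prints the Package Inventory table used as the report header. It assumes a standard SFDX layout with force-app/ under the project root; the fixture tree at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the skill: translates the Step 1 globs into `find`
# calls and prints the Package Inventory table. Assumes a standard SFDX layout
# with force-app/ under the project root passed as $1.

# inventory_count ROOT PARENT [EXT]
# Without EXT: counts immediate children of every <PARENT>/ directory, so a
# component's __tests__/ or an object's fields/ are not counted (hence -prune).
# With EXT: counts files ending in EXT below <PARENT>/ (e.g. classes .cls;
# the companion .cls-meta.xml files are therefore excluded).
inventory_count() {
  root=$1; parent=$2; ext=${3:-}
  if [ -n "$ext" ]; then
    find "$root/force-app" -type f -path "*/$parent/*$ext" | wc -l | tr -d ' '
  else
    find "$root/force-app" -path "*/$parent/*" -prune -print | wc -l | tr -d ' '
  fi
}

# inventory_table ROOT: the report header table, one row per metadata type.
inventory_table() {
  root=$1
  printf '| Metadata Type | Count |\n|--------------|-------|\n'
  printf '| Apex Classes | %s |\n'         "$(inventory_count "$root" classes .cls)"
  printf '| Apex Triggers | %s |\n'        "$(inventory_count "$root" triggers .trigger)"
  printf '| LWC Components | %s |\n'       "$(inventory_count "$root" lwc)"
  printf '| Aura Components | %s |\n'      "$(inventory_count "$root" aura)"
  printf '| Visualforce Pages | %s |\n'    "$(inventory_count "$root" pages .page)"
  printf '| Custom Objects | %s |\n'       "$(inventory_count "$root" objects)"
  printf '| Permission Sets | %s |\n'      "$(inventory_count "$root" permissionsets)"
  printf '| Custom Metadata | %s |\n'      "$(inventory_count "$root" customMetadata)"
  printf '| Static Resources | %s |\n'     "$(inventory_count "$root" staticresources)"
  printf '| Named Credentials | %s |\n'    "$(inventory_count "$root" namedCredentials)"
  printf '| Remote Site Settings | %s |\n' "$(inventory_count "$root" remoteSiteSettings)"
  printf '| Connected Apps | %s |\n'       "$(inventory_count "$root" connectedApps)"
}

# make_fixture: constructed sample tree so the example runs offline; prints its root.
make_fixture() {
  root=$(mktemp -d); d=$root/force-app/main/default
  mkdir -p "$d/classes" "$d/triggers" "$d/lwc/accountCard/__tests__" \
           "$d/lwc/contactList" "$d/objects/Invoice__c/fields" "$d/permissionsets"
  touch "$d/classes/AccountService.cls" "$d/classes/AccountService.cls-meta.xml" \
        "$d/classes/AccountServiceTest.cls" "$d/triggers/AccountTrigger.trigger" \
        "$d/permissionsets/Invoice_Admin.permissionset-meta.xml"
  printf '%s\n' "$root"
}

if [ -n "${1:-}" ]; then inventory_table "$1"; fi
```

Run it as `sh inventory.sh /path/to/project` and paste the table into the report header; on the fixture it reports 2 Apex classes, 1 trigger, 2 LWC components, 1 custom object and 1 permission set.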
Audit every file from Step 1 against 15 categories. For each category, assign a status: PASS (no issues), WARN (minor issues, unlikely to fail review), or FAIL (will likely fail AppExchange security review).
Audit criteria, grep patterns, and PASS/WARN/FAIL thresholds for all 15 categories:
@../_reference/APPEXCHANGE_REVIEW.md
Supporting reference for implementation patterns:
Categories:
After the security audit, assess readiness for 2GP licensing and AppExchange distribution. Check every item and mark as DONE, NOT DONE, or N/A.
Full checklist (Dev Hub, package config, code quality, submission, ISV, post-review):
@../_reference/APPEXCHANGE_REVIEW.md (section: 2GP License Qualification Checklist)
After completing the audit and checklist, calculate the overall score using the scoring rules and produce one of these verdicts: READY TO SUBMIT / NEEDS REMEDIATION / MAJOR REWORK NEEDED.
Scoring rules and verdict criteria:
@../_reference/APPEXCHANGE_REVIEW.md (section: Scoring Rules)
Generate a markdown report with this structure and save it to docs/security/security-review-report.md:
# Security Review Report — [Package Name]
Generated: [Date]
Package Version: [version from sfdx-project.json]
Namespace: [namespace]
## Package Inventory
| Metadata Type | Count |
|--------------|-------|
| Apex Classes | X |
| ... | ... |
## Security Audit Results
### Overall Verdict: [READY TO SUBMIT / NEEDS REMEDIATION / MAJOR REWORK]
Score: X/15 categories passing
### Category Results
| # | Category | Status | Issues |
|---|----------|--------|--------|
| 1 | CRUD/FLS Enforcement | PASS/WARN/FAIL | Details |
| ... | ... | ... | ... |
### Critical Findings (FAIL)
[List each FAIL with file path, line number, and specific remediation]
### Warnings
[List each WARN with recommendation]
## 2GP License Qualification
[Checklist with DONE/NOT DONE status for each item]
## Remediation Plan
[Prioritized list of fixes, ordered by: automatic fails first, then likely fails, then warnings]
## Appendix: Scanner Commands
[Commands the user should run for Code Analyzer, Checkmarx, etc.]
Install: npx claudepluginhub jiten-singh-shahi/salesforce-claude-code --plugin salesforce-claude-code