▲ 15 r/SalesforceDeveloper+2 crossposts

Free open-source sf CLI plugin for Salesforce org security audits, would love your feedback on what to add

!'m a Salesforce architect, 18 years exp. I've done a lot of org security reviews by hand and found them genuinely cumbersome, I'd spend more time clicking through Setup and capturing data than actually analysing it. There are so many ways an org can be configured to leak data or open a vulnerability that doing it manually is slow and easy to miss things.

So I ended up building a free sf CLI plugin that runs entirely locally, using your existing sf CLI auth. It's strictly read-only, no writes, doesn't need View All Data, so it's safe to point at a real org.

It runs 64 read-only checks across identity, access, data, apex, integrations and monitoring, gives a health score A-F grade, maps each finding to compliance frameworks (OWASP, SOC 2, ISO 27001, NZISM and others), flags attack chains, and outputs HTML/MD/JSON.

It uses deterministic rules, no AI, so isn't exhaustive, and the coverage is opinionated, based on what I've learned to look for.

Genuinely after feedback:

  • What checks would you add?
  • What else do you look for when you run a security review?

https://github.com/cclabsnz/sf-audit-plugin

github.com
u/gosfdc — 13 days ago