Find your content:

Search form

You are here

Apex static code analysis


What static code analysis tools are there for apex? The only one I seem to be able to find is the Security Source Code Scanner but that has the draw back of placing your request into a queue and running it when it can. I would like something I can run locally so I can make refactoring into a number of very short cycles.

Attribution to: Bob Roberts

Possible Suggestion/Solution #1

You can get a local version of the Checkmarx source code scanner to run in Eclipse as a plugin. I think you get 90 days for free.

See Apex security scanner - Eclipse Plug-in.

The report is the same as the one you get from the Security Source Code Scanner, just integrated into the IDE. So you can go straight to the applicable lines in the source code.

While this solution is more local than the version you run from the website, it still relies on sending the code off to Checkmarx for remote analysis.

Attribution to: Daniel Ballinger

Possible Suggestion/Solution #2

Apologies for plugging myself, but I've been working on a static analysis tool. You can find some information and try out a single page at

The enterprise version is based on Sonar, so it's got graphs and timelines, code reviews functionality, and much more.

There are over 100 static analysis checks including many very specific to Apex; code complexity metrics, etc. You can also build your own rules using XPath, or use it for continuous integration by having it run your Apex class tests and recording the results.

On you can also try out the analysis by uploading a single file. It doesn't have all the functionality as the enterprise version though, and quite a few metrics and analysis points are not enabled.

There is an eclipse version of this as well which displays the static analysis results as you work in Eclipse (analysis is done locally, so you can fix it as you work).

Let me know if you want some more information or a demo.

Attribution to: bvanklinken

Possible Suggestion/Solution #3

I won't take away from the far more feature-full, already accepted answer, but I did write some code and a blog post about static code analysis of apex. Just to toss my own home-made hat in the ring.

Attribution to: Bob Roberts

Possible Suggestion/Solution #4

UPDATE: On Pluralsight Robert from PMD and Lorenzo from just released a FREE (no-signup) in-depth course on Automated Code Analysis in Salesforce.

I recently ported the famous Java Static code analyzer PMD to Apex. We also ported many of the original Java rules and created a few Apex specific to showcase how to write language-specific rules (e.g. AvoidSoqlInLoops, AvoidLogicInTriggers,...).

Other than CodeScan, our effort is open source and was merged back into the original PMD repository on Github ( Every Salesforce developer or expert out there can fork the repo and create new and better rules and integrations.

As the Apex language module is now part of the regular PMD distribution all PMD-based tools also speak Apex now, e.g. the Eclipse / IDE.

enter image description here

We have also built an open-source engine for CodeClimate so you cannot only analyze files on your local machine but also have code checked into your Github repos verified.

enter image description here

Just recently another Github-integrated services called added full support for PMD and Apex.

enter image description here

Attribution to: Robert Sösemann

Possible Suggestion/Solution #5

I believe Appirio debuted Cloud Metrics at DF12. Not sure if it is available publicly just yet

Attribution to: techtrekker

Possible Suggestion/Solution #6

For those of you that hate eclipse, I've written an open source vscode extension called Apex PMD. It uses the same rules as code climate by default but allows you to configure your own ruleset.

CodeScan, CodeClimate,, etc are awesome because they show you have your code is improving/degrading between commits/pr's.

Having Static Anylsis in your IDE will help ensure you are following best practices in realtime.

Attribution to: NSjonas

Possible Suggestion/Solution #7

very old question, but it's worth pointing out a new addition in the static code analysis space,

I am the person who created it. Clayton uses static code analysis techniques to do automatic code reviews. It's hosted on Heroku, meaning that assuming you use a Git repository on the cloud (Github, Bitbucket) you don't need to install anything anywhere.

Attribution to: Lorenzo Frattini
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content