Catch Salesforce Security Gaps in One Command
Salesforce orgs accumulate risk quietly. A connected app that stopped being used two years ago. A profile that still has ModifyAllData because someone was in a rush during a go-live. Guest user access that made sense at the time.
None of it shows up anywhere unless you go looking. Setup is a point-in-time view, not a monitor. We built sf audit security to make the looking fast.
Getting Started
The audit hooks directly into the Salesforce CLI you already use. No separate auth flow or complex config files required.
1. Install the plugin
sf plugins install @cclabsnz/sf-audit
2. Run the audit
sf audit security --target-org myOrg
The command runs 22 automated checks against your org, providing real-time progress for each one:
[ 1/22] Health Check
[ 2/22] Users & Admins
...
─────────────────────────────
Audit Summary
─────────────────────────────
CRITICAL 2 findings
HIGH 4 findings
MEDIUM 7 findings
LOW 3 findings
─────────────────────────────
Score: 61/100 Grade: C
─────────────────────────────
Report written: ./sf-audit-00D8t000001abc-1711234567890.html
What it Checks
The audit covers six critical domains of Salesforce security. Instead of digging through Setup, you get a consolidated view of:
- Org Health: Salesforce Health Check scores, password policies, and session settings.
- Identity & Access: Users with "God Mode" permissions (ModifyAllData, AuthorApex), inactive users with active licenses, and login trends.
- Data Security: OWD settings, Guest User permissions, and exposure of sensitive fields (SSN, Credit Cards).
- Integration Security: Connected App restrictions, Remote Site settings, and hardcoded credentials in Apex.
- Code & Automation: Apex sharing violations, Flows running in System Context, and unit test coverage.
- Platform: API limit consumption, Setup Audit Trail alerts, and credential-like names in Custom Settings.
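To make one of these checks concrete, here is an added example (not the plugin's code) that reproduces the Identity & Access "God Mode" check by hand: it shows the SOQL you could run against `PermissionSetAssignment` to find every user holding ModifyAllData or AuthorApex through a profile or permission set, and then evaluates the query output. The SOQL, the constructed sample records and the severity rating are this example's assumptions; the plugin's own queries and ratings are not published on this page.

```python
import json

# SOQL you could run by hand (for example with `sf data query --json --query "..."`)
# to list everyone who holds ModifyAllData or AuthorApex through a profile or a
# permission set. This is an assumption about how to reproduce the check, not the
# plugin's own query.
GOD_MODE_SOQL = (
    "SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name, "
    "PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name, "
    "PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsAuthorApex "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsModifyAllData = true "
    "OR PermissionSet.PermissionsAuthorApex = true"
)

GOD_MODE_FIELDS = {
    "PermissionsModifyAllData": "ModifyAllData",
    "PermissionsAuthorApex": "AuthorApex",
}

# Constructed sample in the shape of the `sf data query --json` envelope, embedded
# so the script runs offline. Usernames and permission set names are made up.
SAMPLE_QUERY_OUTPUT = json.dumps({
    "status": 0,
    "result": {
        "totalSize": 3,
        "done": True,
        "records": [
            {"Assignee": {"Username": "admin@example.com", "IsActive": True},
             "PermissionSet": {"Name": "X00eProfileOwned", "IsOwnedByProfile": True,
                               "Profile": {"Name": "System Administrator"},
                               "PermissionsModifyAllData": True,
                               "PermissionsAuthorApex": True}},
            {"Assignee": {"Username": "golive.temp@example.com", "IsActive": True},
             "PermissionSet": {"Name": "Go_Live_Helper", "IsOwnedByProfile": False,
                               "Profile": None,
                               "PermissionsModifyAllData": True,
                               "PermissionsAuthorApex": False}},
            {"Assignee": {"Username": "former.dev@example.com", "IsActive": False},
             "PermissionSet": {"Name": "Dev_Tools", "IsOwnedByProfile": False,
                               "Profile": None,
                               "PermissionsModifyAllData": False,
                               "PermissionsAuthorApex": True}},
        ],
    },
})


def god_mode_findings(query_json, allowlist=frozenset()):
    """Group the query output by user and emit one finding per holder of a
    God Mode permission, skipping usernames on an explicit allowlist (the
    accounts you have decided should keep it, such as a break-glass admin)."""
    payload = json.loads(query_json)
    if payload.get("status") != 0:
        raise RuntimeError(f"query failed: {payload}")

    by_user = {}
    for rec in payload["result"]["records"]:
        assignee, ps = rec["Assignee"], rec["PermissionSet"]
        # Profile-owned permission sets carry an opaque Name; report the profile instead.
        if ps["IsOwnedByProfile"] and ps.get("Profile"):
            source = "profile:" + ps["Profile"]["Name"]
        else:
            source = "permset:" + ps["Name"]
        perms = [label for field, label in GOD_MODE_FIELDS.items() if ps.get(field)]
        entry = by_user.setdefault(
            assignee["Username"], {"active": assignee["IsActive"], "grants": []}
        )
        entry["grants"].append((source, perms))

    findings = []
    for user in sorted(by_user):
        if user in allowlist:
            continue
        info = by_user[user]
        findings.append({
            "user": user,
            "active": info["active"],
            "permissions": sorted({p for _, perms in info["grants"] for p in perms}),
            "via": [source for source, _ in info["grants"]],
            # Severity is this example's own rating, not the plugin's: an active
            # holder is CRITICAL; an inactive one is still HIGH because
            # reactivating the user restores the grant untouched.
            "severity": "CRITICAL" if info["active"] else "HIGH",
        })
    return findings


if __name__ == "__main__":
    for f in god_mode_findings(SAMPLE_QUERY_OUTPUT, allowlist={"admin@example.com"}):
        print(f"[{f['severity']}] {f['user']} holds {', '.join(f['permissions'])} "
              f"via {', '.join(f['via'])} (active={f['active']})")
```

The allowlist is the important design choice: a System Administrator profile will always carry ModifyAllData, so the useful signal is every other account that has acquired it, particularly through a permission set created for a one-off task and never removed.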
Professional Features
Pro Tip: Use the `--fail-on HIGH` flag in your CI/CD pipeline to fail the job whenever HIGH or CRITICAL findings are present, so a deployment cannot proceed until they are resolved.
| Flag | Purpose |
|---|---|
| `--format html,json` | Generates both interactive and machine-readable reports. |
| `--output ./docs` | Writes reports to a specific directory. |
| `--fail-on HIGH` | Exits with an error if HIGH or CRITICAL findings exist. |
| `--checks [names]` | Runs only a specific subset of security checks. |
Understanding Your Grade
The scoring model provides an objective measure of your security posture. The health score starts at 100, with deductions based on the severity of findings.
| Grade | Criteria |
|---|---|
| A | Score ≥ 85 AND zero HIGH findings. |
| B | Score ≥ 70 AND max one HIGH finding. |
| C | Score ≥ 55 AND max three HIGH findings. |
| D | Score ≥ 40 AND zero CRITICAL findings. |
| F | Score < 40 OR any CRITICAL finding. |
The grade gives you an honest read on where your org sits. Most production orgs land between B and D on their first run. Start with the CRITICAL and HIGH findings, resolve them, and re-run the audit to track your progress.
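The following added example (not the plugin's code) implements the grade table above as written and the `--fail-on` gate from the Professional Features section, working from the summary block the command prints. The per-severity deduction weights are placeholders, because the page states only that the score starts at 100 and drops with severity; the parser assumes the summary lines keep the `SEVERITY N findings` shape shown above. One caveat worth checking against the plugin: applied literally, the F row ("any CRITICAL finding") puts the sample run above, with its 2 CRITICAL findings, at F rather than the C it reports, so confirm the plugin's own precedence before building policy on a parsed grade.

```python
import re

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # most to least severe

# Assumed per-severity deductions. The page says only that the score starts at 100
# and drops with the severity of findings; these weights are placeholders for the
# example, not the plugin's real model.
DEDUCTIONS = {"CRITICAL": 15, "HIGH": 8, "MEDIUM": 3, "LOW": 1}

# The summary block printed at the end of a run, copied from the sample above.
SAMPLE_SUMMARY = """\
Audit Summary
CRITICAL 2 findings
HIGH 4 findings
MEDIUM 7 findings
LOW 3 findings
Score: 61/100 Grade: C
"""

_FINDING_LINE = re.compile(r"^\s*(CRITICAL|HIGH|MEDIUM|LOW)\s+(\d+)\s+findings?\s*$", re.M)


def parse_summary(text):
    """Return {severity: count} from the printed summary; missing rows count as 0."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for sev, n in _FINDING_LINE.findall(text):
        counts[sev] = int(n)
    return counts


def health_score(counts):
    """100 minus the weighted findings, floored at 0 (weights are assumed)."""
    total = sum(DEDUCTIONS[s] * counts.get(s, 0) for s in SEVERITIES)
    return max(0, 100 - total)


def grade(score, counts):
    """Apply the grade table as written. The F row says 'any CRITICAL finding'
    and no other row overrides it, so CRITICAL is checked before the A..D tiers."""
    high = counts.get("HIGH", 0)
    if counts.get("CRITICAL", 0) > 0 or score < 40:
        return "F"
    if score >= 85 and high == 0:
        return "A"
    if score >= 70 and high <= 1:
        return "B"
    if score >= 55 and high <= 3:
        return "C"
    return "D"  # score >= 40 and zero CRITICAL


def fails_threshold(counts, fail_on="HIGH"):
    """Mirror the --fail-on semantics: True when any finding is at or above the
    named severity, which is the condition on which a CI job should exit non-zero."""
    cutoff = SEVERITIES.index(fail_on)
    return any(counts.get(s, 0) > 0 for s in SEVERITIES[: cutoff + 1])


if __name__ == "__main__":
    counts = parse_summary(SAMPLE_SUMMARY)
    print(counts)
    print("score (assumed weights):", health_score(counts))
    print("grade at the reported 61:", grade(61, counts))
    print("would --fail-on HIGH fail the build?", fails_threshold(counts, "HIGH"))
```

In a pipeline you do not need the parser at all: `--fail-on HIGH` already turns the same condition into a non-zero exit code. The parsed counts are useful for the trend the last paragraph describes, recording CRITICAL and HIGH counts per run so a re-audit shows whether the fixes landed.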
Want to know how the plugin is built — the cache dependency system, the layered architecture, and the scoring model? Read part two.