skills/sf-2gp-security-review/SKILL.md
Use when user asks for a 2GP security review, AppExchange readiness check, or pass/fail prediction for Apex, LWC, SOQL. Do NOT use for general security patterns.
This skill performs a comprehensive security review of a Salesforce 2GP managed package, assesses readiness for the AppExchange security review, and produces a pass/fail prediction with actionable remediation steps. The prediction is a static-analysis estimate of what the AppExchange reviewers will flag; it does not replace the scanner runs listed in the report appendix.
When invoked, you will:
1. Build an inventory of the package contents under force-app/.
2. Audit every file in that inventory against the 15 security categories and assign PASS, WARN or FAIL to each category.
3. Work through the 2GP license qualification checklist.
4. Apply the scoring rules to reach an overall verdict.
5. Write the report.
The output is a detailed markdown report saved to the project's docs/security/ directory.
Before auditing, build a complete inventory of the package contents. Run these searches against the project's force-app/ directory. Folder-based types (LWC, Aura, custom objects) are counted one per directory; file-based types are counted one per `-meta.xml` descriptor, so that an unpacked static resource folder sitting next to its descriptor is not counted twice:
Apex classes: force-app/**/classes/*.cls
Apex triggers: force-app/**/triggers/*.trigger
LWC components: force-app/**/lwc/*/
Aura components: force-app/**/aura/*/
Visualforce pages: force-app/**/pages/*.page
Custom objects: force-app/**/objects/*/
Permission sets: force-app/**/permissionsets/*.permissionset-meta.xml
Custom metadata records: force-app/**/customMetadata/*.md-meta.xml
Static resources: force-app/**/staticresources/*.resource-meta.xml
Named credentials: force-app/**/namedCredentials/*.namedCredential-meta.xml
Remote site settings: force-app/**/remoteSiteSettings/*.remoteSite-meta.xml
Connected apps: force-app/**/connectedApps/*.connectedApp-meta.xml
Record the count of each metadata type. This inventory becomes the header of your report.
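The inventory step as a runnable script. This is an added example, not part of the skill or the referenced project; the source tree it creates is constructed for the demonstration, and the choice to count the `-meta.xml` descriptor for file-based types (so an unpacked static resource folder is not counted twice) is an assumption made here.

```python
import tempfile
from pathlib import Path

# Metadata type -> (glob relative to force-app/, what to count).
# "dir": one entry per folder (LWC, Aura, custom objects).
# "file": one entry per matching file; file-based types are counted by their
#         *-meta.xml descriptor (assumption: avoids double-counting unpacked
#         static resource folders that sit next to the descriptor).
INVENTORY_PATTERNS = [
    ("Apex Classes", "**/classes/*.cls", "file"),
    ("Apex Triggers", "**/triggers/*.trigger", "file"),
    ("LWC Components", "**/lwc/*", "dir"),
    ("Aura Components", "**/aura/*", "dir"),
    ("Visualforce Pages", "**/pages/*.page", "file"),
    ("Custom Objects", "**/objects/*", "dir"),
    ("Permission Sets", "**/permissionsets/*.permissionset-meta.xml", "file"),
    ("Custom Metadata Records", "**/customMetadata/*.md-meta.xml", "file"),
    ("Static Resources", "**/staticresources/*.resource-meta.xml", "file"),
    ("Named Credentials", "**/namedCredentials/*.namedCredential-meta.xml", "file"),
    ("Remote Site Settings", "**/remoteSiteSettings/*.remoteSite-meta.xml", "file"),
    ("Connected Apps", "**/connectedApps/*.connectedApp-meta.xml", "file"),
]


def build_inventory(force_app: Path) -> dict[str, int]:
    """Count each metadata type under force-app/ using the patterns above."""
    counts = {}
    for label, pattern, kind in INVENTORY_PATTERNS:
        matches = force_app.glob(pattern)
        # "**/lwc/*" also matches stray files such as lwc/jsconfig.json,
        # so folder-based types are filtered to directories only.
        wanted = (p.is_dir() if kind == "dir" else p.is_file() for p in matches)
        counts[label] = sum(1 for hit in wanted if hit)
    return counts


def inventory_table(counts: dict[str, int]) -> str:
    """Render the counts as the markdown table used in the report header."""
    lines = ["| Metadata Type | Count |", "|--------------|-------|"]
    lines += [f"| {label} | {n} |" for label, n in counts.items()]
    return "\n".join(lines)


def make_sample_package(root: Path) -> Path:
    """Create a constructed (fake) 2GP source tree for the demonstration."""
    base = root / "force-app" / "main" / "default"
    files = [
        "classes/AccountService.cls",
        "classes/AccountService.cls-meta.xml",   # descriptor, not a class
        "classes/AccountServiceTest.cls",
        "classes/AccountServiceTest.cls-meta.xml",
        "triggers/AccountTrigger.trigger",
        "lwc/accountCard/accountCard.js",
        "lwc/accountCard/accountCard.html",
        "lwc/accountList/accountList.js",
        "aura/AccountPanel/AccountPanel.cmp",
        "objects/Invoice__c/Invoice__c.object-meta.xml",
        "objects/Invoice__c/fields/Amount__c.field-meta.xml",
        "permissionsets/Invoice_Admin.permissionset-meta.xml",
        "staticresources/chartLib.resource-meta.xml",
        "staticresources/chartLib/chart.js",     # unpacked content, not counted again
        "namedCredentials/Billing_API.namedCredential-meta.xml",
        "remoteSiteSettings/Billing_Host.remoteSite-meta.xml",
    ]
    for rel in files:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    return root / "force-app"


def sample_inventory() -> dict[str, int]:
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_inventory(make_sample_package(Path(tmp)))


if __name__ == "__main__":
    print(inventory_table(sample_inventory()))
```

On a real package, call `build_inventory(Path("force-app"))` from the project root; the same counts feed the `Package Inventory` table in the report.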
Audit every file from Step 1 against 15 categories. For each category, assign a status: PASS (no issues), WARN (minor issues, unlikely to fail review), or FAIL (will likely fail AppExchange security review).
Audit criteria, grep patterns, and PASS/WARN/FAIL thresholds for all 15 categories:
@../_reference/APPEXCHANGE_REVIEW.md
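How one category audit is actually carried out, using category 1 (CRUD/FLS Enforcement) as the worked case. This is an added example and not the skill's own scanner or the grep patterns from APPEXCHANGE_REVIEW.md; the regexes, the two Apex classes and the PASS/WARN/FAIL roll-up rule (any FAIL fails the category) are assumptions made for the demonstration. The scanner reports each hit with file path, line number and remediation, the shape the Critical Findings section expects.

```python
import re
from dataclasses import dataclass

# Grep-style heuristics for the CRUD/FLS Enforcement category. They surface
# candidates for the reviewer; they do not prove that enforcement is present.
SOQL_RE = re.compile(r"\[\s*SELECT\b.*?\]", re.IGNORECASE | re.DOTALL)
SOQL_ENFORCED_RE = re.compile(r"\bWITH\s+(SECURITY_ENFORCED|USER_MODE)\b", re.IGNORECASE)
DYNAMIC_SOQL_RE = re.compile(r"Database\.(query|countQuery|getQueryLocator)\s*\(")
USER_MODE_ARG_RE = re.compile(r"AccessLevel\.USER_MODE")
# Statement-level DML; 'insert as user' style DML already runs in user mode.
DML_RE = re.compile(r"^\s*(insert|update|upsert|delete|undelete)\b(?!\s+as\s+user\b)", re.IGNORECASE)
DATABASE_DML_RE = re.compile(r"Database\.(insert|update|upsert|delete|undelete)\s*\(")
STRIP_RE = re.compile(r"Security\.stripInaccessible\s*\(")
DESCRIBE_CHECK_RE = re.compile(r"\.is(Accessible|Createable|Updateable|Deletable)\s*\(\s*\)")


@dataclass
class Finding:
    file: str
    line: int
    status: str        # "FAIL" or "WARN"
    issue: str
    remediation: str


def audit_crud_fls(path: str, source: str) -> list[Finding]:
    """Scan one Apex class for SOQL and DML that do not enforce CRUD/FLS."""
    findings = []

    # 1. Inline SOQL must carry WITH SECURITY_ENFORCED or WITH USER_MODE.
    for m in SOQL_RE.finditer(source):
        if not SOQL_ENFORCED_RE.search(m.group(0)):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, "FAIL",
                "Inline SOQL without WITH SECURITY_ENFORCED / WITH USER_MODE",
                "Append WITH USER_MODE (or WITH SECURITY_ENFORCED) to the query"))

    # Class-wide signal that DML is guarded somewhere; downgrades FAIL to WARN
    # because the guard still has to be confirmed by hand.
    has_guard = bool(STRIP_RE.search(source) or DESCRIBE_CHECK_RE.search(source))

    for n, text in enumerate(source.splitlines(), start=1):
        # 2. Dynamic SOQL: the query string is built elsewhere, so only warn
        #    unless the call passes AccessLevel.USER_MODE.
        if DYNAMIC_SOQL_RE.search(text) and not USER_MODE_ARG_RE.search(text):
            findings.append(Finding(path, n, "WARN",
                "Dynamic SOQL without AccessLevel.USER_MODE",
                "Pass AccessLevel.USER_MODE or confirm the query string ends in WITH SECURITY_ENFORCED"))
        # 3. DML outside user mode and without a stripInaccessible/describe guard.
        is_dml = DML_RE.search(text) or (
            DATABASE_DML_RE.search(text) and not USER_MODE_ARG_RE.search(text))
        if is_dml:
            findings.append(Finding(path, n, "WARN" if has_guard else "FAIL",
                "DML statement not executed in user mode",
                "Use 'insert as user' style DML, pass AccessLevel.USER_MODE, "
                "or call Security.stripInaccessible before the DML"))
    return findings


def category_status(findings: list[Finding]) -> str:
    """Roll findings up to PASS / WARN / FAIL (assumed rule: any FAIL fails)."""
    statuses = {f.status for f in findings}
    if "FAIL" in statuses:
        return "FAIL"
    return "WARN" if "WARN" in statuses else "PASS"


# Constructed sample classes: the 'before' that fails review and the 'after'.
VULNERABLE = """\
public with sharing class InvoiceService {
    public static List<Invoice__c> listOpen() {
        return [SELECT Id, Amount__c FROM Invoice__c WHERE Status__c = 'Open'];
    }
    public static void close(List<Invoice__c> invoices) {
        for (Invoice__c inv : invoices) { inv.Status__c = 'Closed'; }
        update invoices;
    }
}
"""

HARDENED = """\
public with sharing class InvoiceService {
    public static List<Invoice__c> listOpen() {
        return [SELECT Id, Amount__c FROM Invoice__c WHERE Status__c = 'Open' WITH USER_MODE];
    }
    public static void close(List<Invoice__c> invoices) {
        for (Invoice__c inv : invoices) { inv.Status__c = 'Closed'; }
        update as user invoices;
    }
}
"""

if __name__ == "__main__":
    for name, src in (("before", VULNERABLE), ("after", HARDENED)):
        found = audit_crud_fls("force-app/main/default/classes/InvoiceService.cls", src)
        print(f"{name}: {category_status(found)}")
        for f in found:
            print(f"  {f.status} {f.file}:{f.line} {f.issue} -> {f.remediation}")
```

Note the limits of this kind of check: `with sharing` on the class controls record-level sharing only and says nothing about object or field permissions, which is why the SOQL and DML are inspected separately, and a `Security.stripInaccessible` call anywhere in the class only earns a WARN because the reviewer still has to confirm it guards the DML in question.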
Supporting reference for implementation patterns:
Categories:
After the security audit, assess readiness for 2GP licensing and AppExchange distribution. Check every item and mark as DONE, NOT DONE, or N/A.
Full checklist (Dev Hub, package config, code quality, submission, ISV, post-review):
@../_reference/APPEXCHANGE_REVIEW.md (section: 2GP License Qualification Checklist)
After completing the audit and checklist, calculate the overall score using the scoring rules and produce one of these verdicts: READY TO SUBMIT / NEEDS REMEDIATION / MAJOR REWORK NEEDED.
Scoring rules and verdict criteria:
@../_reference/APPEXCHANGE_REVIEW.md (section: Scoring Rules)
Generate a markdown report with this structure and save it to docs/security/security-review-report.md:
```markdown
# Security Review Report — [Package Name]
Generated: [Date]
Package Version: [version from sfdx-project.json]
Namespace: [namespace]

## Package Inventory
| Metadata Type | Count |
|--------------|-------|
| Apex Classes | X |
| ... | ... |

## Security Audit Results
### Overall Verdict: [READY TO SUBMIT / NEEDS REMEDIATION / MAJOR REWORK NEEDED]
Score: X/15 categories passing

### Category Results
| # | Category | Status | Issues |
|---|----------|--------|--------|
| 1 | CRUD/FLS Enforcement | PASS/WARN/FAIL | Details |
| ... | ... | ... | ... |

### Critical Findings (FAIL)
[List each FAIL with file path, line number, and specific remediation]

### Warnings
[List each WARN with recommendation]

## 2GP License Qualification
[Checklist with DONE/NOT DONE/N/A status for each item]

## Remediation Plan
[Prioritized list of fixes, ordered by: automatic fails first, then likely fails, then warnings]

## Appendix: Scanner Commands
[Commands the user should run for Code Analyzer, Checkmarx, etc.]
```