SFSEC Scanner

Abhishek Pandey

Salesforce Security Scanner with Attack Graph & Email Alerts

SFSEC Scanner 🔐

SFSEC Scanner is a Salesforce security analysis tool that detects misconfigurations, guest user exposure, IAM risks, and Apex vulnerabilities — directly from VS Code.

It generates:

  • 📊 JSON report
  • 🌐 Interactive HTML dashboard (with attack graph)

🚀 Features

  • 🔍 Experience Cloud & Guest User security checks
  • 🧠 IAM attack surface analysis (graph-based)
  • ⚡ Apex vulnerability detection (patterns + taint)
  • 📊 Interactive dashboard with filters & graph
  • 🧩 VS Code integrated workflow

🧰 Prerequisites

Before using SFSEC, ensure the following are installed:

1. Python (Required)

  • Version: 3.9+
  • Verify:
python --version

2. Install SFSEC dependencies (Required)

Navigate to your project root and install:

pip install simple-salesforce click

3. Salesforce Credentials (Required)

You must have:

  • Salesforce Username
  • Salesforce Password
  • Security Token

👉 Get token from: Settings → Reset Security Token


4. Enable API Access (Required)

Ensure your Salesforce user (preferably an Admin user) has:

  • API Enabled
  • Permission to query metadata objects


⚙️ Installation (VS Code)

Option 1 — From Marketplace (Recommended)

  1. Open VS Code
  2. Go to Extensions
  3. Search: SFSEC Scanner
  4. Click Install

Option 2 — Manual (.vsix)

code --install-extension sfsec-scanner-1.0.0.vsix

🧑‍💻 Usage

Step 1 — Configure Salesforce Credentials

Open Command Palette:

Ctrl + Shift + P

Run:

SFSEC: Configure Credentials

Enter:

  • Username
  • Password
  • Security Token

Credentials are stored securely using VS Code secrets.


Step 2 — Run Security Scan

Ctrl + Shift + P → SFSEC: Run Scan

Step 3 — Output

After scan completes:

📄 JSON Report

report.json

🌐 HTML Dashboard

report.html

Open in browser for:

  • Charts
  • Findings table
  • Attack graph visualization

Step 4 — Email Report (Optional)

If configured:

  • Report is sent automatically
  • Includes HTML content or attachment

📊 Understanding the Attack Graph

Node Type    Meaning
⚫ Black      Guest User (entry point)
🔵 Blue       Salesforce Object
🔴 Red        Vulnerability

👉 Click nodes to explore risk propagation


🧠 Supported Checks

Experience Cloud

  • Guest object access
  • CRUD exposure
  • Public sharing
  • Field-level exposure

IAM Risks

  • Modify All Data exposure
  • Sensitive field exposure
  • Profile-object mapping

Apex

  • Hardcoded secrets
  • Without sharing
  • Taint flow vulnerabilities
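To illustrate the three Apex checks listed above, here is a minimal pattern-plus-taint pass in Python. It is example code written for this page, not SFSEC's own scanner: the sample Apex classes and the regular expressions are constructed, and the taint rule (method parameters are sources, String assignments propagate, Database.query on a tainted variable is the sink) is a simplified stand-in for whatever SFSEC actually implements.

```python
import re

# Constructed sample Apex (not from the SFSEC project): one class that should
# trip all three Apex checks, and one hardened class that should trip none.
VULN_APEX = """\
public without sharing class AccountSearch {
    private static final String API_KEY = 'sk_live_1234567890abcdef';
    public static List<Account> find(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \\'' + name + '\\'';
        return Database.query(q);
    }
}
"""
SAFE_APEX = """\
public with sharing class AccountSearch {
    public static List<Account> find(String name) {
        return [SELECT Id FROM Account WHERE Name = :name];
    }
}
"""

# Pattern checks: hardcoded credential literals and classes that bypass sharing rules.
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*=\s*'[^']{8,}'")
WITHOUT_SHARING_RE = re.compile(r"\bwithout\s+sharing\s+class\s+(\w+)")
# Taint pass: method parameters are sources, String assignments propagate taint,
# and Database.query(var) on a dynamically built string is the sink (SOQL injection).
METHOD_RE = re.compile(r"\b(?:public|private|global|protected)\b[^;{(]*\(([^)]*)\)\s*\{")
ASSIGN_RE = re.compile(r"\bString\s+(\w+)\s*=\s*(.+);")
SINK_RE = re.compile(r"Database\.query\(\s*(\w+)\s*\)")

def scan_apex(src):
    """Return findings as dicts with keys 'check', 'line' and 'detail'."""
    findings, tainted = [], set()
    for lineno, line in enumerate(src.splitlines(), 1):
        if m := WITHOUT_SHARING_RE.search(line):
            findings.append({"check": "without_sharing", "line": lineno, "detail": m.group(1)})
        if m := SECRET_RE.search(line):
            findings.append({"check": "hardcoded_secret", "line": lineno, "detail": m.group(1)})
        if m := METHOD_RE.search(line):
            # every declared parameter is treated as attacker-controlled input
            for param in m.group(1).split(","):
                parts = param.split()
                if len(parts) == 2:
                    tainted.add(parts[1])
        elif m := ASSIGN_RE.search(line):
            var, expr = m.groups()
            if any(re.search(rf"\b{re.escape(t)}\b", expr) for t in tainted):
                tainted.add(var)
        if (m := SINK_RE.search(line)) and m.group(1) in tainted:
            findings.append({"check": "soql_injection", "line": lineno, "detail": m.group(1)})
    return findings
```

The hardened class uses `with sharing` and a bind variable (`:name`) in static SOQL, which is why no finding is raised for it.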

🛠 Troubleshooting

❌ ModuleNotFoundError: sfsec

Run from project root:

python -m sfsec.cli scan ...

❌ Encoding Errors (Windows)

SFSEC uses UTF-8. If issues occur:

chcp 65001

❌ Scan Fails in VS Code

  • Ensure Python is in PATH
  • Try replacing python with py in extension

🔐 Security Notes

  • Credentials are stored securely using VS Code Secret Storage
  • No data is sent externally except configured email delivery
  • Runs entirely on your local machine

📈 Roadmap

  • VS Code embedded dashboard
  • Auto scan on file save
  • Risk scoring system
  • AppExchange integration
  • Multi-org scanning

📄 License

This project is proprietary software. Unauthorized use, reproduction, or distribution is prohibited.


👨‍💻 Author

Abhishek Pandey


⭐ Support

If you find this useful:

  • Star the repo
  • Share feedback
  • Report issues
