Submit Your App for Security Review

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain when your product needs a security review.
  • List the materials you need to submit for a security review.
  • Explain how to begin the security review submission process.
  • Describe the security review submission process.

Know When You Need a Review

The security review process is critical, but it doesn’t have to be painful. We want to make it comfortable and familiar to you. We want it to be no big deal.

You know that your product needs to go through a security review before you launch it on AppExchange. But new threats appear every day. So the Salesforce Product Security team can ask for your product to be reviewed at any time, even after it’s been approved. Typically, AppExchange products are reviewed for security once a year.

Here’s the good news: You don’t have to go through a security review every time you release a new version of your product. Just follow the same submission process in this unit, and it is automatically reapproved.

Assemble Your Materials

What you provide to the Product Security team depends on your product’s architecture. The folks reviewing your product need everything a new customer needs to use it. After all, they are masquerading as attackers who have access to a running instance. So provide access to any environments, packages, and external components your app uses and include any documentation that comes with your product. Our testers like to see complete customer, admin, and user documentation. When you submit your app for review, make sure that you provide:

  • User navigation steps for the Salesforce org
  • Documentation of data flow between the Salesforce org and the composite site, mobile app, or chrome extension
  • A full list of features for the composite component
  • Valid requests and responses for any REST endpoint in the composite component, if present

The Product Security team also wants to know that you’ve done your homework. Include the reports you got from the scanners you ran on your product, along with explanations of any false positives.

Here’s a rundown of what the security team needs:

  Required Materials                       | AppCloud | AppCloud with Lightning components | App with external web app/service | App with native mobile client | API only
  -----------------------------------------|----------|------------------------------------|-----------------------------------|-------------------------------|---------
  Lightning Platform Developer Edition org | X        | X                                  | X                                 | X                             | X
  Logins, URLs for external components     |          |                                    | X                                 | X                             | X
  Managed package                          | X        | X                                  | X                                 | X                             | X
  Checkmarx report                         | X        | X                                  | X                                 | X                             | X
  Chimera/ZAP report                       |          |                                    | X                                 | X                             | X
  False positives document(s)              | X        | X                                  | X                                 | X                             | X
  Product documentation                    | X        | X                                  | X                                 | X                             | X

You must complete several steps before you submit your product for Security Review. To learn about each step, review our Trailblazer Checklist.

The key prerequisite to submitting your product for Security Review is getting the Salesforce stamp of approval for your business plan.

The business plan tab of the publish listing interface with a red circle around Salesforce Approval

When you’re ready to get started, follow the instructions in the Publish Your Solution on the AppExchange section of the ISVforce Guide.

Submit to the Wizard

The Salesforce Product Security team knows that they’re asking you for a lot. So they created the handy Security Review Wizard to help you submit everything.

Start the Review

Partner Community landing page with Publishing Console

Begin the security review submission process from the Publishing Console in the Partner Community.

  1. From the Publishing Console, click the Listings tab.
  2. Click your product listing.
  3. Click App. (Screenshot: App tab on Listings page)
  4. Under the name and version number for your package, click Start Review. A page appears for step 1 of the wizard, showing an overview of the security review and the items to prepare for it. Click Next when you’re ready to start entering information. (Screenshot: Wizard step 1 screen: preparation)

Provide Company Information

In steps 2 and 3 of the Security Review Wizard, tell the security team about your company.

  1. On the Step 2 screen, provide contact information for the person who the Salesforce security team can contact with questions. (Screenshot: Wizard step 2 screen: general information)
  2. Click Save & Next.
  3. On the Step 3 screen, check the top box if your company has a written security policy. Upload a copy of the policy, and provide information for your company’s point of contact.
  4. Check the bottom box if your company has any related security certifications, and include details on those certifications.
  5. Click Save & Next.

Wizard step 3 screen: policies and certifications

Define Application Components

In step 4 of the wizard, tell us about all the components and services in your app, and where they live.

  1. On the Step 4 screen, check the first box if your product uses any Lightning Platform components.
  2. Select Managed Packages, since we allow only managed packages on AppExchange. (Screenshot: Wizard step 4 screen: managed packages)
  3. In the Technologies Used section (1), check Apex and Visualforce if your product uses them. We no longer support S-Controls, so make sure that you aren’t using them. If you’ve used any APIs outside Salesforce with these technologies, list them in the text box. (Screenshot: Wizard step 4 screen: technologies used)
  4. In the next section (2), check the box if your product includes a mobile or desktop client. In the text box, list any external APIs that these clients use.
  5. In the next two sections, check the appropriate boxes if your product implements the Database.com API (3) or the Lightning Platform API (4).
  6. Below (5), check the box if your product includes one or more mobile web apps. List any APIs these apps use in the text box.
    • For iOS clients, provide a link to your App Store listing. If your app is not listed there, use TestFlight for iOS and send an invite to srops@salesforce.com.
    • For Android clients, provide a link to your Google Play listing. If you haven’t listed your app there, link to the necessary SDK files.
  7. In the next section (6), check the box if your product includes a web app or service. Check boxes next to any platforms and programming languages you’ve used, and list any credentials stored by your product. Indicate whether your product uses our single sign-on service. (Screenshot: Wizard step 4 screen: frameworks, languages, web apps, services)
  8. In the next two sections (7 and 8), check the boxes that indicate whether your product has any client or mobile apps. (Screenshot: Wizard step 4 screen: client and mobile apps)
  9. Click Save.

Provide Test Environments

In step 5 of the wizard, provide credentials for your Lightning Platform org and for any external components or services.

  1. Type in a username and password for your Lightning Platform production org. Make sure it’s a Developer Edition org with Locker Service enabled. Click Add. The form verifies this information by logging in to the org. (Screenshot: Wizard step 5 screen: test environments)
  2. Enter credentials and a URL for each web app or service your product uses, clicking Add to verify each one. For web apps, select the proper form of authentication from the picklist. (Screenshot: Wizard step 5 screen: test environment credentials)
  3. For each desktop client your product includes, enter a link to use for installation, along with any credentials, license files, and configuration data. Click Add after you’ve finished entering each one.
  4. For each of your product’s mobile apps, provide the platform, an installation file or link, and any other helpful information. Click Add after each one.

Upload Scanner Reports

You’re almost finished! In step 6 of the wizard, give the security team the reports generated by the scanners you ran on your product, along with any related documentation.

Wizard step 6 screen: reports

  1. In “Lightning Platform Security Code Scanner report” (1) attach the report you got from Checkmarx. Don’t check the box that says you ran the report—we’d prefer to see your clean bill of health. It gives us a warm and fuzzy feeling.
  2. If Checkmarx reported any false positives, attach a document explaining each one.
  3. If you are using external services, that means you used ZAP or Chimera to scan them. Provide any reports from these tools in “Other report or documentation” (2). Bundle the reports and related documents into an archive and upload it here. If ZAP reported no issues, we ask you to demonstrate that you’ve tested the correct external endpoint. Do this by including a screenshot of each tool scanning that endpoint.
  4. Click Save & Next.

Have Your Credit Card Ready

After a brief review in step 7, we ask you to pay for the security review in step 8 of the wizard. For every product you sell on AppExchange, we ask for a $2,700 setup fee. This pays for the review itself and your first $150 annual AppExchange fee. If your product is free, we waive the security review fee.

Finally, you need a distribution agreement with Salesforce. If you don’t have one yet, contact your Partner Account Manager before the review.

You’re All Set!

Congratulations—you made it! Take a deep breath, do some stretches. Maybe walk around a bit. If anything is missing from your submission, the security review team contacts you. Once everything is in place, you get an email confirming that your product is in line for a security review.

A product typically takes 6 to 8 weeks to get through the review process. When the Product Security team finishes, they send you a report listing any issues that they found. If they find nothing wrong, they approve your product. Woo-hoo!

If the team does find issues and you have questions, get help at our office hours. Our technical office hours are very popular. To receive the best technical guidance from our security experts, we recommend that you meet for an office hour after you submit your product for security review and a few weeks before the review is complete. A little extra help is likely all that you need to get your product approved.

What happens next? Continue on to find out.

Resources