How Checkmarx works

Here are your answers:

  1. Salesforce has a license to run Checkmarx scanners on premises in order to scan third-party code. The code never leaves Salesforce -- it is pulled from the organization in which your code resides to the Checkmarx instances running on our servers. We manage these instances, but it is a Checkmarx scanner engine underneath. Results are only sent to the email address on file for the username, and only a user with Author Apex permission in an org can scan the code for the org. Because of this, sometimes a scan can be held back if

    • your org disables API access (we use the Metadata API to pull code from your org)

    • your instance is down for service/upgrade (we will automatically retry in this case after a backoff)

    • your user account is new and has not been replicated to all instances

  2. As per our license with Checkmarx, you can scan 3 times per security review. There is not a time limit for this: If you submit 10 reviews per month (say you are a PDO), then you can scan up to 30 times. If you are not scanning for a security review, you can scan 30,000 lines of code per month.

  3. We currently impose additional throttling requirements: no business (checked by result email domain) can have more than one job in the queue at a time. You cannot scan more than 500,000 lines of code per job. These requirements are not contractual in basis but are to maximize scanner throughput and reduce wait times for most customers. As a result, these requirements are subject to change as we add more capacity or as scanner demand changes.

If you have issues, please file a support case. Please do not send scanner questions to [email protected] or to any mailing list.


They don't explicitly state what format they run the scanner in, but I would be very surprised if Salesforce didn't have their own Checkmarx server on their internal network that does the scanning. In other words, it's very likely to be a server under Salesforce's control, but running the Checkmarx application on it.

If you're really worried about where the code is sent, you can ask them; they've responded to me on Twitter before via the @SecureCloudDev account, and they also have an office hours program available for Q&A.

Per their help, the only rate limits are:

no more than 3 scans per security review and no more than 30,000 lines of code scanned per month

This seems rather odd to me, and is likely unenforced, especially since you can submit scans not related to a specific security review, and there's a previously listed limit of 500k lines of code per org. As you're unable to specify components to be scanned, I don't see any logical way to reconcile these points. I've never hit this limit in practice.

Take a look at that help document for other considerations, but there's one I'll add: the larger your codebase, the longer it takes to scan, and the effort increases non-linearly: a 20k-line scan is much more than twice as fast as a 40k-line scan.

If you're undergoing security review I'd kick off a scan now, before you even start the review. No reason not to!