vulkro-sf antipatterns
Runs the Salesforce Well-Architected anti-pattern catalog over the
provided path. These rules cover architecture quality (governor-limit
risk, hard-coded IDs, recursive triggers, batch context misuse) rather
than security. The output is intentionally separate from vulkro-sf scan so the security report does not get diluted with maintainability
findings, and so a consultancy team can run the anti-pattern pass on a
different cadence from the security pass.
Synopsis
vulkro-sf antipatterns [PATH] [flags]
PATH defaults to the current directory.
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --format <fmt> | enum | text | Output format: text, sarif, json, html, junit. |
| --output, -o <path> | path | stdout | Write the report to a file instead of stdout. |
| --min-confidence <level> | enum | medium | Floor for emitted findings: high, medium, low. |
| --rule <AP-NNN> | string (repeatable) | all | Run only the specified rule(s). Pass the flag multiple times to combine. |
| --exclude <AP-NNN> | string (repeatable) | none | Skip the specified rule(s). Useful when one rule is noisy in a given codebase. |
Rule list (AP-001 to AP-014)
| Rule | Title | What it flags |
|---|---|---|
| AP-001 | SOQL inside a loop | Any [SELECT ...] query inside a for / while body. Governor-limit risk. |
| AP-002 | DML inside a loop | insert / update / delete / upsert operations inside a loop body. |
| AP-003 | Hard-coded record ID | A 15- or 18-character Salesforce ID embedded as a literal in Apex, LWC, Aura, or Flow. |
| AP-004 | Trigger without bulk-safety | Trigger handlers that operate on Trigger.new[0] instead of iterating the full collection. |
| AP-005 | Recursive trigger pattern | A trigger that performs DML on the same sObject without a static recursion guard. |
| AP-006 | Empty catch block | try { ... } catch (Exception e) { } swallowing every error silently. |
| AP-007 | System.debug left in production code | Debug statements outside a Test.isRunningTest() guard. Performance and PII-leak risk. |
| AP-008 | Schema introspection in a loop | Schema.getGlobalDescribe() or getDescribe() called per iteration. |
| AP-009 | Asynchronous chaining without governor budgeting | Database.executeBatch or System.enqueueJob issued inside a batch class without a chain-depth guard. |
| AP-010 | Missing with sharing on a class that does DML | A non-test Apex class that issues DML and declares neither with sharing nor inherited sharing nor without sharing. |
| AP-011 | Hard-coded URL in Apex | A literal https:// URL inside an Apex string concatenation (use a Named Credential or Custom Metadata Type). |
| AP-012 | Stateless Visualforce controller pattern misuse | A controller declared extends PageReference or that holds large in-memory collections across requests. |
| AP-013 | Aura component with aura:method exposing system context | An Aura controller method that does sharing-bypass work without enforcement comments. |
| AP-014 | Flow with no fault path | A screen or auto-launched Flow that calls a subflow or Apex action without a fault connector. |
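To make the AP-001 and AP-003 rows concrete, here is an added example of how a simplified detector for those two rules can work. It is illustrative code written for this page, not vulkro-sf's own implementation, and it makes assumptions the catalog does not state: SOQL is recognised by an inline [SELECT ...] literal, loop bodies are tracked by brace depth with // comments stripped, 18-character IDs are accepted only when their 3-character case-checksum suffix matches the first 15 characters, and 15-character literals are accepted only when they start with a key prefix from a small illustrative table (001, 003, 005, 006, 00Q). The sample Apex class is constructed for the example.

```python
"""Simplified detectors for AP-001 (SOQL inside a loop) and AP-003 (hard-coded ID).

Added example for this page; not vulkro-sf's own rule engine.
"""
import re

# Constructed sample Apex class mixing acceptable patterns with both anti-patterns.
SAMPLE_APEX = """\
public with sharing class AccountService {
    // Constructed sample: both good and bad patterns for the detector.
    private static final Id FALLBACK_OWNER = '005D000000IRt53IAD';
    public void sync(List<Account> accounts) {
        for (Account a : [SELECT Id, Name FROM Account WHERE Id IN :accounts]) {
            a.Name = a.Name.trim();
        }
        for (Account a : accounts) {
            List<Contact> cs = [SELECT Id FROM Contact WHERE AccountId = :a.Id];
            if (cs.isEmpty()) { continue; }
        }
        String fifteen = '001D000000IRt53';
        String notAnId = 'abcdefghijklmno';
    }
}
"""

SOQL_RE = re.compile(r"\[\s*SELECT\b", re.IGNORECASE)      # inline SOQL literal
LOOP_RE = re.compile(r"\b(for|while)\s*\(")                 # loop header
ID_LITERAL_RE = re.compile(r"'([A-Za-z0-9]{18}|[A-Za-z0-9]{15})'")

# Assumption: an illustrative subset of Salesforce key prefixes, not a full table.
KEY_PREFIXES = {"001": "Account", "003": "Contact", "005": "User",
                "006": "Opportunity", "00Q": "Lead"}

# The 18-character form appends three checksum characters derived from the
# upper/lower case of each 5-character group of the 15-character ID.
CHECKSUM_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"


def sfid_checksum(id15: str) -> str:
    """Return the 3-character case-checksum suffix for a 15-character ID."""
    suffix = ""
    for chunk in (id15[0:5], id15[5:10], id15[10:15]):
        bits = 0
        for i, ch in enumerate(chunk):
            if ch.isupper():
                bits |= 1 << i            # bit i set when char i is upper case
        suffix += CHECKSUM_ALPHABET[bits]
    return suffix


def is_salesforce_id(literal: str) -> bool:
    """18-char: suffix must match the checksum; 15-char: known prefix only (assumption)."""
    if len(literal) == 18:
        return literal[15:] == sfid_checksum(literal[:15])
    return len(literal) == 15 and literal[:3] in KEY_PREFIXES


def find_hardcoded_ids(apex: str) -> list:
    """AP-003: quoted 15/18-character literals that look like record IDs."""
    findings = []
    for lineno, line in enumerate(apex.splitlines(), 1):
        for match in ID_LITERAL_RE.finditer(line):
            value = match.group(1)
            if is_salesforce_id(value):
                findings.append({"rule": "AP-003", "line": lineno, "value": value,
                                 "object": KEY_PREFIXES.get(value[:3], "unknown")})
    return findings


def find_soql_in_loops(apex: str) -> list:
    """AP-001: inline SOQL while at least one loop body is open.

    A query in the loop header itself (SOQL-for loop) is not flagged, because the
    check runs before the header's opening brace is counted.
    """
    findings = []
    depth = 0
    loop_depths = []          # brace depth at which each open loop body started
    pending_loop = False      # loop header seen, body brace not yet counted
    for lineno, line in enumerate(apex.splitlines(), 1):
        code = line.split("//", 1)[0]           # drop line comments (simplification)
        if LOOP_RE.search(code):
            pending_loop = True
        if loop_depths and SOQL_RE.search(code):
            findings.append({"rule": "AP-001", "line": lineno, "snippet": code.strip()})
        for ch in code:
            if ch == "{":
                depth += 1
                if pending_loop:
                    loop_depths.append(depth)
                    pending_loop = False
            elif ch == "}":
                if loop_depths and loop_depths[-1] == depth:
                    loop_depths.pop()
                depth -= 1
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_ids(SAMPLE_APEX) + find_soql_in_loops(SAMPLE_APEX):
        print(finding)
```

Run against the sample, the detector reports the 18-character User ID on line 3 and the 15-character Account ID on line 12 as AP-003, the Contact query on line 9 as AP-001, and leaves the SOQL-for loop on line 5 alone. The checksum test is what keeps a random 18-character token from being reported as an ID; the prefix table is the weaker heuristic and is the part a real rule would refine.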
Examples
# Full anti-pattern pass over an SFDX project.
vulkro-sf antipatterns .
# Narrow the run to two rules - useful in a tight CI lane.
vulkro-sf antipatterns . --rule AP-001 --rule AP-002
# Exclude one noisy rule (typical when a project intentionally uses
# fault-free Flows that are guarded by a wrapper).
vulkro-sf antipatterns . --exclude AP-014
# JSON for a dashboard ingestion.
vulkro-sf antipatterns . --format json -o antipatterns.json
Exit codes
- 0 - scan completed, no anti-patterns at or above --min-confidence.
- 1 - scan completed, anti-patterns were reported.
- 2 - error: bad arguments, IO failure, parse error, or internal crash.
Where to go next
- vulkro-sf scan - the security pipeline (a separate command on purpose).
- Output: anti-patterns report - the format reference for the text, html, and json output of this command.
- Well-Architected anti-patterns concept - the Salesforce framework these rules are drawn from.