How to choose your Salesforce static analysis tool

What is static code analysis?

Static code analysis tools can process application source code automatically, and help identify problems, security flaws, estimate technical debt, etc. Such tools process large amounts of code in a very scalable way and enforce checks systematically; for this reason, they can be instrumental to your technical debt management strategy.

How to choose the right tool

There is a wide range of static code analysis tools in the market, and finding the right solution may not be a straightforward task. Every tool has its own pros and cons and there are many considerations to be factored in before making a decision.

Popular Salesforce static code analysis tools include Clayton, Checkmarx CodeScan, and PMD, an open-source solution.

The following section summarises the most important criteria that every team should take into account when evaluating static code analysis tools.

Key questions to compare solutions

1. Language support

Why does it matter?

Your tool must adequately support the programming languages, paradigms and frameworks you use for development.

Key questions and considerations

  • Does it support all the relevant languages for your use case? (e.g. Apex, Visualforce, Aura)
  • Does it support the source format in use? (e.g. metadata, SFDX)
  • What artefacts does it scan?

2. Accuracy

Why does it matter?

The accuracy of your tool naturally determines the amount of noise your developers see. Inaccurate tools cause distractions and are more likely to be ignored by the developer.

Key questions and considerations

  • How accurate is the tool?
  • How common are false positives?
  • Is the tool capable of finding problems across multiple files?
  • Is the tool capable of traversing the flow of execution?
  • Is the tool capable of traversing nested calls?

3. Ruleset

Why does it matter?

The ruleset determines what checks can be performed automatically by your static code analysis tool.

Key questions and considerations

  • What types of checks does the tool perform?
  • How completely does the ruleset address your technical and security standards?
  • Are there any items in your technical and security standards that are not addressed by the ruleset?

4. Ease of customisation

Why does it matter?

In some circumstances, you might want to deviate from the standard rulesets, for example, to codify your own internal standards.

Key questions and considerations

  • Does the tool support custom rules?
  • How easy is it to create custom rules?
  • Once custom rules are created, how easy is it to roll them out?

5. Ease of setup

Why does it matter?

Ease of setup determines your time to value: the shorter the better.

Key questions and considerations

  • How easy is it to set up? What skills are involved?
  • How quickly can you set it up on your existing projects?
  • How quickly can you set it up on any new projects?

6. Ease of use

Why does it matter?

Tools that are used on a daily basis should be easy to use for developers and technical architects.

Key questions and considerations

  • How easy is it to launch a scan?
  • How easy is it to read a report?
  • Is the right information made available to the developers at the right time?
  • How easy is it to upgrade?

7. Workflow and integrations

Why does it matter?

Your tool must support your workflow well, have minimal overhead on your developers and provide an integrated, cohesive development experience.

Key questions and considerations

  • Can it be run continuously and automatically?
  • Does it fit well into your development workflow?
  • Does it integrate well with your version control?
  • Does it integrate well with your CI/CD tools?
  • Can developers omit/bypass/skip it?
  • Can exceptions be easily managed?
  • Can false positives be managed?

8. Pricing and cost

Why does it matter?

The pricing model must be right for you, reflect the value you are getting and grow appropriately as you scale.

Key questions and considerations

  • What’s the license model for the tool?
  • What is the ongoing maintenance cost (e.g. upgrades, security patches, etc.)?
  • Does the tool require additional software that is sold separately?
  • Is the cost reasonably aligned to the value you are getting?

About Clayton

What is Clayton

Clayton is the automated assistant that helps Salesforce teams spot security vulnerabilities, design flaws and code quality issues automatically before they become problems. We work with companies like Silverline, Deliveroo and Apttus, helping them gain total control over code quality, security, and technical debt.

What makes us different

Clayton is the first static application security testing (SAST) solution uniquely designed for Salesforce teams. It provides the most in-depth, accurate analysis of all types of Salesforce code and metadata. It’s 100% SaaS, so it’s easy to set up and runs entirely in your browser.

If you need more information or would like to try our free trial, please contact us at hello@clayton.io