Detect unsafe contexts, queries in loops, hardcoded IDs, and more to optimize Salesforce Flows.
Lightning Flow Scanner Action integrates Flow Scanner into your GitHub CI/CD pipeline. Add a `.github/workflows/scan-flows.yml` workflow to automatically detect 20+ critical issues in your flows (hardcoded IDs, unsafe contexts, inefficient SOQL/DML, recursion risks, missing fault handling) directly in pull requests. Example:

```yaml
name: Scan Flows

on:
  pull_request:
    branches: [ main ]

jobs:
  scan-flows:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # Read flow files
      security-events: write  # Upload SARIF to Code Scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Flow Scanner
        id: flowscan          # referenced below as steps.flowscan
        uses: Flow-Scanner/[email protected]
        with:
          outputMode: sarif   # optional (default)

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.flowscan.outputs.sarifPath }}
```

To set up the action you must also:
- Create a secrets file (this is the file `act --secret-file .secrets` reads when you test the workflow locally; on GitHub-hosted runs the token is supplied automatically):
  - Add a secrets file at the repository root (`.secrets` is recommended). It holds a live credential, so keep it out of version control, for example by listing it in `.gitignore`.
  - Include the following key-value pair: `GITHUB_TOKEN=<personal-access-token>`. Replace `<personal-access-token>` with a valid GitHub Personal Access Token (PAT) with the appropriate permissions (`repo` and `workflow` scopes).
- Configure repository permissions:
  - Navigate to Repository Settings > Actions > General.
  - Under Workflow permissions, select "Read and write permissions".
  - A job-level `permissions:` block, as in the example above, overrides this default for that job, so the scan job itself still runs with only the scopes it declares (`contents: read`, `security-events: write`).
Privacy: Zero user data collected. All processing is client-side. → See our Security Policy.
Trigger Flow Scanner on-demand to scan all flows in the repo.

```yaml
on: workflow_dispatch
```

- Navigate to the "Actions" tab of your GitHub repository.
- Click on "Run Flow Scanner" in the list of available workflows.
- Press the "Run workflow" button to trigger the action.
Scan only changed flow files when a PR is opened or updated.

```yaml
on:
  pull_request:
    branches: [ main ]
```

In Settings → Actions → General, ensure "Allow GitHub Actions to create and approve pull requests" is checked.
Scan all flows on every push to selected branches.

```yaml
on:
  push:
    branches: [ main ]
```

This triggers Flow Scanner every time a change is pushed to one of the listed branches; provide the list of branch names under `branches`.
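The three triggers above can live in a single workflow. The following is an added example, not a workflow shipped by the project: `workflow_dispatch` keeps the full on-demand scan available, the `pull_request` and `push` triggers are narrowed with a `paths` filter so the job only runs when Salesforce flow metadata (`*.flow-meta.xml` in source format, `*.flow` in metadata format) changes, the workflow-level `permissions: {}` removes every default token scope, and the job re-declares only the two scopes it needs. The action path and `<release-tag>` in the `uses:` line are placeholders for the action and pinned release you use, not values taken from this page.

```yaml
name: Scan Flows

on:
  # Full scan of every flow, started from the Actions tab
  workflow_dispatch:
  # Scan when flow metadata changes in a PR targeting main
  pull_request:
    branches: [ main ]
    paths:
      - '**/*.flow-meta.xml'
      - '**/*.flow'
  # Scan on every push of flow metadata to main
  push:
    branches: [ main ]
    paths:
      - '**/*.flow-meta.xml'
      - '**/*.flow'

# No default GITHUB_TOKEN scopes for any job; each job declares what it needs
permissions: {}

jobs:
  scan-flows:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the flow files
      security-events: write  # upload SARIF to Code Scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Flow Scanner
        id: flowscan
        # Placeholder action path and tag (assumed, not from this page): pin to the release you use
        uses: Flow-Scanner/lightning-flow-scanner-action@<release-tag>
        with:
          outputMode: sarif

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.flowscan.outputs.sarifPath }}
```

One caveat with the `paths` filter: a pull request that touches no flow files produces no run at all, so if you make the scan a required status check on `main`, either drop the filter or add the matching no-op workflow GitHub recommends for filtered required checks.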
It is recommended to set up a `.flow-scanner.yml` and define:

- The rules to be executed.
- The severity of violating any specific rule.
- Rule properties such as REGEX expressions.
- Any known exceptions that should be ignored during scanning.

```yaml
rules:
  # Your rules here
exceptions:
  # Your exceptions here
betamode: false # Enable beta rules
```

Using the `rules` section of your configuration, you can specify the list of rules to be run. Furthermore, you can define the severity and configure expressions of rules. Below is a breakdown of the available attributes of a rule configuration:

```yaml
rules:
  <RuleName>:
    severity: <Severity>
    expression: <Expression>
```

Note: if you prefer JSON format, you can create a `.flow-scanner.json` file using the same structure. For more on configuration, review the scanner documentation.
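The skeleton above filled in for a typical repository. This is an added example, not a configuration shipped with the project: the rule names (`HardcodedId`, `UnsafeRunningContext`, `MissingFaultPath`, `SOQLQueryInLoop`, `DMLStatementInLoop`, `FlowName`, `APIVersion`), the severity levels (`error`, `warning`, `note`), the expression syntax and the flow/rule/element nesting under `exceptions` are assumed from the scanner's rule set rather than stated on this page, and the flow and element names are constructed. Check each against the scanner documentation for the version you pin.

```yaml
# .flow-scanner.yml (added example; rule names and exceptions layout are assumed, verify against the scanner docs)
rules:
  # Findings with a security or correctness impact fail the scan
  HardcodedId:
    severity: error       # record or profile IDs baked into a flow break across orgs
  UnsafeRunningContext:
    severity: error       # flow runs in system context and bypasses sharing
  MissingFaultPath:
    severity: error       # SOQL/DML element with no fault connector

  # Performance findings are reported but do not fail the scan
  SOQLQueryInLoop:
    severity: warning
  DMLStatementInLoop:
    severity: warning

  # Rules that take an expression: naming convention regex and minimum API version
  FlowName:
    severity: note
    expression: "[A-Za-z0-9]+_[A-Za-z0-9]+"   # e.g. Account_UpdateOwner
  APIVersion:
    severity: warning
    expression: ">58"

exceptions:
  # Suppress one reviewed finding: <FlowName> -> <RuleName> -> list of element names (constructed)
  Legacy_Account_Sync:
    HardcodedId:
      - Assign_Record_Type

betamode: false           # leave beta rules off in CI until they are stable
```

Keep `exceptions` as narrow as the layout allows (one flow, one rule, named elements) rather than disabling a rule repository-wide, so a new hardcoded ID or unsafe context in an unrelated flow still fails the scan.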
This project optionally uses Volta to manage Node.js versions. Install Volta with:

```bash
curl https://get.volta.sh | bash
```

Volta will automatically use the Node.js version defined in `package.json`.

To debug the action you need to:

- Install `ncc` for compilation. On macOS/Unix run:

```bash
npm i -g @vercel/ncc
```

- Install `act` to run the workflows locally:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
```

Both installers pipe a remotely fetched script into a shell, the `act` one as root; download and review the script first if your environment requires it.

- Compile a new version:

```bash
npm run build
```

- Test the workflows locally:

```bash
act workflow_dispatch --secret-file .secrets
```

Want to help improve Lightning Flow Scanner? See our Contributing Guidelines.
