npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

connected-app-monitor

v1.0.0

Published

This plugin is used to fetch details for the connected apps of an org.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

manjunath.smanjunath.s

Keywords

forcesalesforcesalesforcedxsfsf-pluginsfdxsfdx-plugin

Readme

Connected App Monitor

NPM Downloads/week License

A Salesforce CLI plugin for monitoring and analyzing Connected App configurations, OAuth policies, security settings, and generating comprehensive security checklists.

Features

  • Connected App Discovery: List all Connected Apps in your Salesforce org
  • Security Analysis: Comprehensive security checklist with 20+ security checkpoints
  • OAuth Configuration Review: Analyze OAuth settings, scopes, and callback URLs
  • CSV Export: Export security analysis to CSV format for spreadsheet analysis
  • Metadata API Integration: Retrieves detailed Connected App metadata for thorough analysis

Install

sf plugins install [email protected]

Quick Start

  1. List all Connected Apps in your org:

    sf monitor conn-app --targetorg myorg

  2. Generate security checklist for a specific app:

    sf monitor conn-app --targetorg myorg --name "My App" --checklist

  3. Export all apps to CSV for security review:

    sf monitor conn-app --targetorg myorg --all

Security Checklist

The plugin generates a comprehensive security checklist covering:

OAuth and OpenID Connect Settings

  • ✅ Callback URL uses HTTPS
  • ✅ Callback URL is specific (no wildcards)
  • ✅ Digital signatures enabled
  • ✅ Require Proof Key (PKCE) enabled
  • ✅ Require Secret for Web Server Flow
  • ✅ Require Secret for Refresh Token Flow
  • ✅ Introspect All Tokens enabled
  • ⚠️ Configure ID Token (only if OpenID needed)
  • ⚠️ Enable Asset Tokens (avoid unless required)

API Access (OAuth Scopes)

  • ✅ Minimum required scopes only
  • ⚠️ refresh_token/offline_access (only if needed)
  • ❌ Avoid 'full' scope
  • ⚠️ OpenID scope (only if identity verification)
  • ⚠️ Web scope (only if session access needed)

Session Policies

  • ✅ IP restrictions locked to origin
  • ✅ Refresh token policy restrictive
  • ✅ Session timeout ≤ 2 hours
  • ✅ Enforce login IP ranges
  • ✅ High Assurance session (for sensitive data)

Access Control and Authorization

  • ✅ Admin approved users are pre-authorized
  • ✅ Access via Permission Sets (not Profiles)
  • ✅ User Provisioning disabled (unless required)

CSV Export Format

When using the --all flag, the plugin generates a CSV file (ConnectedApp-Review.csv) with:

  • Column 0: Connected App Name
  • Columns 1-2: Basic app information (ID, Contact Email)
  • Columns 3-25: Security checklist questions with Yes/No/Review answers
  • Columns 26-29: Security summary (Critical Issues, Warnings, Good Practices, Overall Status)

Development

Prerequisites

  • Node.js (v18 or later)
  • Yarn package manager
  • Salesforce CLI

Build

To build the plugin locally, make sure to have yarn installed and run the following commands:

# Clone the repository
git clone [email protected]:salesforcecli/connected-app-monitor

# Install the dependencies and compile
yarn && yarn build

To use your plugin, run using the local ./bin/dev or ./bin/dev.cmd file.

# Run using local run file.
./bin/dev monitor conn-app --target-org myorg

There should be no differences when running via the Salesforce CLI or using the local run file. However, it can be useful to link the plugin to do some additional testing or run your commands from anywhere on your machine.

# Link your plugin to the sf cli
sf plugins link .
# To verify
sf plugins

Testing

# Run unit tests
yarn test

# Run integration tests
yarn test:nuts

Contributing

  1. Please read our Code of Conduct
  2. Create a new issue before starting your project so that we can keep track of what you are trying to add/fix. That way, we can also offer suggestions or let you know if there is already an effort in progress.
  3. Fork this repository.
  4. Build the plugin locally
  5. Create a topic branch in your fork. Note, this step is recommended but technically not required if contributing using a fork.
  6. Edit the code in your fork.
  7. Write appropriate tests for your changes. Try to achieve at least 95% code coverage on any new code. No pull request will be accepted without unit tests.
  8. Sign CLA (see CLA below).
  9. Send us a pull request when you are done. We'll review your code, suggest any needed changes, and merge it in.

CLA

External contributors will be required to sign a Contributor's License Agreement. You can do so by going to https://cla.salesforce.com/sign-cla.

Commands

sf monitor conn-app

Monitor and analyze Connected App configurations, OAuth policies, and security settings.

USAGE
  $ sf monitor conn-app [--json] [--flags-dir <value>] [-o <value>] [-n <value>] [--checklist] [--all]

FLAGS
  -n, --name=<value>        [default: All Connected Apps] Name of the Connected App to monitor
  -o, --target-org=<value>  Username or alias of the target org. Not required if the "target-org" configuration variable is already set.
      --all                 Export all Connected Apps to CSV format for security review
      --checklist           Display security checklist for the Connected App(s)

GLOBAL FLAGS
  --flags-dir=<value>  Import flag values from a directory.
  --json               Format output as json.

DESCRIPTION
  Monitor and analyze Connected App configurations, OAuth policies, and security settings.

  This command helps you analyze Connected App security configurations including OAuth settings,
  callback URLs, API scopes, session policies, and access controls. It can generate comprehensive
  security checklists and export results to CSV format for security reviews.

EXAMPLES
  List all Connected Apps in the target org:

    $ sf monitor conn-app --target-org myorg

  Display security checklist for a specific Connected App:

    $ sf monitor conn-app --target-org myorg --name "My Connected App" --checklist

  Export all Connected Apps to CSV for security review:

    $ sf monitor conn-app --target-org myorg --all

  Generate security analysis for all apps with checklist display:

    $ sf monitor conn-app --target-org myorg --checklist