lightning-flow-scanner

v6.6.4

A Salesforce CLI plugin for analysis and optimization of Salesforce Flow. Scans metadata for 20+ issues such as hardcoded IDs, unsafe contexts, inefficient SOQL/DML operations, recursion risks, and missing fault handling. Supports auto-fixes, rule configu


Usage

Lightning Flow Scanner CLI is plug-and-play. Just open any Salesforce project and run:

sf flow:scan

All default rules are applied automatically.

sf flow:scan # scan flows in current directory
sf flow:fix -d src/force-app # fix flows in force-app directory
sf flow:scan --sarif > report.sarif # get results as SARIF file

| Flag        | Alias | Description                 | Example                         |
|-------------|-------|-----------------------------|---------------------------------|
| --config    | -c    | Path to config file         | -c .flow-scanner.yml            |
| --directory | -d    | Directory to scan           | -d force-app                    |
| --files     | -p    | Specific flow files         | -p "flows/MyFlow.flow-meta.xml" |
| --csv       | -v    | CSV output                  | --csv > violations.csv          |
| --sarif     | -s    | SARIF output (GitHub, etc.) | --sarif > report.sarif          |
| --json      |       | Pretty JSON output          | --json                          |
| --threshold | -t    | Fail on error/warn          | --threshold error               |
| --betamode  | -z    | Enable beta rules           | --betamode                      |
| --loglevel  |       | Logging level               | --loglevel debug                |
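A SARIF report can be post-processed to fail a build only on the rules a team treats as security-relevant. The following is an added example, not code from the Lightning Flow Scanner project: it walks the standard SARIF 2.1.0 runs/results structure, and it assumes that each result's ruleId is the rule name listed in this README; the blocking rule set and the sample report are constructed for illustration.

```javascript
// Added example: CI gate over a SARIF 2.1.0 report such as report.sarif.
// Assumption: each result's ruleId is the rule name from the README
// (e.g. "UnsafeRunningContext"); check this against your own report.
const BLOCKING_RULES = new Set(['UnsafeRunningContext', 'GetRecordAllFields', 'HardcodedId']);
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Flatten every run's results and mark those that should fail the build.
function gateSarif(sarif, minLevel = 'warning') {
  const findings = [];
  for (const run of sarif.runs ?? []) {
    for (const r of run.results ?? []) {
      const level = r.level ?? 'warning'; // a missing level is treated as warning here
      const loc = r.locations?.[0]?.physicalLocation;
      findings.push({
        ruleId: r.ruleId ?? '(none)',
        level,
        file: loc?.artifactLocation?.uri ?? '(unknown)',
        line: loc?.region?.startLine ?? null,
        blocking: BLOCKING_RULES.has(r.ruleId) &&
          (LEVEL_RANK[level] ?? 0) >= LEVEL_RANK[minLevel],
      });
    }
  }
  const byRule = {};
  for (const f of findings) byRule[f.ruleId] = (byRule[f.ruleId] ?? 0) + 1;
  return { findings, byRule, blocked: findings.some((f) => f.blocking) };
}

// Constructed sample report, not real scanner output.
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner' } },
    results: [
      { ruleId: 'UnsafeRunningContext', level: 'error', message: { text: 'constructed' },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: 'flows/MyFlow.flow-meta.xml' }, region: { startLine: 12 } } }] },
      { ruleId: 'UnusedVariable', level: 'note', message: { text: 'constructed' } },
      { ruleId: 'HardcodedId', level: 'note', message: { text: 'constructed' } },
    ],
  }],
};

const gate = gateSarif(SAMPLE_SARIF);
for (const f of gate.findings.filter((x) => x.blocking)) {
  console.log(`BLOCKING ${f.ruleId} [${f.level}] ${f.file}:${f.line}`);
}
```

To use it on a real report, pass the parsed contents of report.sarif to gateSarif and exit non-zero when blocked is true.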

Privacy: Zero user data collected. All processing is client-side. → See our Security Policy.


Default Rules

Want to code a new rule? → See How to Write a Rule

Action Calls In Loop

ActionCallsInLoop - To prevent exceeding Apex governor limits, it is advisable to consolidate and bulkify your Apex calls, utilizing a single action call containing a collection variable at the end of the loop.

Outdated API Version

APIVersion - Introducing newer API components may lead to unexpected issues with older versions of Flows, as they might not align with the underlying mechanics. Starting from API version 50.0, the Api Version attribute has been readily available on the Flow Object. To ensure smooth operation and reduce discrepancies between API versions, it is strongly advised to regularly update and maintain them.

Auto Layout

AutoLayout - With Canvas Mode set to Auto‑Layout, elements are spaced, connected, and aligned automatically, keeping your Flow neatly organized—saving you time.

Copy API Name

CopyAPIName - Maintaining multiple elements with a similar name, like Copy_X_Of_Element, can diminish the overall readability of your Flow. When copying and pasting these elements, remember to update the API name of the newly created copy.

Cyclomatic Complexity

CyclomaticComplexity - The number of loops and decision rules, plus the number of decisions. Use a combination of 1) subflows and 2) breaking flows into multiple concise trigger‑ordered flows to reduce cyclomatic complexity within a single flow, ensuring maintainability and simplicity.

DML Statement In A Loop

DMLStatementInLoop - To prevent exceeding Apex governor limits, consolidate all your database operations—record creation, updates, or deletions—at the conclusion of the flow.

Duplicate DML Operation

DuplicateDMLOperation - When a flow executes database changes or actions between two screens, prevent users from navigating backward between screens; otherwise, duplicate database operations may be performed.

Flow Naming Convention

FlowName - The readability of a flow is paramount. Establishing a naming convention significantly enhances findability, searchability, and overall consistency. Include at least a domain and a brief description of the flow’s actions, for example Service_OrderFulfillment.

Get Record All Fields

GetRecordAllFields - Following the principle of least privilege (PoLP), avoid using Get Records with “Automatically store all fields” unless necessary.

Hardcoded Id

HardcodedId - Avoid hard‑coding IDs because they are org specific. Instead, pass them into variables at the start of the flow—via merge‑field URL parameters or a Get Records element.

Hardcoded Url

HardcodedUrl - Avoid hard‑coding URLs because they are environment specific. Use an $API formula (preferred) or environment‑specific sources like custom labels, metadata, or settings.

Inactive Flow

InactiveFlow - Like cleaning out your closet: deleting unused flows is essential. Inactive flows can still cause trouble—such as accidentally deleting records during testing, or being activated as subflows.

Missing Fault Path

MissingFaultPath - A flow may fail to execute an operation as intended. By default, the flow displays an error to the user and emails the creator. Customize this behavior by incorporating a Fault Path.

Missing Flow Description

FlowDescription - Descriptions play a vital role in documentation. We highly recommend including details about where flows are used and their intended purpose.

Missing Metadata Description

MissingMetadataDescription - Flags Flow elements (Get Records, Assignments, Decisions, Actions, etc.) and metadata components (Variables, Formulas, Constants, Text Templates) that lack a description. Adding concise descriptions greatly improves readability and maintainability, and helps AI tools understand your automation intent.

Missing Null Handler

MissingNullHandler - When a Get Records operation finds no data, it returns null. Validate data by using a Decision element to check for a non‑null result.

Process Builder

ProcessBuilder - Salesforce is transitioning away from Workflow Rules and Process Builder in favor of Flow. Begin migrating your organization’s automation to Flow.

Recursive After Update

RecursiveAfterUpdate - After‑update flows are meant for modifying other records. Using them on the same record can cause recursion. Consider before‑save flows for same‑record updates.

Same Record Field Updates

SameRecordFieldUpdates - Similar to triggers, before‑save contexts can update the same record via $Record without invoking DML.

SOQL Query In A Loop

SOQLQueryInLoop - To prevent exceeding Apex governor limits, consolidate all SOQL queries at the end of the flow.

Trigger Order

TriggerOrder - Guarantee your flow execution order with the Trigger Order property introduced in Spring ’22.

Unconnected Element

UnconnectedElement - Avoid unconnected elements that are not used by the flow to keep flows efficient and maintainable.

Unsafe Running Context

UnsafeRunningContext - This flow is configured to run in System Mode without Sharing, granting all users permission to view and edit all data. This can lead to unsafe data access.

Unused Variable

UnusedVariable - To maintain efficiency and manageability, avoid including variables that are never referenced.


Configuration

It is recommended to configure and define:

  • The rules to be executed.
  • The severity of violating any specific rule.
  • Rule properties such as REGEX expressions.
  • Any known exceptions that should be ignored during scanning.

{
  "rules": {
    // Your rules here
  },
  "exceptions": {
    // Your exceptions here
  }
}

Most Lightning Flow Scanner distributions automatically resolve configurations from .flow-scanner.yml, .flow-scanner.json, or package.json → flowScanner.

Using the rules section of your configurations, you can specify the list of rules to be run. Furthermore, you can define the severity and configure expressions of rules. Below is a breakdown of the available attributes of rule configuration:

{
  "rules": {
    "<RuleName>": {
      "severity": "<Severity>",
      "expression": "<Expression>"
    }
  }
}

Defining Severity Levels

When the severity is not provided it will be warning by default. Other available values for severity are error and note. Define the severity per rule as shown below:

{
  "rules": {
    "FlowDescription": {
      "severity": "error"
    },
    "UnusedVariable": {
      "severity": "note"
    }
  }
}

Configuring Expressions

Some rules have additional attributes to configure, such as the expression, that will overwrite default values. These can be configured in the same way as severity as shown in the following example.

{
  "rules": {
    "APIVersion": {
      "severity": "error",
      "expression": "===58" // comparison operator
    },
    "FlowName": {
      "severity": "note",
      "expression": "[A-Za-z0-9]" // regular expression
    }
  }
}

Specifying Exceptions

Specifying exceptions allows you to exclude specific scenarios from rule enforcement. Exceptions can be specified at the flow, rule, or result level to provide fine-grained control. Below is a breakdown of the available attributes of exception configuration:

{
  "exceptions": {
    "<FlowName>": {
      "<RuleName>": [
        // Suppress a specific result:
        "<ResultName>",
        // Suppress ALL results of rule:
        "*",
        ...
      ]
    },
    ...
  }
}

Example

{
  "exceptions": {
    "MyFlow": {
      "MissingNullHandler": ["*"],
      "HardcodedId": ["Old_Lookup_1"]
    }
  }
}
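Because severity settings and exceptions decide which findings surface, a configuration change deserves the same review as a code change. The following is an added example, not part of the Lightning Flow Scanner project: it reads a configuration in the format shown above and reports where a security-relevant rule is left out of a non-empty rules section, set to note, or suppressed by an exception. Which rules count as security-relevant is an assumption of this example, and the sample configuration is constructed.

```javascript
// Added example: review a scanner configuration for settings that weaken
// coverage of security-relevant rules before it is merged.
// Assumption: which rules count as security-relevant is this example's choice.
const SECURITY_RULES = ['UnsafeRunningContext', 'GetRecordAllFields'];

function auditConfig(config) {
  const issues = [];
  const rules = config.rules ?? {};
  const exceptions = config.exceptions ?? {};
  const hasRuleList = Object.keys(rules).length > 0;

  for (const rule of SECURITY_RULES) {
    // The rules section specifies the list of rules to run, so a non-empty
    // section that omits a rule is reported for review.
    if (hasRuleList && !(rule in rules)) {
      issues.push({ kind: 'not-listed', rule });
    } else if (rules[rule]?.severity === 'note') {
      issues.push({ kind: 'downgraded-to-note', rule });
    }
    for (const [flow, byRule] of Object.entries(exceptions)) {
      const names = byRule[rule] ?? [];
      if (names.includes('*')) {
        // "*" suppresses ALL results of the rule for this flow.
        issues.push({ kind: 'wildcard-exception', rule, flow });
      } else if (names.length > 0) {
        issues.push({ kind: 'named-exception', rule, flow, results: names });
      }
    }
  }
  return issues;
}

// Constructed configuration in the format shown above.
const SAMPLE_CONFIG = {
  rules: {
    FlowDescription: { severity: 'error' },
    GetRecordAllFields: { severity: 'note' },
  },
  exceptions: {
    MyFlow: { UnsafeRunningContext: ['*'], HardcodedId: ['Old_Lookup_1'] },
    Legacy_Flow: { GetRecordAllFields: ['Get_Account'] },
  },
};

const configIssues = auditConfig(SAMPLE_CONFIG);
for (const i of configIssues) console.log(JSON.stringify(i));
```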

Report Detail Level

Control the verbosity of violation reports via detailLevel. By default (enriched), outputs include element or flow-level details like variable data types, node connectors/locations, or attribute expressions for comprehensive reports. Set to simple for lighter output with only line and column numbers.

{
  "rules": {
    ...
  },
  "exceptions": {
    ...
  },
  "detailLevel": "simple"
}

Include Beta Rules

New rules are introduced in Beta mode before being added to the default ruleset. To include current Beta rules, enable the optional betaMode parameter in your configuration:

{
  "rules": {
    ...
  },
  "exceptions": {
    ...
  },
  "betaMode": true
}

Installation

sf plugins install lightning-flow-scanner

OR

npm install -g lightning-flow-scanner

Development

This project optionally uses Volta to guarantee the exact same Node.js and tool versions for every contributor. Install Volta with:

macOS/Linux:

curl https://get.volta.sh | bash

Windows:

winget install Volta.Volta 

Volta will automatically install and lock the tool versions defined in package.json.

  1. Clone the repository:

    git clone https://github.com/Flow-Scanner/lightning-flow-scanner.git

  2. Install dependencies:

    pnpm install

  3. Compile:

    pnpm run build:cli

  4. Run tests:

    pnpm test:cli

  5. Linking the Salesforce CLI module locally (optional):

    To link the module, run:

    cd packages/cli
    sf plugins link .