
Static Flow Analysis: How to Run Static Code Analysis for Flows

By Alec Dorner

In the Salesforce ecosystem, Flow is the unavoidable juggernaut in “clicks-not-code” automation. Every time release notes come out, the Flow Builder section is always one of the most extensive and exciting, especially as Salesforce continues to release new features for Flow including HTTP callouts, custom error messages, and more.

The fact that Flow is declarative opens up so much possibility to organizations to automate complex business processes without the need to write code, but its declarative nature can lead to users using it who may not fully understand the complexities that surround it. This is where code review or a static code analysis tool like PMD or SonarQube could help. However, it takes a lot of clicks to thoroughly code review a flow, and a traditional static code analysis tool can’t be run on your flows. Thankfully, there is a budding ecosystem for what I’ve been calling “static flow analysis”, and this article will speak to the tools available and why you should use one or multiple.

Why Run Static Flow Analysis?

Flows are Powerful… and Sometimes Scary

Raise your hand if you’ve been personally victimized by a poorly-built flow. As I mentioned previously, flows are becoming more and more powerful with every release, and we all remember that great Spider-Man quote from Uncle Ben, “with great power comes great ability to wreak havoc in a multi-tenant software environment”. Or at least I think that’s how it goes… But you get the drift.

Flows have the capability to do a lot for a business, but they also have the capability to make it impossible to save a record if they are built incorrectly. Governor limits are a concept that is oftentimes not taught to folks when they are first learning flows, so they are simply not aware that what they are building is going to cause issues. Because of this, it’s easy to fall into the trap of DML updates inside a loop or throwing in hard-coded IDs. For this reason, scanning your flows is imperative to help you learn flow best practices not just conceptually, but in your own work.

Make Code Reviews More Thorough and Efficient

Let’s be honest: flows can be a bear to code review. To do a thorough review, searching every nook and cranny for a hard-coded ID for instance, takes a lot of clicks and a lot of time. This leads to code reviews of flows typically being less thorough, which can lead to some poor practices sneaking into your production org. Having a tool that can scan Flow metadata and surface any best practices issues helps you focus on reviewing that the flow actually does what it’s supposed to do.
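To make concrete what a scanner actually looks for in Flow metadata, here is an added example (not code from the Lightning Flow Scanner, the Flow Analyzer, or the author) that implements two of the checks discussed above against a constructed, simplified Flow XML: DML inside a loop, found by walking connectors from the loop’s next-value path until the loop or its exit path is reached, and hard-coded record IDs, found as literal string values matching the 15- or 18-character ID shape. The element and connector names follow the Flow metadata format; the sample flow, its element names and the ID value are constructed, and fault connectors and subflows are not special-cased.

```python
import re
import xml.etree.ElementTree as ET

M = "{http://soap.sforce.com/2006/04/metadata}"  # Flow metadata namespace
DML_TAGS = {"recordCreates", "recordUpdates", "recordDeletes", "recordLookups"}
ID_RE = re.compile(r"^[a-zA-Z0-9]{15}(?:[A-Z0-5]{3})?$")  # 15- or 18-char record ID

# Constructed sample flow (not from any real org): the loop body runs a record
# update on every iteration, and an assignment carries a hard-coded Account ID.
SAMPLE_FLOW = """<Flow xmlns="http://soap.sforce.com/2006/04/metadata">
  <loops><name>Loop_Contacts</name>
    <nextValueConnector><targetReference>Update_Contact</targetReference></nextValueConnector>
    <noMoreValuesConnector><targetReference>Set_Account</targetReference></noMoreValuesConnector></loops>
  <recordUpdates><name>Update_Contact</name>
    <connector><targetReference>Loop_Contacts</targetReference></connector></recordUpdates>
  <assignments><name>Set_Account</name><assignmentItems><assignToReference>acctId</assignToReference>
    <value><stringValue>001000000000001AAA</stringValue></value></assignmentItems></assignments>
</Flow>"""

def elements(xml_text):
    """Map every named flow element (loops, DML, assignments, ...) to its XML node."""
    return {c.findtext(M + "name"): c for c in ET.fromstring(xml_text) if c.find(M + "name") is not None}

def dml_in_loops(elems):
    """Follow connectors from each loop's next-value path; DML reached before the loop or its exit is a hit."""
    hits = []
    for name, el in elems.items():
        if el.tag != M + "loops":
            continue
        start = el.findtext(f"{M}nextValueConnector/{M}targetReference")
        stop = {name, el.findtext(f"{M}noMoreValuesConnector/{M}targetReference")}
        stack, seen = [start], set()
        while stack:
            cur = stack.pop()
            if cur in stop or cur in seen or cur not in elems:
                continue
            seen.add(cur)
            if elems[cur].tag[len(M):] in DML_TAGS:
                hits.append((name, cur))
            stack += [t.text for t in elems[cur].iter(M + "targetReference")]
    return hits

def hard_coded_ids(elems):
    """Flag any literal string value in any element that looks like a Salesforce record ID."""
    return [(name, sv.text.strip()) for name, el in elems.items()
            for sv in el.iter(M + "stringValue") if sv.text and ID_RE.match(sv.text.strip())]

def scan(xml_text):
    elems = elements(xml_text)
    return {"dml_in_loop": dml_in_loops(elems), "hard_coded_id": hard_coded_ids(elems)}
```

Running scan(SAMPLE_FLOW) reports the update inside Loop_Contacts and the ID literal in Set_Account; pointing it at a retrieved .flow-meta.xml file is just a matter of reading that file into xml_text.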

How to Run Static Flow Analysis

There are two tools that I am aware of for running static analysis on flows: the Lightning Flow Scanner and the Flow Analyzer, both of which are discussed below.

Now, I want to be perfectly transparent in this section that I am the creator of one of the tools that will be discussed in this article, the Flow Analyzer. I have collaborated with the creator of the Lightning Flow Scanner, Ruben Halman, and we both agree that there is no competition here. We are both interested in the betterment of the Flow ecosystem, which is why both tools are completely free. I strongly suggest that you evaluate both tools for yourself and decide which, if not both, tools your organization should use.

Lightning Flow Scanner

Let’s start with the Lightning Flow Scanner.

What Is It?

The Lightning Flow Scanner, primarily developed and maintained by Ruben Halman, was the first application to enter this space of static flow analysis to my knowledge. In delivery mechanism, this app takes the traditional approach of many static code analysis tools, running against local flow XML files, and was developed as a VS Code extension and Salesforce CLI plugin. However, with the advent of Code Builder, the app can also be run in a browser because it is available as a Code Builder extension as well! This takes out a fair amount of the complexity around retrieving the metadata. Another highlight of the app is that it’s open source! This means that the rule engine can be reviewed and collaborated on, which it has been.

How Do I Get It?

VS Code Extension

If you have not installed VS Code on your system, I suggest you follow the first two modules of this Trailhead project to get set up and familiarize yourself with using VS Code a bit. Once you have VS Code set up, you can click the Extensions tab on the left-hand side, type Lightning Flow Scanner into the search bar, and click Install next to the Lightning Flow Scanner. The picture below shows the steps (I do not have the Install option next to the Lightning Flow Scanner since I’ve already installed it).

Salesforce CLI Plugin

In order to install the Salesforce CLI plugin, you will need to have Salesforce CLI installed on your computer. Once you have Salesforce CLI installed, you can simply run the below command in the terminal to install the plugin:

sfdx plugins:install lightning-flow-scanner

Once the command finishes, you should be ready to go!

How Do I Use It?

For the sake of brevity, I will be walking through how to run the Lightning Flow Scanner VS Code extension only. For more information on using the Salesforce CLI plugin directly, please visit the repo. There are instructions in the extension listing on how you can use it, so I’ll walk through a use case on how you can scan all of the flows in your org.

  • Open a new VS Code Window.
  • Hit ctrl + shift + p and you should see a toolbar open on the top of the screen.
  • Type Create Project with Manifest, and you should see the below option come up.
  • Click that option, select Standard, and give the project a name. Pick the directory in which you want to save the project and it should open. 
  • On the lower left-hand corner of the window, you should see a little plug next to some text saying No Default Org Set. Click on that and select to authorize an org.
  • Select the appropriate org type and give the org a name. A window should open for you to log into that org and authorize the org. Once you have done so, you should see your new org in the lower left-hand corner.
  • Switch to the terminal tab and run the below command (which will retrieve the metadata for all flows in your authorized org).
    • sf force source retrieve -m Flow
  • Now you have your flows, you have your scanner, so let’s scan! Type ctrl + shift + p and type “Flow”.
  • Select Scan Flows and select the …\force-app\main\default\flows folder. 
  • Once the scanner finishes running, you can review the results. You have a number of ways you can review the results, and I’ll let you play around with that, but I’ll summarize it below:
    • You can view the scan results for an individual flow by clicking the details button.
    • You can review the results by rule for all flows by clicking the All Results button in the upper-left corner.
    • You can filter out rules you don’t care about.
    • You can download the results to a csv.

Additional Highlights

  • You can configure the severity of a rule.
    • In the configuration file, you can set whether a rule should be considered an error, a warning, or a note.
  • You can set up exceptions to rules.
    • In the configuration file, you can set up exceptions to the rules such as the name of a variable that should be ignored in the evaluation of unused variables.
  • You can configure expressions.
    • Certain rules such as rules around naming conventions or API version have expressions that are applied, and you can configure these expressions.

Flow Analyzer

Now, let’s take a look at Flow Analyzer.

What Is It?

The Flow Analyzer, developed and maintained by Alec Dorner, is the second tool to come to this marketplace of static Flow analysis. The Flow Analyzer, in contrast to the Lightning Flow Scanner, is a completely Salesforce-native application developed as a second-generation managed package.

How Do I Get It?

The Flow Analyzer is available on the Salesforce AppExchange as a free app. The listing can be found here. You can use the Get It Now button to install the package into an org.

How Do I Use It?

For the sake of brevity, I will be walking through the use case of scanning all active flows in the org in which the package is installed. More in depth walkthroughs on the features can be found in the documentation.

  • Once you have the app installed in your org, you must first authorize the current org. Click the app launcher and type in Flow Analyzer and click the app.
  • Click the Configuration tab and you will be prompted with a message to authorize this org. Click the Authorize button.
  • You will be prompted to log into the current org and authorize the OAuth scopes for the Flow Analyzer app.
  • Once you’ve authorized the org, you’re ready to scan flows in this org! Go to the Flow Analyzer tab.
  • Select your org and set your filter to Active Equals True.
  • Click Get Flows, and select all of the flows that are returned.
  • Click Run.
  • Once the run is complete, you can review the results on the link provided in the email you will receive.

Additional Highlights

  • You can create templates.
    • You can set up templates for specific criteria and quickly scan flows that meet those criteria.
  • You can connect to multiple orgs from a single hub org.
    • With the Flow Analyzer, you can authorize multiple orgs to scan flows across your whole development pipeline from a single hub org.
  • You can configure rule severity and thresholds.
    • You can set a severity for each rule by giving it a numeric value to be applied per violation of that rule. The higher the number, the worse the violation. You can also configure thresholds above which a value is considered a violation, for rules where that makes sense, such as evaluating cyclomatic complexity.
  • Subflow detection and scanning.
    • The Flow Analyzer will automatically include any subflows of a selected flow into the scan and can determine if that subflow executes any DML. If the subflow is executed in the context of a loop, a violation will be created for limit-consuming elements inside of a loop.

Final Thoughts

Flows can be a great tool in the toolbelt of any Salesforce professional, but there are pitfalls that can be tricky to navigate if you do not understand the underlying concerns. This is where a tool can step in to help identify potential violations of best practices, and that is where the Lightning Flow Scanner and Flow Analyzer come in. Both are great tools aimed at the same goal: to create a stronger, more scalable, and more efficient flow ecosystem.

I think we can all agree that it is an important initiative, so I implore that you use at least one of them, but to cover your bases best, use both!

The Author

Alec Dorner

Alec, a Salesforce Architect working at Cenegenics, is the creator of Flow Analyzer and the founder of Force for Change.
