sf-cat is a Salesforce CLI plugin that converts output from Salesforce Code Analyzer into a SonarQube-compatible format. This enables development teams to surface Salesforce-specific code quality results from multiple scanning engines directly within one SonarQube project.
sf plugins install sf-cat@x.y.z
Salesforce Code Analyzer is a tool for developers to maintain high standards of code quality and efficiency by identifying issues such as security vulnerabilities, performance bottlenecks, and violations of coding best practices. It leverages various scanning engines like PMD, ESLint, RetireJS, and Salesforce Graph Engine, to analyze code in Apex, Visualforce, Flows, and Lightning components.
But SonarQube is often used as a central platform to consolidate code quality results across repositories and languages — including CI pipelines, pull request gating, and dashboards.
Unfortunately, Salesforce Code Analyzer output is not directly compatible with SonarQube.
That’s where sf-cat comes in:
✅ Converts Salesforce Code Analyzer JSON to SonarQube's Generic Issue Data format
✅ Enables seamless inclusion in sonar-scanner reports
✅ Allows teams to view Salesforce-specific quality violations in the same place as other code and integrate it into DevOps platforms — enabling a unified view of code quality across the entire stack
Salesforce Code Analyzer output sometimes contains startColumn and endColumn values that exceed the actual length of the line in the source file.
SonarQube enforces strict bounds on these values and will fail the scan if a column offset exceeds the line length.
To prevent such failures, sf-cat automatically removes column values (startColumn, endColumn) from all issues reported by the Salesforce Code Analyzer. This ensures compatibility with SonarQube while preserving line-level highlighting.
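The column handling described above, as an added example that is not sf-cat's own code: it checks a report in SonarQube's Generic Issue Data shape for column offsets beyond the real line length, then strips the columns. The function names, the in-memory `sources` map and the sample report are constructed for illustration.

```javascript
// Added example, not sf-cat's source. Input is SonarQube Generic Issue Data:
// issues[].primaryLocation and issues[].secondaryLocations[], each with a textRange.
function* locationsOf(issue) {
  if (issue.primaryLocation) yield issue.primaryLocation;
  yield* issue.secondaryLocations || [];
}

// List column offsets that exceed the real line length (what makes the scan fail).
// `sources` maps filePath -> file text; a hypothetical stand-in for reading from disk.
function findOutOfBoundsColumns(report, sources) {
  const findings = [];
  for (const issue of report.issues || []) {
    for (const loc of locationsOf(issue)) {
      const range = loc.textRange;
      const text = sources[loc.filePath];
      if (!range || text === undefined) continue;
      const lines = text.split(/\r?\n/);
      const checks = [['startColumn', range.startLine], ['endColumn', range.endLine ?? range.startLine]];
      for (const [field, lineNo] of checks) {
        const line = lines[lineNo - 1];
        if (range[field] !== undefined && (line === undefined || range[field] > line.length)) {
          findings.push({ ruleId: issue.ruleId, filePath: loc.filePath, line: lineNo, field, value: range[field] });
        }
      }
    }
  }
  return findings;
}

// Return a copy with every column offset removed; line ranges are kept.
function stripColumns(report) {
  const copy = JSON.parse(JSON.stringify(report));
  for (const issue of copy.issues || []) {
    for (const loc of locationsOf(issue)) {
      if (!loc.textRange) continue;
      delete loc.textRange.startColumn;
      delete loc.textRange.endColumn;
    }
  }
  return copy;
}

// Constructed sample: line 2 is 12 characters long, endColumn claims 40.
const sampleSources = { 'classes/Demo.cls': 'public class Demo {\n  Integer x;\n}' };
const sampleReport = { issues: [{ ruleId: 'constructed-rule', primaryLocation: {
  message: 'constructed finding', filePath: 'classes/Demo.cls',
  textRange: { startLine: 2, endLine: 2, startColumn: 2, endColumn: 40 } } }] };
console.log(findOutOfBoundsColumns(sampleReport, sampleSources));
console.log(findOutOfBoundsColumns(stripColumns(sampleReport), sampleSources));
```

Running the check before and after conversion in CI shows whether a scan failure comes from column offsets or from something else in the report.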
sf code-analyzer run --workspace "./force-app/main/default/" --rule-selector Recommended -f "output.json"
sf cat transform -i "output.json" -o "results.json"
In your sonar-project.properties:
sonar.externalIssuesReportPaths=results.json
Or pass it via CLI:
sonar-scanner -Dsonar.externalIssuesReportPaths=results.json
USAGE
$ sf cat transform -i <value> [-o <value>] [--json]
FLAGS
-i, --input-file=<value> Path to the JSON file created by the Salesforce Code Analyzer plugin.
-o, --output-file=<value> Path to the output created by this plugin.
[default: "output.json"]
GLOBAL FLAGS
--json Format output as json.
EXAMPLES
$ sf cat transform -i "salesforce-code-analyzer.json" -o "sonar.json"
If you encounter any issues or would like to suggest features, please create an issue.
This project is licensed under the MIT license. Please see the LICENSE file for details.