salesforce, apex

Optimizing Compliance: Prioritizing SFDX Scanner Findings in Salesforce Package Submissions


Salesforce recently introduced the use of the SFDX scanner when submitting packages. Given the considerable number of items flagged by the scanner, is it necessary to fix all of them before submission? We're concerned about the significant time investment required to address these issues and would like to understand the best approach moving forward. Any recommendations or insights on prioritizing fixes and streamlining the process would be valuable. Thank you for your assistance.


Solution

  • You're supposed to run 3 special scans yourself (security, dfa and PMD with reduced ruleset) + Checkmarx (but it's a recent guidance so I guess just keep checking https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_code_analyzer_scan.htm)

    The release notes for the scanner change are in https://forcedotcom.github.io/sfdx-scanner/en/v3.x/release-information/#v3200-1-10-2024

    For me the scans were somewhat broken, they need PMD 7.0 to understand insert as user syntax. Looks like it'll improve after Spring'24 release: https://github.com/forcedotcom/sfdx-scanner/issues/1026

    Looks like they simplified Checkmarx scan too. I expected it to throw a tantrum about SOQL in a loop (which in the past I had to include in explanations doc), this time it "only" failed to understand Assert.isTrue syntax and complained my test class doesn't have any System.asserts.
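Since the question is about prioritizing a large number of findings rather than fixing everything at once, here is an added triage script that is not part of the original question or answer and is not Salesforce's or the scanner project's own code. It parses the CSV that `sf scanner run --format csv` writes and orders findings so that Security-category rules and the most severe findings come first, which is the set the security review is mostly concerned with. The column layout (Problem, Severity, File, Line, Column, Rule, Description, URL, Category, Engine), the numeric severity scale with 1 as the most severe, and the sample rows are assumptions constructed for the example; check them against the CSV your own scanner version produces.

```python
import csv
import io
from collections import Counter

# Constructed sample output in the shape of `sf scanner run --format csv`.
# The column names and severity scale are assumptions for this example, not
# copied from any real scan; the file paths and rule hits are made up.
SAMPLE_CSV = """\
"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/AccountService.cls","42","9","ApexSOQLInjection","Avoid untrusted/unescaped variables in DML query","https://pmd.github.io/","Security","pmd"
"2","3","force-app/main/default/classes/AccountService.cls","17","5","ApexDoc","Missing ApexDoc comment","https://pmd.github.io/","Documentation","pmd"
"3","1","force-app/main/default/classes/AccountService.cls","60","9","ApexCRUDViolation","Validate CRUD permission before SOQL/DML operation","https://pmd.github.io/","Security","pmd"
"4","2","force-app/main/default/classes/AccountServiceTest.cls","12","5","ApexUnitTestClassShouldHaveAsserts","Apex unit tests should include at least one assertion","https://pmd.github.io/","Best Practices","pmd"
"5","3","force-app/main/default/classes/Util.cls","8","1","AvoidGlobalModifier","Avoid using global modifier","https://pmd.github.io/","Best Practices","pmd"
"""


def load_findings(csv_text):
    """Parse scanner CSV text into a list of dicts, coercing Severity and Line to ints."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Severity"] = int(row["Severity"])
        row["Line"] = int(row["Line"])
        findings.append(row)
    return findings


def prioritize(findings):
    """Order findings for triage: Security category first, then by severity
    (1 = most severe), then by file and line so fixes in one class cluster together."""
    return sorted(
        findings,
        key=lambda f: (f["Category"] != "Security", f["Severity"], f["File"], f["Line"]),
    )


def security_blockers(findings):
    """The subset a reviewer is most likely to ask about: Security-category findings.
    Everything else can usually be scheduled later or explained in the submission notes."""
    return [f for f in findings if f["Category"] == "Security"]


def count_by_category(findings):
    """Counts per category, useful for estimating the fix effort before submission."""
    return dict(Counter(f["Category"] for f in findings))


def count_by_rule(findings):
    """Counts per rule, so a single noisy rule (e.g. ApexDoc) can be recognised
    and handled in bulk instead of finding by finding."""
    return dict(Counter(f["Rule"] for f in findings))


def load_file(path):
    """Convenience wrapper for a real scanner CSV on disk."""
    with open(path, encoding="utf-8") as fh:
        return load_findings(fh.read())


if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    print("Per category:", count_by_category(rows))
    print("Per rule:", count_by_rule(rows))
    for f in prioritize(rows):
        print(f"sev {f['Severity']} {f['Category']:<14} {f['Rule']:<38} {f['File']}:{f['Line']}")
```

Run it against a real report with `load_file("CodeAnalyzerGeneral.csv")` in place of the sample text; the DFA scan's CSV can be loaded the same way and concatenated before calling `prioritize`, so the Security findings from both scans sit at the top of one list.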