sf-agent-framework

AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction
# Security Scanner Utility

This utility provides comprehensive security scanning capabilities for Salesforce implementations, identifying vulnerabilities and compliance issues.

## Purpose

Automated security assessment to detect:

- Access control vulnerabilities
- Data exposure risks
- Authentication weaknesses
- Compliance violations
- Security best practice deviations

## Core Features

### 1. Permission Analysis

```javascript
scanPermissions({
  profiles: ['*'],
  permissionSets: ['*'],
  checks: {
    overPrivileged: true,
    unusedPermissions: true,
    highRiskCombinations: true,
    publicAccess: true,
  },
});
```

### 2. Data Security Scan

```javascript
scanDataSecurity({
  objects: ['*'],
  validation: {
    sharingRules: true,
    fieldLevelSecurity: true,
    recordTypeAccess: true,
    encryptionStatus: true,
  },
});
```

### 3. Code Security Analysis

```javascript
scanCodeSecurity({
  classes: ['*.cls'],
  triggers: ['*.trigger'],
  vulnerabilities: [
    'soql-injection',
    'cross-site-scripting',
    'insecure-endpoints',
    'hardcoded-credentials',
    'weak-encryption',
  ],
});
```

## Security Scan Categories

### Access Control

- Profile permissions analysis
- Permission set review
- Role hierarchy validation
- Sharing rule assessment
- Guest user access audit

### Data Protection

- Field-level security gaps
- Unencrypted sensitive data
- Data masking requirements
- Export/import controls
- Backup security

### Authentication & Authorization

- SSO configuration review
- Session settings audit
- Password policy validation
- MFA enforcement check
- API access controls

### Compliance Checks

- GDPR compliance
- HIPAA requirements
- SOC 2 controls
- PCI DSS standards
- Industry-specific regulations

## Usage Examples

### Basic Security Scan

```bash
# Full security scan
securityScan --comprehensive

# Specific area scan
securityScan --focus permissions

# Compliance-specific scan
securityScan --compliance HIPAA
```

### Automated Scanning

```yaml
schedule:
  daily:
    - securityScan --quick
  weekly:
    - securityScan --comprehensive
  monthly:
    - securityScan --penetration-test
```

## Scan Results

### Risk Assessment

```
Security Scan Results - 2024-01-31
==================================
Critical: 2 issues found
High:     5 issues found
Medium:   12 issues found
Low:      23 issues found

Critical Issues:
✗ Public Read access on Payment__c object
✗ Hardcoded API key in IntegrationHelper.cls
```

### Detailed Report

```json
{
  "scanDate": "2024-01-31",
  "riskScore": 78,
  "findings": [
    {
      "severity": "critical",
      "category": "data-exposure",
      "finding": "Public Read access on sensitive object",
      "object": "Payment__c",
      "recommendation": "Change OWD to Private",
      "complianceImpact": ["PCI-DSS", "SOC2"]
    }
  ]
}
```

## Configuration

### Scan Policies

```yaml
scanPolicies:
  dataClassification:
    PII:
      - fields: [SSN__c, TaxID__c]
        requiredSecurity: encrypted
    sensitive:
      - fields: [Salary__c, Medical_History__c]
        requiredSecurity: private
  accessControl:
    highRiskPermissions:
      - ModifyAllData
      - ViewAllData
      - ManageUsers
    restrictedProfiles:
      - System Administrator
      - Integration User
```

### Custom Security Rules

```javascript
// Define a custom security rule
addSecurityRule({
  name: 'custom-api-security',
  description: 'Check for secure API patterns',
  scan: (metadata) => {
    const violations = [];
    // Custom security logic: inspect metadata and push findings onto violations
    return violations;
  },
  severity: 'high',
});
```

## Remediation Guidance

### Automated Fixes

```javascript
// Auto-remediation for common issues
autoRemediate({
  fixPublicAccess: true,
  removeUnusedPermissions: true,
  enforceFieldSecurity: true,
  enableEncryption: ['SSN__c', 'CreditCard__c'],
});
```

Run auto-remediation against a sandbox before production: tightening an org-wide default or removing a permission can break integrations, reports and flows that silently depended on it, so each automated change needs a test pass and a rollback path.

### Manual Remediation Steps

Each finding includes:

- Clear description of the issue
- Step-by-step fix instructions
- Impact assessment
- Testing recommendations
- Rollback procedures

## Integration Points

### With CI/CD Pipeline

- Pre-deployment security gates
- Automated scan on PR
- Block deployments on critical issues
- Security trend tracking

### With Monitoring

- Real-time security alerts
- Anomaly detection
- Compliance dashboards
- Executive reporting

## Best Practices

1. **Regular Scanning**
   - Daily quick scans
   - Weekly comprehensive scans
   - Monthly deep analysis
   - Quarterly penetration tests

2. **Risk-Based Approach**
   - Focus on critical systems first
   - Prioritize compliance requirements
   - Address high-risk findings immediately
   - Track remediation progress

3. **Continuous Improvement**
   - Update scan rules regularly
   - Learn from incidents
   - Benchmark against standards
   - Share security knowledge

4. **Documentation**
   - Document all findings
   - Track remediation efforts
   - Maintain security baselines
   - Report to stakeholders

This utility helps keep a Salesforce implementation within its security baseline. Its findings are a starting point for review, not a verdict: a permission or sharing setting that looks over-permissive may be required by an integration, and automated scanning complements rather than replaces the penetration tests listed above.
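As an added worked example (not code from sf-agent-framework), the permission analysis, the data security scan and the scan-policy configuration described above can be wired together into one small rule-driven scanner over Salesforce Metadata API XML, with rules registered in the shape of the `addSecurityRule()` call shown above. Everything in it is an assumption for illustration: the `scanPolicy` object condenses the YAML policy on this page and treats `restrictedProfiles` as the only holders allowed to carry high-risk permissions, the `sensitiveObjects` list, the sample metadata files and the `runScan` and `shouldBlockDeployment` helpers are constructed here, and `riskScore` is omitted because the page does not say how it is computed.

```javascript
// Added example, not sf-agent-framework code: a rule-driven scanner over
// Salesforce Metadata API XML. scanPolicy condenses the YAML policy on this page;
// sensitiveObjects, the sample files and every function name are assumptions.
const scanPolicy = {
  dataClassification: { PII: { fields: ['SSN__c', 'TaxID__c'], requiredSecurity: 'encrypted' } },
  accessControl: {
    highRiskPermissions: ['ModifyAllData', 'ViewAllData', 'ManageUsers'],
    restrictedProfiles: ['System Administrator', 'Integration User'], // assumed: the only holders allowed
  },
  sensitiveObjects: ['Payment__c'], // assumed: objects whose OWD must be Private
};

// Constructed sample metadata (source-format paths), trimmed to the elements the
// rules read. Three of the five files carry a planted finding.
const sampleMetadata = {
  'permissionsets/Sales Ops.permissionset-meta.xml': `<PermissionSet>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ManageUsers</name></userPermissions>
  </PermissionSet>`,
  'profiles/System Administrator.profile-meta.xml': `<Profile>
    <userPermissions><enabled>true</enabled><name>ViewAllData</name></userPermissions>
  </Profile>`,
  'objects/Payment__c/Payment__c.object-meta.xml': `<CustomObject>
    <sharingModel>Read</sharingModel>
  </CustomObject>`,
  'objects/Contact/fields/SSN__c.field-meta.xml': `<CustomField>
    <fullName>SSN__c</fullName><type>Text</type><length>11</length>
  </CustomField>`,
  'objects/Contact/fields/TaxID__c.field-meta.xml': `<CustomField>
    <fullName>TaxID__c</fullName><type>Text</type>
    <encryptionScheme>DeterministicEncryption</encryptionScheme>
  </CustomField>`,
};

// Minimal XML helpers for the flat elements used here; a real scanner should use
// an XML parser rather than regular expressions.
function textOf(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
  return m ? m[1].trim() : null;
}
function blocksOf(xml, tag) {
  return [...xml.matchAll(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`, 'g'))].map((m) => m[1]);
}
const apiName = (path) => path.split('/').pop().split('.')[0]; // "profiles/X.profile-meta.xml" -> "X"

// Rule registry in the shape of the addSecurityRule() call shown above.
const rules = [];
function addSecurityRule(rule) { rules.push(rule); }

addSecurityRule({
  name: 'high-risk-permission', severity: 'critical',
  scan: (metadata) => Object.entries(metadata)
    .filter(([path]) => /\.(permissionset|profile)-meta\.xml$/.test(path))
    .filter(([path]) => !scanPolicy.accessControl.restrictedProfiles.includes(apiName(path)))
    .flatMap(([path, xml]) => blocksOf(xml, 'userPermissions')
      .filter((p) => textOf(p, 'enabled') === 'true')
      .map((p) => textOf(p, 'name'))
      .filter((name) => scanPolicy.accessControl.highRiskPermissions.includes(name))
      .map((name) => ({ category: 'access-control', object: apiName(path),
        finding: `${name} granted outside restricted profiles`,
        recommendation: `Remove ${name} or move it to an admin-only permission set` }))),
});

addSecurityRule({
  name: 'public-owd-sensitive-object', severity: 'critical',
  scan: (metadata) => Object.entries(metadata)
    .filter(([path]) => path.endsWith('.object-meta.xml'))
    .map(([path, xml]) => ({ object: apiName(path), owd: textOf(xml, 'sharingModel') }))
    // Any org-wide default other than Private/ControlledByParent exposes records to all users.
    .filter(({ object, owd }) => scanPolicy.sensitiveObjects.includes(object) && !['Private', 'ControlledByParent'].includes(owd))
    .map(({ object, owd }) => ({ category: 'data-exposure', object,
      finding: `Public ${owd} access on sensitive object`,
      recommendation: 'Change OWD to Private', complianceImpact: ['PCI-DSS', 'SOC2'] })),
});

addSecurityRule({
  name: 'unencrypted-pii-field', severity: 'high',
  scan: (metadata) => Object.entries(metadata)
    .filter(([path]) => path.endsWith('.field-meta.xml'))
    .map(([, xml]) => ({ field: textOf(xml, 'fullName'), type: textOf(xml, 'type'), scheme: textOf(xml, 'encryptionScheme') }))
    // Classic encryption shows as type EncryptedText; Shield Platform Encryption sets encryptionScheme.
    .filter(({ field, type, scheme }) => scanPolicy.dataClassification.PII.fields.includes(field)
      && type !== 'EncryptedText' && (scheme === null || scheme === 'None'))
    .map(({ field }) => ({ category: 'data-protection', object: field,
      finding: 'PII field stored without encryption',
      recommendation: 'Enable Shield Platform Encryption or use an EncryptedText field', complianceImpact: ['GDPR'] })),
});

// Runs every registered rule; the result follows the "Detailed Report" shape above
// (riskScore is left out because the page does not say how it is computed).
function runScan(metadata, scanDate = new Date().toISOString().slice(0, 10)) {
  const findings = rules.flatMap((rule) => rule.scan(metadata).map((f) => ({ severity: rule.severity, rule: rule.name, ...f })));
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { scanDate, counts, findings };
}
// CI/CD gate from "Integration Points": fail the pipeline on any critical finding.
const shouldBlockDeployment = (report) => report.counts.critical > 0;
console.log(JSON.stringify(runScan(sampleMetadata, '2024-01-31'), null, 2));
```

On the sample input the scan reports two critical findings (ModifyAllData on the Sales Ops permission set, Public Read on Payment__c) and one high finding (SSN__c stored as plain Text), while the System Administrator profile and the Shield-encrypted TaxID__c produce nothing; a real run would read the files from `force-app/main/default` instead of the inline map.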
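A second added example (again not the project's code) shows the kind of checks the code security analysis above performs for three of the listed vulnerability classes, run over a constructed Apex class that contains a vulnerable dynamic SOQL query next to two hardened versions (a bind variable, and `String.escapeSingleQuotes` before concatenation) and a callout over plaintext HTTP. The class, the regex patterns, the simple assignment-following taint check and the `scanApexSources` function are illustrative assumptions; a production scanner would work on an Apex syntax tree rather than on source text, and a text check like this one will miss values that flow through fields or method calls.

```javascript
// Added example, not sf-agent-framework code: text-pattern checks for three of
// the vulnerability classes listed under Code Security Analysis. The Apex class,
// the patterns and scanApexSources() are constructed for illustration.
const sampleClasses = {
  'IntegrationHelper.cls': `
public with sharing class IntegrationHelper {
    // Credential embedded in source: what the Risk Assessment output on this page flags.
    private static final String API_KEY = 'sk_live_51Hfake0000000000000000';
    private static final String PASSWORD = 'Passw0rd!';

    public static List<Account> searchAccounts(String term) {
        // Vulnerable: caller input concatenated into a dynamic query.
        String q = 'SELECT Id FROM Account WHERE Name LIKE \\'%' + term + '%\\'';
        return Database.query(q);
    }

    public static List<Account> searchAccountsSafe(String term) {
        // Hardened: static SOQL with a bind variable, nothing to inject into.
        String pattern = '%' + term + '%';
        return [SELECT Id FROM Account WHERE Name LIKE :pattern];
    }

    public static List<Contact> searchContactsEscaped(String term) {
        // Hardened dynamic SOQL: input escaped before it is concatenated.
        String safe = String.escapeSingleQuotes(term);
        return Database.query('SELECT Id FROM Contact WHERE LastName = \\'' + safe + '\\'');
    }

    public static HttpResponse fetchRates() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://rates.example.com/v1/latest');
        req.setMethod('GET');
        return new Http().send(req);
    }
}`,
};

// Single-line checks: each pattern is tried against every source line.
const lineChecks = [
  { id: 'hardcoded-credentials', severity: 'critical',
    pattern: /\b(\w*(?:key|secret|password|token)\w*)\s*=\s*'[^']{6,}'/i,
    message: (m) => `Credential literal assigned to ${m[1]}` },
  { id: 'insecure-endpoints', severity: 'high',
    pattern: /setEndpoint\(\s*'http:\/\//,
    message: () => 'Callout endpoint uses plaintext HTTP' },
];

// An operand of a dynamic-SOQL string is safe if it is a literal, is escaped
// right there, or is a local String variable whose own expression is safe.
function isSafeOperand(op, assigned, depth = 0) {
  if (/^'/.test(op) || /^\d+$/.test(op)) return true;
  if (/^String\.escapeSingleQuotes\(/.test(op)) return true;
  if (assigned.has(op) && depth < 8) {
    return assigned.get(op).split('+').every((p) => isSafeOperand(p.trim(), assigned, depth + 1));
  }
  return false; // parameters, fields and other calls are treated as attacker-controlled
}

// Flow-insensitive check: remembers `String x = expr;` assignments seen so far in
// the file and inspects the argument of every Database.query()/countQuery() call.
function findSoqlInjection(source) {
  const assigned = new Map();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const asg = line.match(/\bString\s+(\w+)\s*=\s*(.+);\s*$/);
    if (asg) assigned.set(asg[1], asg[2]);
    const call = line.match(/Database\.(?:query|countQuery)\(\s*(.+)\s*\)\s*;/);
    if (!call) return;
    const expr = assigned.get(call[1]) ?? call[1];
    const tainted = expr.split('+').map((p) => p.trim()).filter((p) => !isSafeOperand(p, assigned));
    if (tainted.length > 0) {
      findings.push({ id: 'soql-injection', severity: 'high', line: i + 1,
        message: `${tainted[0]} reaches dynamic SOQL without escaping or a bind variable` });
    }
  });
  return findings;
}

// Scans a map of file name -> Apex source and returns one finding per hit.
function scanApexSources(classes) {
  const findings = [];
  for (const [file, source] of Object.entries(classes)) {
    source.split('\n').forEach((line, i) => {
      for (const check of lineChecks) {
        const m = line.match(check.pattern);
        if (m) findings.push({ file, line: i + 1, id: check.id, severity: check.severity, message: check.message(m) });
      }
    });
    findings.push(...findSoqlInjection(source).map((f) => ({ file, ...f })));
  }
  return findings;
}

console.log(JSON.stringify(scanApexSources(sampleClasses), null, 2));
```

Against the sample class the scan flags the two credential literals, the `http://` endpoint and the `Database.query(q)` call that carries the unescaped `term`, and stays silent on the bind-variable and escaped variants, which is the distinction a reviewer wants the tool to make rather than flagging every dynamic query.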