Among the most valuable resources are tools for analyzing source code.
(Note: Tools that I have personally utilized and recommend are marked with a heart)
Here are some recommended tools for source code analysis:
- Force.com Code Scanner Portal: This is a free tool provided by Salesforce in collaboration with Checkmarx. You submit a scanning request and receive the results via email. The tool can scan up to 360,000 lines of code in any trailing 12-month period.
- Apex PMD: Apex PMD identifies common programming flaws, such as unused variables, empty catch blocks, and unnecessary object creation, and its security rule category covers Apex-specific issues such as SOQL injection, missing CRUD/FLS checks, and sharing violations. It supports Salesforce Apex and Visualforce and is available as an extension for Visual Studio Code. The tool is free, and there is a related blog post on how to use it to improve code quality.
- Codescan.io: This tool offers a choice between self-hosting or a cloud plan and includes over 500 security and quality rules for Apex, Visualforce, Lightning, and Metadata. It can integrate directly with Salesforce and popular CI/CD pipelines and can also be incorporated into the developer environment. The cost is US$ 2,800/year for 40,000 lines of code.
- Clayton: Clayton scans Apex, Visualforce, Lightning, Process Builder, Flows, object definitions, and more. It can catch OWASP Top 10 vulnerabilities as well as Salesforce-specific security flaws such as CRUD and FLS violations, SOQL injection, and more. The tool has a free plan with limited features, while paid plans start at US$ 599/month.
- SonarSource: This tool offers static code analysis for Salesforce Apex with 56 rules. It integrates with CI/CD and source/version control systems and is available in the cloud (SonarCloud) and on-premise (SonarQube). SonarQube Community Edition is free and open source; check whether the Apex analyzer is included in the edition or plan you intend to use before relying on it.
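As an added example (not from the original page, and not code from any of the tools listed), here is the kind of Apex that the SOQL injection and CRUD/FLS rules in Apex PMD (ApexSOQLInjection, ApexCRUDViolation) and Clayton's Salesforce-specific checks look for, next to a hardened version. The class AccountLookup, its method names, the SOQL queries, and the assumption that searchTerm and sortField are attacker-controlled are illustrative.

```apex
// Added example (not from the original page or any listed tool).
// AccountLookup, its methods and queries are assumed for illustration;
// searchTerm and sortField are treated as attacker-controlled input.
public with sharing class AccountLookup {

    // VULNERABLE: user input is concatenated into a dynamic SOQL string,
    // so a value such as   x%' OR Name != '   rewrites the WHERE clause.
    // There is also no CRUD/FLS check: the query runs even if the current
    // user is not allowed to read Account or the Phone field.
    public static List<Account> findUnsafe(String searchTerm) {
        String soql = 'SELECT Id, Name, Phone FROM Account WHERE Name LIKE \'%'
            + searchTerm + '%\'';
        return Database.query(soql);
    }

    // HARDENED: a bind variable keeps the search term as data, and
    // WITH SECURITY_ENFORCED makes the query throw a QueryException if the
    // running user lacks read access to any object or field it references.
    public static List<Account> findSafe(String searchTerm) {
        String pattern = '%' + searchTerm + '%';
        return [SELECT Id, Name, Phone FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // When the query must stay dynamic (here the caller picks the sort field),
    // whitelist the structural parts and still bind the user-supplied value.
    // Dynamic SOQL can reference in-scope bind variables such as :pattern.
    public static List<Account> findDynamicSafe(String searchTerm, String sortField) {
        Set<String> allowedSort = new Set<String>{ 'Name', 'CreatedDate' };
        if (!allowedSort.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        String pattern = '%' + searchTerm + '%';
        String soql = 'SELECT Id, Name, Phone FROM Account WHERE Name LIKE :pattern '
            + 'WITH SECURITY_ENFORCED ORDER BY ' + sortField;
        return Database.query(soql);
    }
}
```

findUnsafe is the shape both rule sets flag: a variable spliced into a query string and no permission check anywhere on the path. The hardened methods fix both findings without string escaping, which is the approach the scanners cannot always verify; where records must be read and then trimmed per field instead, Security.stripInaccessible(AccessType.READABLE, records) is the alternative to WITH SECURITY_ENFORCED.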
I hope this information is helpful for you.