What are Apex code review tools?
Salesforce Apex code review tools are software utilities used to analyze and review the quality, security, and performance of Apex code (Salesforce’s proprietary programming language). Examples include PMD, CodeScan, and Clayton, which help ensure best practices, identify vulnerabilities, and maintain code health in Salesforce development environments.
Here’s a quick review on the benefits of the Apex programming language
The Salesforce Apex programming language is designed for their Lighting platform. It allows developers to add business logic to most events in their system, including button clicks and record updates. We can sum up the benefits as:
- Easily Tested
- Built-in Support
- Easy Updates
- Secure Platform
- Access to the Backend
There have been conversations about code review process and tools for Salesforce Apex Code changes. Code reviews ensure that multiple members of your team have at least seen each line of code in your Salesforce application. The reviewers are looking at several perspectives. They can look at logic errors and code quality, missing acceptance criteria and test coverage.
The Apex code review in the most simplistic terms means that Salesforce teams can rest assured. The greater quality of code, the greater baseline understanding by teams, increased security and in general greater efficiency, are some of the benefits for these reviews.
How Apex code reviews enable developers
Beyond understanding the benefits of Apex code reviews this article aims at equipping admins and developers with the experts’ view on code review processes and tools for Salesforce Apex code changes. We posed a question to leading Salesforce gurus and here is what they had to say.
Our first response comes from Enrico Murru, Solution & Technical Architect @ WebResults (Engineering group), Creator of ORGanizer for Salesforce. Enrico is a Salesforce MVP with a great blog for all salesforce IT.
In Enrico’s blog, Salesforce/VCS, The team factor or how a business analyst can affect the overall delivery speed, he touches on the topic of Apex code reviews and writes, “having your development reviewed has too many benefits to skip it. It prevents you from introducing a bad design crippling the project in the long run for short term success. Insights are shared within the team so there are no surprises. And you become a better developer through feedback.”
Here is Enrico Murru’s response to our question: What are your favorite well documented code review processes and tools for Salesforce Apex code changes?
When I hear about code reviews I think of my first days as an (Apex) programmer, about 10 years ago. At that time, we were a small company with few highly skilled developers but no time/budget for code quality reviews and the only reviews I got were pair programming with senior developers: projects were absolutely bigger than us but we were not scared and we acquired such a level of professionality and skills, with a certain dose of ingenuousness.
Time went by, we grew up (more than 10x in 10 years!) and we understood that we need code/configuration quality review in our projects. We started building an internal tool for:
- Apex test automatic coverage calculation and notifications
- Daily inspection of new classes / triggers / pages / lightning components / metadata components to see if they followed naming conventions (sometimes junior devs have deep fantasy in naming things)
- Async jobs monitoring
- Apex jobs error message
But this was not enough, manual inspections on commits were expensive and error prone, we needed automatic Apex code analysis to help us on daily and repetitive tasks.
With automatic Apex code analysis programmers’ life became easier, the anxiety levels had decreased at decent levels (although I believe for programmers like me anxiety is like a fuel) and we can concentrate on the best part of coding, that is creativity!
I cannot suggest you the best way to promote code analysis on your company, it depends on coders experience, project size and type, but the only suggestion is do it with whatever mean you want but do it to promote a good coding culture.
Our next response comes from Abhilasha Singh. Abhilasha is a Salesfroce MVP and Salesforce developer at Dazeworks. She has an active twitter feed and shares a lot of good tips on the world of salesforce dev.
Salesforce development is unique because of its “clicks not code”. Code reviews will still benefit features which are created through the Salesforce UI. Git is the one of the best tools for code reviews. Code reviews work best when it’s possible to create branches for your code which are separate from the master branch. Git makes this really easy. It also makes it easy to compare a previous branch with the new branch.
A few tools I recommend using for the Salesforce Apex code changes
It is useful when you need to migrate the metadata between related organizations. In changeset you need Deployment connection between the orgs.
This is browser based developing environment which is used to create, test and debug application in salesforce org. We can also write and edit SOQL and SOSL queries.
This is one of the web-based suite of tools designed for salesforce admins and developers to interact with https://Salesforce.com org with the https://Force.com APIs. Using this admins and developers can easily view their data into the org. It can also perform SOQL, SOSL, test, deploy, session settings and troubleshoot their own application.
For this, first we need to install Eclipse (a developer tool used by all types of developers across the world), then only we can install https://Force.com IDE. Based on the Eclipse platform and built on the Tooling API, the https://Force.com IDE provides a comfortable environment for programmers familiar with integrated Salesforce development environments, letting you code, compile, test, package, and deploy all from within the IDE.
ANT Migration Tool
This toolkit is similar to Eclipse IDE except that it is intended to be used as a Salesforce deployment tool which can be scripted and automated without requiring UI interactions. This makes ant migration toolkit ideal for things like continuous integration and automatic deployment.Follow Abhilasha on Twitter
Our third response comes from Paarth Jolly, CEO & Founder at YVExperts. Paarth, has been an active blogger, and We Both Code, and leader in the Salesforce Community since 2013, and has been working with Salesforce.com, for developing Sales and Service cloud applications. This includes both standard and custom functionalities. Here is what Paarth had to add to our blog:
Code review is an important part of Salesforce Implementation. Sometimes we write Apex code which works perfectly fine according to business aspect but has some syntax error which can cause trouble while promoting the package/code to AppExchange. Two key process for Apex code reviews are code optimization and using the secure coding guidelines provided by Salesforce.
Code optimization is the initial step after you are done with coding. While Salesforce is an amazing platform, there are tons of limitations. Developers must always keep in mind the limits in the backend system and try to always to write code in dynamic way so in the future it can be used in various places accordingly.
When developing and writing the Apex code I always focus on the following things:
- Avoid SOQL Queries or DML statements inside FOR Loops
- Bulky/triggers your Code
- Bulky your Helper Methods
- Using Collections, Streamlining Queries, and Efficient for Loops (Use maps and avoid nested for/do-while loops)
- Comments, lots of comments to easy understandable to any another developer
- Use of the Limits Apex Methods to Avoid Hitting Governor Limits
Secure Coding Guidelines
Secure coding guidelines is essential for any developer. You can find a complete guide provided by Salesforce which explains how to ensure your code/package pass a security review process, so you can have your app available on AppExchange.
Next we have Meighan Brodkey, Senior Consultant Community Specialist at GearsCRM and the Seattle Women in Tech User Group Leader. Since 2008, Meighan has been sharing Salesforce experiences, tips, tricks, and best practices with Admins everywhere on her blog. Here is what Meighan had to say.
Making sure you have checks and balances in a project is essential. One thing that I do on every project is keep a backup of your metadata as we continue to build, having some form of source control. This lets you have that reference to go back to if need be and make sure everyone is being tracked for changes and reviewed before your deployment.
As you troubleshoot or enhance your code, bugs can happen, this will let you go back to that previous version to see what was working so you can find out where problems started. Not only your code like lightning components, classes, etc. should be included, but also all metadata, objects, your flows, etc, so you can always go back vs re-doing everything from scratch.
It is important to have a single location (GithUb, BitBucket, etc) that everyone branches from for a feature branch or a single branch everyone works with. As each component is approved, merging into the master lets you ensure that you have the approved work vs in progress work separated.
A great way to do this is with pull request, having each developer complete their work and submit when complete. This can’t be the only check in place. Having a developer that didn’t write the code, or the TA on a project complete a code review on each item ensures you have that second set of eyes and don’t miss best practices or a requirement. Even as the architect on projects, I have a developer review my code vs myself to make sure I didn’t miss something.
Our fifth response comes from Abhi Tripathi, Salesforce Developer at Homestar Financial Corporation and Salesforce Evangelist. Abhi’s blog, Cloudyabhi covers topics Salesforce best practices offering top tips to dev and admins to get their jobs done. Read Abhi’s suggestions for code review processes and tools for Salesforce Apex code changes.
Salesforce is an awesome platform, and has an incredible community that helps their developer and admins to grow in their careers. With Salesforce’s communities we get a lot of great tools which make developer and admin life easy. One of the important practices in project implementation is code review, as it insures your team has visibility into your applications code. Here is the list of few tools which I have found to help review apex codes:
Checkmarx provides a great tool to secure your apex and visualforce code. It’s easy to integrate with your salesforce org and provides you with a whole report. This report has the points of changes and what to change. I personally recommend this tool for your application and code security.
Code Analysis Tools for Salesforce. This AppExchange tool is really easy to use and install in your salesforce org. It helps developers to identify bugs and increase the quality of your code. This tool provides incredible UI to analyze your orgs apex code.
Clayton is a next gen tool that does everything you need for your Salesforce application to be the best. It’s very easy to setup and use. Clayton integrates into your code repositories and enforces quality and security standards across your organization, at all times, while your apps are built. It provides you analyses on not only apex but lightning component code as well.
This tool automates code review for test coverage, maintainability and more so that you can save time. It provides you real time feedback of your code to help maintain good code as you go. It also provides test coverage line by line, integrated with your GitHub repo, run analysis locally and team management with permission visibility.
See more by Abhi
Our last response comes from Alex Sutherland. Alex is a Salesforce Solution lead architect with long-time experience designing & delivering unique enterprise solutions on the Salesforce platform for the public sector. Follow Alex on Twitter to gain more insights from a leading technologist, strategist, and Salesforce advocate. Here is what Alex had to say about his code review process.
The most important tool set for tracking and reviewing changes to metadata and code is a robust distributed version control solution with a web UI likeGithub, Gitlab, or BitBucket. I currently use Github and have usedBitBucketin the past for other projects. Using a Git repository system that has a web UI lets you visually track what’s going in the repo with all the branches and commits and diffs in the code. Being able to visually compare the differences in the code and metadata is a huge advantage. More Salesforce customers need to adopt distributed version control systems, particularly those anticipating implementing Salesforce DX in their development process.
In addition to Git, in a collaborative development team it is absolutely essential to have a development environment that make it easy for your team members to commit to their changes to the repo. My current favorite is Illuminated Cloud which is a plugin for JetBrains IntelliJ and WebStorm IDEs. Having tight integration with the Git repo will dramatically increase the consistency and quality of commits to the repo by the Salesforce development team.
Lastly, I would also suggest using a static code analysis tool like Checkmarx, PMD or Panaya. Static code analysis helps to identify problematic design patterns and security flaws in the code. Catching these gaps in the code base early in the development cycle will increase the likelihood that they are resolved while it is still cost effective to do so.
One final thing I believe is crucially important for the Salesforce dev community to embrace is the importance of unit test coverage and the benefits of robust test cases and test suites. Some members of the Salesforce community are unhappy with the mandate that they need to write unit tests for their code in order to deploy it to production. However, they underestimate the value of proper unit testing and how much effort and expense these tests can save them down the road if implemented properly. Unit tests should be the final insurance that changes to the environment are producing the expected results, and are an essential part of a robust release management process.
We also posed this same question to our in-house salesforce expert Ira Dizengof. Ira added one last element to a successful Salesforce Apex code review processes, and that was the importance of adding impact analysis to any change you want to make to your code. With impact analysis, business analysts, dev and admins can understand the impact of all code developed before they begin to develop anything. By viewing a list of all impacted components as well as their usage statistics, teams can better prioritize any change.
In Ira’s case she relies on Panaya ForeSight for Salesforce to not only ensure quality code, but also quality releases. With Panaya ForeSight, teams gain real time visibility and control of all SFDC projects and releases. With a detailed Risk Cockpit teams have a holistic view of the entire project or release and its risk covering areas such as requirements completion, development, test plan coverage as well as tests and defects execution progress. Learn more about our Demo Jam winning solution Panaya ForeSight here in our eBook – Salesforce Housekeeping for Admins – The Expert Guide to Organizing your Org.