Helps to facilitate SAST scan and secure code reviews
What do you like best?
It's specific to Salesforce Apex. There aren't many tools out there for this language. And it does it well with SonarCloud integration so you have the ability to see what aspect of OWASP Top 10 the vulnerability falls under. Recently, they included security hotspots, to give you more insight to areas your organisation's code needs more security improvement.
CodeScan is very understanding about your business needs, and try to fit into your budget as much as they can. They also value customer loyalty and they listen to their customers. They provide hands-on help as needed and do not leave you hanging.
The pricing for CodeScan eliminates any general SonarCloud languages. It only includes programming languages specific to Salesforce - i.e. lightning pages, aura component, apex classes, visualforce pages (excluding js files which is included with SonarCloud].
What do you dislike?
There isn't much to dislike about the product, although it does not integrate with a ticketing system, it does the job. It will be helpful if it integrated with a ticketing system, to create a ticket for security or quality bugs. It also results in a lot of false positives but you may modify this as you please in the administrative part of SonarCloud.
You cannot get a specific report for newer codes in your repository or Salesforce org. The security report generated is for collated code from your org or repository.
I would also appreciate more help with working in SonarCloud for those who are not versatile with the application. Although, CodeScan provides hands- on help. The team needs to consider writing up a manual for specific operations in SonarCloud that organisations might be interested in.
Recommendations to others considering the product:
CodeScan does the job for security vulnerabilities and quality assessment more than most high-end commercial tools. It is just as good as the very expensive tools and integrates well with your CI/CD process.
The company ensures their clients are satisfied and always check in with their customers. They do not leave you hanging like some other organisations do.
Lots of opportunities to ask for help if you are stuck. Overall, for secure code reviews, it is brilliant! We do not currently use if for SAST but it does a great job with overall reporting of your code-base - projects.
What problems are you solving with the product? What benefits have you realized?
We currently use CodeScan to facilitate in our internal secure code reviews and it does well with in-depth information regarding new and existing code security.
It also provides more than Security vulnerabilities or hotspots, it is very beneficial for Quality bugs relating to Salesforce Apex. We do not currently use this aspect of CodeScan.
We have used it to improve our deployment process by 50%, and SonarCloud is easily integrated with our CI/CD process, which automates CodeScan scans for our teams.
