How to Automate Salesforce Flow Quality Checks

Within the Salesforce ecosystem, Flow stands out as a powerful automation engine, enabling faster productivity and greater operational agility. Flow’s declarative approach empowers organizations to automate even complex business processes without writing code, but as they grow in complexity, maintaining quality and performance becomes challenging.

The accessibility of flows as an intuitive, low-code tool democratizes automation and encourages non-developers who did not fully grasp flow’s intricacies to create automations, potentially introducing risk or inefficiency.  Unlike Apex code, flows can’t be reviewed using traditional static code analysis tools such as PMD or SonarQube, while resorting to a manual review can be cumbersome, time-consuming, and prone to oversight, especially as automations scale in complexity.

Fortunately, a growing set of “static flow analysis” tools has emerged to address these challenges. This article sheds light on the Lightning Flow Scanner which is a powerful tool that can help you identify and address common issues in your flows.

Understanding the Lightning Flow Scanner

The Lightning Flow Scanner is an open-source Salesforce CLI plugin designed to analyze Flow definitions in your org and to highlight deviations from industry best practices. It helps you to identify and address:

• Performance issues such as inefficient loops and large collections.
• Security risks like hardcoded credentials or missing field-level security (FLS) checks.
• Best practice violations including missing error handling, unused variables, and hardcoded IDs.
• Deprecated features that may impact maintainability or compatibility.

After scanning, the tool outputs a comprehensive report, enabling you to proactively optimize and secure flows before issues arise in production.

The Secret to Flawless Flow Quality

Adopting the Lightning Flow Scanner empowers your team to build more reliable, maintainable, and efficient Flows by catching issues early and enforcing standards consistently.

Key benefits:

1. Prevent Flow Failures in Production
   • Catch common mistakes before deployment.
   • Reduce debugging time by identifying anti-patterns early.
2. Enforce Best Practices at Scale
   • Ensure consistency across large teams.
   • Automate governance without manual reviews.
3. Optimize Performance
   • Detect inefficient queries or loops.
   • Identify overly complex Flows that may need refactoring.
4. Integrate with DevOps Pipelines
   • Run scans in GitHub Actions, Jenkins, or Bitbucket.
   • Block deployments if critical issues are found.

CI/CD Integration: Your Ticket to Effortless Governance

Integrating the Lightning Flow Scanner into your CI/CD pipelines allows you to automatically scan Salesforce Flows for best practice violations, performance bottlenecks, and security risks as part of your deployment process. 

This proactive approach provides several key benefits: 

• Early detection of Flow issues before production.
• Automated enforcement of best practices and security standards.
• Reduced manual review effort and improved deployment reliability
• Optimization of the overall automation quality.

You can also run the scanner manually or via scheduled jobs, ensuring continuous enforcement of Flow standards throughout your development lifecycle.

Roll up your sleeves and let’s build a GitHub pipeline that leverages the Lightning Flow Scanner plugin to automatically review and enforce best practices for Salesforce Flows.

Hands-On Lab: Build Your Scanner Pipeline

Create a GitHub account: Log in to your account and create a private repository as shown below:

Collect the Org authentication URL: With Salesforce CLI installed in your terminal, connect to your org and extract the authentication URL by executing the following steps:

• $ sf force:auth:web:login –alias <OrgAlias> –instance-url <OrgURL>  –set-default

• A prompt to login to the targeted org is shown on a new browser tab, enter your credentials and once successfully authorized close the browser tab.

• Then run this command: $ sf org display  –target-org <OrgAlias> –verbose

• Maintain a copy of the Authentication URL displayed immediately after: “Sfdx Auth Url”.

In your GitHub repository, go to Settings → Secrets and Variables → Actions and add the following secret variables to your repository:

Secret Name	Description
ORG_SFDX_URL	SFDX authentication URL for the target Salesforce org.
MAIL_USERNAME	Email address or username for the SMTP server.
MAIL_PASSWORD	Password or app-specific password for the SMTP server.

Grant rights for actions and reusable workflows.

Deploying the Pipeline

Putting this all together, let’s configure our workflow:

The basic setup of our GitHub Pipeline requires creating a file called “Scan Flows.yml” and placing it under “/.github/workflows/”.

Go to Actions and press Configure a Simple Workflow:

Copy the code snippet below into this file and commit the changes:

name: Scan Flows

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday at midnight

env:
  ORG_ALIAS: org_alias
  REPORT_RECIPIENT: "[email protected]"
  
jobs:
  scan_org_flows:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4

      - name: 'Install Node.js'
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: 'Install Salesforce CLI'
        run: npm install @salesforce/cli --global

      - name: 'Install lightning-flow-scanner Plugin'
        run: echo "Y" | sf plugins install lightning-flow-scanner

      - name: 'Authorize to the Org'
        run: echo "${{ secrets.ORG_SFDX_URL }}" | sf org login sfdx-url --alias $ORG_ALIAS --set-default --sfdx-url-stdin

      - name: 'Run Flow Scanner'
        continue-on-error: true
        run: |
          mkdir -p scanResult
          sf flow scan --targetusername $ORG_ALIAS > scanResult/flow-scan.txt

      - name: 'Create Job Summary'
        if: always()
        run: |
          echo "### Flows Scan Results" >> $GITHUB_STEP_SUMMARY
          cat scanResult/flow-scan.txt >> $GITHUB_STEP_SUMMARY

      - name: 'Email Scan Report'
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.gmail.com
          server_port: 587
          username: ${{ secrets.MAIL_USERNAME }}
          password: ${{ secrets.MAIL_PASSWORD }}
          subject: "Org Flows Scan Report"
          to: ${{ env.REPORT_RECIPIENT }}
          from: "[email protected]"
          body: |
            Flows scan completed with status: ${{ job.status }}
            Attached are the scan results.
          attachments: scanResult/flow-scan.txt

Run the GitHub workflow manually and visualize the output generated:

Code Breakdown

This workflow automates the scanning of the flows in a specified org and delivers the results via email. Here’s a detailed analysis: 

• Workflow Triggers
  • Manual: Can be initiated manually through the GitHub UI or API.
  • Scheduled: Runs weekly on Mondays at midnight (UTC) using a cron job.
• Environment Variables
  • ORG_ALIAS: The alias of the org.
  • REPORT_RECIPIENT: The email recipient for the scan report.
• Job: scan_org_flows
  • Check out the repository to access the repo’s code.
  • Install the required components: Node, Salesforce CLI, and the plugin.
  • Authenticate to the selected Salesforce org.
  • Scan the org flows and save output to “scanResult/flow-scan.txt”. 
    Continue the job, even if the scan fails.
  • Append the scan results to the GitHub workflow summary for visibility.
  • Sends the scan report via email using Gmail’s SMTP server.        

Decoding the Scan Report

Let’s analyze the generated scan reports for a particular showcasing flow:

Based on the scan results, this auto-launched flow has several issues that should be addressed. Let me break down each finding and provide recommendations:

Problem	Impact	Solution
Outdated API Version	Older API versions may lack security updates and modern features.	Update the flow’s API version to 49 or higher.
Missing Flow Description	Makes maintenance and collaboration more difficult.	Add a clear description for the flow.
Unconnected Element	This element will never execute, potentially breaking expected functionality.	Connect the element to the flow’s logic path or remove it if intentionally unused.

Considerations of the Lightning Flow Scanner

While the Lightning Flow Scanner is a powerful tool for enforcing Flow quality, it has certain limitations that teams should consider: 

1. Limited Flow Type Support 
   • The scanner currently focuses on Auto-Launched Flows (e.g., scheduled, platform event-triggered flows) with limited coverage to Screen Flows or Record-Triggered Flows, leaving gaps for orgs relying heavily on these types. 
   • Mitigation: Prioritize manual reviews for unsupported Flow types or supplement with complementary tools like Salesforce Code Analyzer.
2. Rule Coverage and Customization 
   • The predefined ruleset may not align perfectly with every organization’s standards. Custom rules or exceptions (e.g., org-specific security policies) cannot be added natively. 
   • Mitigation: Combine the scanner with tools like PMD or ESLint for broader rule customization.
3. False Positives/Negatives 
   • Some issues (e.g., “missing error handling”) may be flagged even if handled outside the Flow (e.g., via Apex). Conversely, complex logic errors might go undetected. 
   • Mitigation: Consider scan results as a starting point, not a definitive audit. Validate critical findings manually.

4. Scalability Constraints 
   • Scanning orgs with hundreds of Flows may result in long execution times or memory issues due to the CLI’s single-threaded architecture. 
   • Mitigation: Split scans by Flow type/folder or schedule incremental scans for smaller batches.

5. No Real-Time Feedback 
   • The scanner operates post-development (CLI-based) and does not integrate with the Salesforce Flow Builder UI for real-time guidance. 
   • Mitigation: Train developers to run scans locally during development and enforce pre-commit hooks in repositories.

Tackling Flow Quality Gaps

Automated Flow scanning delivers the greatest value when combined with deliberate processes designed to guarantee consistency, security, and sustainable maintainability over time. The following actionable practices are recommended to seamlessly incorporate Flow quality checks into your development lifecycle and governance framework:

• Run Scans Early and Often: Perform Flow scans during development, not just before deployment, to catch issues promptly and reduce costly fixes later.
• Enforce Quality Gates in CI/CD Pipelines: Configure your continuous integration process to fail builds or block deployments when critical Flow issues are detected, ensuring only compliant automations are promoted.
• Monitor and Track Progress Over Time: Maintain historical records of scan results to identify trends, measure improvements, and prioritize technical debt remediation across releases.
• Integrate with Complementary Tools: Combine Flow scanning with other static analysis tools like PMD, ESLint, or Salesforce Code Analyzer to achieve comprehensive code quality and security coverage.

Final Thoughts

Remember, the cost of fixing an issue increases the closer it gets to production. Therefore, the lightning-flow-scanner plugin is a must-have for Salesforce teams serious about Flow quality.

Embracing tools like the Lightning Flow Scanner supports a culture of continuous improvement, empowering consultants and developers to collaboratively enhance their Flow development practices through open-source solutions.