Fix: exception by id ignored

Fix Exceptions Issue running via sf cli

Exceptions are now correctly skipped from the CLI when configured. The behavior is now consistent across CLI plugin and VS Code fully resolving #285 reported by @aidandunne1892

CLI version: v6.16.2
VSX Version: v3.1.2

For more information on exceptions, please refer the readme documentation

Improved Rule Messages & Category

Release Notes –Improved Rule Messages & Category

You can now provide a custom message for any rule. This message overrides the default rule description in scan results, making violations clearer and easier for your team to understand.

Action tag: action-v3.3.0
CLI tag: v6.16.0
Core tag: core-v6.16.0
VSX Version: v3.1.0

Custom Rule Messages Feature

When specified, the custom message and url replaces the default rule description and documentation reference in scan results.

Example configuration:

{
  "rules": {
    "dml-in-loop": {
      "message": "Avoid DML inside loops. Bulkify operations instead.",
      "messageUrl": "https://internal.docs.company.com/salesforce/flow-dml-best-practices"
    }
  }
}

Improved default severities

We’ve also updated the default severity levels and descriptions for several rules to better reflect their impact and help prioritize:

• ActionCallsInLoop → now Warning (was Error)
• ProcessBuilder → now Error (was Warning)
• MissingMetadataDescription → now Warning (was Error)
• RecordIdAsString → now Warning (was Error)

Custom Rule Messages(Url Patch)

Release Notes –Custom Rule Messages

You can now provide a custom message for any rule. This message overrides the default rule description in scan results, making violations clearer and easier for your team to understand.

Action tag: action-v3.2.1
CLI tag: v6.15.1
Core tag: core-v6.15.1
VSX Version: v3.0.1

Custom Rule Messages Feature

When specified, the custom message and url replaces the default rule description and documentation reference in scan results.

Example configuration:

{
  "rules": {
    "dml-in-loop": {
      "message": "Avoid DML inside loops. Bulkify operations instead.",
      "messageUrl": "https://internal.docs.company.com/salesforce/flow-dml-best-practices"
    }
  }
}

Improved default severities

We’ve also updated the default severity levels and descriptions for several rules to better reflect their impact and help prioritize:

• ActionCallsInLoop → now Warning (was Error)
• ProcessBuilder → now Error (was Warning)
• MissingMetadataDescription → now Warning (was Error)
• RecordIdAsString → now Warning (was Error)

Custom Rule Messages

Release Notes –Custom Rule Messages

You can now provide a custom message for any rule. This message overrides the default rule description in scan results, making violations clearer and easier for your team to understand.

Action tag: action-v3.2.0
CLI tag: v6.15.0
Core tag: core-v6.15.0
VSX Version: v2.10.0

Custom Rule Messages Feature

When specified, the custom message replaces the default rule description in scan results.

Example configuration:

{
  "rules": {
    "invalid-naming-convention": {
      "message": "Flow names should follow the team naming pattern for clarity."
    }
  }
}

Improved default severities

We’ve also updated the default severity levels and descriptions for several rules to better reflect their impact and help prioritize:

• ActionCallsInLoop → now Warning (was Error)
• ProcessBuilder → now Error (was Warning)
• MissingMetadataDescription → now Warning (was Error)
• RecordIdAsString → now Warning (was Error)

Exclude Flows from scanning

Release Notes – Exclude Flows from scanning

Action tag: action-v3.1.0
CLI tag: v6.14.0
Core tag: core-v6.14.0
VSX Version: v2.9.0

New Features

Enhanced Flow Exclusion Options

Lightning Flow Scanner now provides two complementary ways to exclude flows from scanning, offering greater flexibility across different environments and use cases.

Exclude by File Path (ignore)

• Added support for glob pattern-based exclusion during flow discovery phase
• Enables efficient exclusion of entire directories or specific file patterns
• Most performant option for excluding large numbers of flows
• Environment compatibility: Available in CLI Plugin, VS Code Extension, and GitHub Action (requires Node.js/file system access)

Example configuration:

{
  "ignore": [
    "**/testing/**",
    "**/*_Deprecated.flow-meta.xml"
  ]
}

Exclude by Flow API Name (ignoreFlows)

• Added support for excluding flows by their unique API names
• Works regardless of file system location or directory structure
• Provides precise control for excluding specific flows
• Environment compatibility: Works in all environments including browser/web distributions

Example configuration:

{
  "ignoreFlows": [
    "My_Legacy_Flow",
    "Temporary_Test_Flow",
    "Deprecated_Process_Builder"
  ]
}

These options can be used independently or together to create flexible exclusion strategies that work across different deployment scenarios and development environments.

Action V3: Branch Auto-Detection + New Flags

Release Notes

This release updates and expands the available inputs for the Lightning Flow Scan GitHub Action.

Changes

• Branches can now be selected and auto-detection is no longer limited to main or master branches
• outputMode has been removed
  • The action now always generates SARIF output.
• threshold now has a default
  • Default severity threshold is warning.
  • Set threshold: never to never fail the action based on findings.

New Flags

• config — Provide a path to a configuration file (JSON or YAML).
• branch — Specify which branch to scan for scheduled or manual runs.
• betaMode — Enable experimental rules.
• sarif-only — Fail the action if any violations are found, regardless of severity.

Behavior Notes

• All inputs are optional.
• SARIF output is always generated.

Rule ID Matching with Centralized Registry

Release Notes – Rule Registry Refactor

Action tag: action-v2.7.0
Core tag: core-v6.12.0
CLI tag: v6.12.0
VSX Version: v2.6.0

New in this release: Centralized Rule Registry

• Replaces the old DefaultRuleStore / BetaRuleStore with a modern RuleRegistry.

Key improvements

• Cleaner, more maintainable code: all rules registered explicitly in one place.
• Easier to add new rules: just import and call registry.register().
• Full control over rule metadata: ID, legacy name, beta status.
• Encapsulated rule selection logic: merged/isolated mode, beta handling, config overrides.

New feature: Rule IDs in configuration

• Use kebab-case rule IDs (e.g., action-call-in-loop) in config files and getRules() for selection and exceptions.
• Legacy CamelCase names (e.g., ActionCallsInLoop) still work for full backward compatibility.

This provides consistent, predictable rule identifiers while preserving all existing configurations.
No breaking changes to public API or behavior.

Rule: RecordIdAsString

Release Notes

Action tag: action-v2.6.0
Core tag: core-v6.10.0
CLI tag: v6.10.0
VSX Version: v2.4.0

New Rule: RecordIdAsString

Detects flows using a String variable named recordId as input when they could receive the entire record object instead. Since recent Salesforce releases, record pages and quick actions can pass the complete record, eliminating the need for an additional Get Records query and improving performance. This optimization saves a SOQL query and reduces flow execution time.

Severity: 🔵 Note

Example violation:

<variables>
    <name>recordId</name>
    <dataType>String</dataType>
    <isInput>true</isInput>
</variables>
<recordLookups>
    <name>Get_Account</name>
    <filters>
        <field>Id</field>
        <operator>EqualTo</operator>
        <value>
            <elementReference>recordId</elementReference>
        </value>
    </filters>
</recordLookups>

Recommended fix:
Change the variable to receive the full record object:

<variables>
    <name>recordId</name>
    <dataType>SObject</dataType>
    <objectType>Account</objectType>
    <isInput>true</isInput>
</variables>

Applies to: Screen Flows and AutoLaunched Flows (not record-triggered flows)

Credits

Thank you to @fkramer690 for suggesting this optimization in issue #237

Core: fix CWE-94

See Security Advisory "Code Injection via Unsafe Use of new Function() in APIVersion Rule"

Rule: Transform Instead Of Loop

Release Notes

Action tag: action-v2.5.0
Core tag: core-v6.90
CLI tag: v6.9.0
VSX Version: v2.3.0

New Rule: Transform Instead of Loop

TransformInsteadOfLoop – Detects Loop elements that directly connect to Assignment elements. Transform elements handle collection manipulation in bulk operations, providing significant performance improvements over iterative loop-assignment patterns.
Severity: 🔵 Note