Security Review (AppExchange)
Salesforce's mandatory review, static and dynamic analysis plus manual checks, that a package must pass before AppExchange listing.
Definition
The AppExchange Security Review is Salesforce's mandatory assessment of a package before it can be listed on AppExchange, combining automated static and dynamic code analysis with manual review for vulnerabilities like SOQL injection, cross-site scripting, insecure sharing, and hardcoded credentials. It applies to both managed and unlocked packages headed for public or private AppExchange listing.
Reviewers also check sharing and field-level security configuration, since a package that exposes more data than intended is a common finding. Review time typically ranges from a few days to several weeks, depending on submission volume and how many rounds of feedback a package needs before it passes.
Most first submissions come back with findings that require code changes, so ISVs that budget review time into their release calendar, rather than treating it as an afterthought right before a launch date, tend to have a much smoother path to listing.
How it works in Serpent
Serpent's AI code review checks for the same class of issues, SOQL injection, sharing violations, hardcoded secrets, and missing field-level security, on every task before merge, so a package heading toward AppExchange submission has already caught its obvious findings long before the formal review. Combined with native 2GP builds and full version tracking, ISVs get a cleaner submission without hiring a dedicated security reviewer, and fewer rounds of feedback per release.

Security Review (AppExchange), answered
Start free. No credit card, no install, no commitment.
Set up in under 15 minutes. No DevOps hire needed.
