Try Serpent Free
← Salesforce DevOps Glossary

Security Review (AppExchange)

Salesforce's mandatory review, static and dynamic analysis plus manual checks, that a package must pass before AppExchange listing.

Definition

The AppExchange Security Review is Salesforce's mandatory assessment of a package before it can be listed on AppExchange, combining automated static and dynamic code analysis with manual review for vulnerabilities like SOQL injection, cross-site scripting, insecure sharing, and hardcoded credentials. It applies to both managed and unlocked packages headed for public or private AppExchange listing.

Reviewers also check sharing and field-level security configuration, since a package that exposes more data than intended is a common finding. Review time typically ranges from a few days to several weeks, depending on submission volume and how many rounds of feedback a package needs before it passes.

Most first submissions come back with findings that require code changes, so ISVs that budget review time into their release calendar, rather than treating it as an afterthought right before a launch date, tend to have a much smoother path to listing.

In practice

How it works in Serpent

Serpent's AI code review checks for the same class of issues, SOQL injection, sharing violations, hardcoded secrets, and missing field-level security, on every task before merge, so a package heading toward AppExchange submission has already caught its obvious findings long before the formal review. Combined with native 2GP builds and full version tracking, ISVs get a cleaner submission without hiring a dedicated security reviewer, and fewer rounds of feedback per release.

Approval and audit traceability in Serpent
Common questions

Security Review (AppExchange), answered

How long does the AppExchange Security Review usually take?
It varies with submission volume and how clean the initial submission is, ranging from a few days for a straightforward resubmission to several weeks for a first-time package with multiple rounds of findings.
Does the security review apply to unlocked packages too?
Yes. Any package, managed or unlocked, headed for public or private AppExchange listing has to pass the same security review before it can be listed.
What are the most common reasons a package fails on first submission?
SOQL injection, cross-site scripting, insecure sharing configuration, and hardcoded credentials or API keys are the most frequent findings in first-round security review feedback.

Start free. No credit card, no install, no commitment.

Set up in under 15 minutes. No DevOps hire needed.

Curious about faster shipping before you dive in? Let's talk

Commitment free!