Using S4 with IntelliJ
To set up the S4 CLI, follow these steps:
- First, install the Salesforce CLI: visit https://developer.salesforce.com/tools/sfdxcli to download and install the CLI tool.
- To install the S4 plugin, open a terminal window and run the command for your platform:
  Linux or Mac: echo 'y' | sfdx plugins:install https://github.com/S4DigitSec/S4SFDX.git
  Windows: sfdx plugins:install https://github.com/S4DigitSec/S4SFDX.git
  This adds the command digitsec:s4 to your SFDX CLI.
- Next, use the terminal to set the present working directory to the folder you wish to scan.
- Set up an s4creds.json file in the current working directory. It should match the format below. You can find the S4 OrgID by visiting the Scan Results Detail page for your org and examining the URL: it is the string of alphanumeric characters after the last slash.
  {
    "username": "email@gmail.com",
    "password": "password!",
    "orgid": "604806695f5b663f280144b6"
  }
  When the s4creds.json file is present, the CLI uses the values in the file when you create a scan request, so you do not have to include them in your command.
- Once the Salesforce CLI, the S4 plugin and the s4creds.json file are all set up, you can run a scan with default parameters by entering this command in the terminal: "sfdx digitsec:s4"
If you would prefer not to use an s4creds.json file, or you would like to override the defaults, you can pass command line arguments using the following flags:
  Required:
  -u=username
  -p=password
  -f=Location_of_Source_Code
  -o=orgid (S4 Org Id)
  Optional:
  -s=s4Url
  -a=addAuth
  -n=newOrgName (after adding an org, the terminal prints the new orgid to use when running scans against the new org)
- For additional information on ways to use this CLI tool, type "sfdx digitsec:s4 -h" to get usage and flag information.
F.A.Q.:
- Q: When I try to zip a folder to send to the scan, the zipping step seems to hang. How can we resolve this?
  A: If the folder zipping step hangs, double check that you are not zipping a parent directory into a child directory. This creates an infinite loop: the archive keeps zipping itself indefinitely.
  If you are working in /foo and the directory you scan is /foo/bar, your s4creds.json file should be stored at /foo/s4creds.json and your command should include "-f=/foo/bar".
  Also note that the -f flag expects a directory; specifying a single file is not supported.
- Q: I see the optional flag -n. What would be a good use case for this?
  A: If you are testing offline code, use the -n "<newOrgName>" flag to create a new Org in your account. You can also use this option to scan an existing codebase in an online Org but put the results into a new S4 Org for later use.
- Q: I see the optional flag -s. When is that used?
  A: When you are using S4 in a private installation, use this parameter to specify the host system that will execute the scan. Customers that run S4 as a SaaS solution will not use this flag.
- Q: What does the -a flag do for me?
  A: This flag lets you pass -u, -p and -o with it to create an API key. If you use a shared computer or are concerned about plain-text login information being stored locally, pass this flag with the other parameters to get an encrypted token for login instead of the s4creds.json file shown above.
- Q: I am unable to find my S4 OrgId. Where can I find this information?
  A: To find your OrgId, go to https://s4.digitsec.com and sign in. Click on the Org you want your findings saved to, then copy the final string of characters from the URL bar.
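The following shell script is an added example, not part of the S4 plugin or its documentation: it runs two pre-flight checks before invoking sfdx digitsec:s4, namely that s4creds.json (which stores a plaintext password) exists with the three keys the plugin reads and is readable only by its owner, and that the -f target is a directory that is not a parent of the working directory, the situation the first FAQ answer says makes the zip step loop forever. It assumes the archive is written to the working directory and that stat is GNU or BSD.

```shell
#!/bin/sh
# Pre-flight checks before "sfdx digitsec:s4" (added example, not part of the S4 plugin).
# Assumed: the zip archive is written to the working directory, so a scan target that
# is a parent of the working directory would zip itself (the FAQ's infinite loop), and
# s4creds.json holds a plaintext password, so it should be readable by its owner only.

# check_scan_dir TARGET [WORKDIR]: return 0 if TARGET is a directory that is not a
# strict parent of WORKDIR (default: current directory); otherwise explain and return 1.
check_scan_dir() {
  target="$1"; workdir="${2:-$PWD}"
  [ -d "$target" ] || { echo "-f must name a directory, not a file: $target" >&2; return 1; }
  abs_target=$(cd "$target" && pwd -P)
  abs_work=$(cd "$workdir" && pwd -P)
  if [ "$abs_target" = "/" ]; then abs_target=""; fi   # pattern below reads "/?*", not "//?*"
  case "$abs_work" in
    "$abs_target"/?*)
      echo "refusing: $abs_target/ contains the working directory $abs_work;" \
           "the archive would be written inside the tree being zipped" >&2
      return 1 ;;
  esac
  return 0
}

# check_creds_file [FILE]: return 0 if FILE (default ./s4creds.json) exists, carries the
# three keys the plugin reads, and is not readable by group or others; otherwise return 1.
check_creds_file() {
  f="${1:-s4creds.json}"
  [ -f "$f" ] || { echo "no $f in $(pwd); create it or pass -u, -p and -o" >&2; return 1; }
  for key in username password orgid; do
    grep -q "\"$key\"[[:space:]]*:" "$f" || { echo "$f has no \"$key\" entry" >&2; return 1; }
  done
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD/macOS
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f is mode $mode and holds a plaintext password; run: chmod 600 $f" >&2; return 1 ;;
  esac
}

# run_scan TARGET: run both checks from the working directory, then invoke the plugin.
run_scan() {
  check_creds_file s4creds.json && check_scan_dir "$1" && sfdx digitsec:s4 -f="$1"
}

if [ $# -gt 0 ]; then run_scan "$1"; fi
```

Run it from the folder that holds s4creds.json, e.g. `sh s4_preflight.sh /foo/bar` from /foo; a scan is only started when both checks pass.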