Back to Scan

🛡️ Security Assessment Report

Salesforce Aura Security Scanner — Automated Analysis

{% set rl = risk_label | lower %}
{{ risk_score }}/100 {{ risk_label }}
Generated {{ generated_at }}
{% if scanner_names %} {% endif %}
Target URL{{ scan.target_url }}
Scan Type{% if scan.scan_type == 'auth' %}Authenticated (Cookie Session){% else %}Guest (Unauthenticated){% endif %}
Scan ID#{{ scan.id }}
Scanners{{ scanner_names | join(', ') }}
{% if scan.completed_at %} {% endif %}
Started{{ scan.created_at.strftime('%Y-%m-%d %H:%M UTC') }}
Completed{{ scan.completed_at.strftime('%Y-%m-%d %H:%M UTC') }}
Analyst{{ user.username }}
Total Findings{{ findings | length }}
Risk Score {{ risk_score }}/100 — {{ risk_label }}

Executive Summary

{% if scan.ai_analysis and scan.ai_analysis.risk_summary %}

{{ scan.ai_analysis.risk_summary }}

{% if scan.ai_analysis.critical_patterns %}

Key Risk Patterns Identified

{% endif %} {% else %}

Automated security scan of {{ scan.target_url }} completed on {{ generated_at }}. {% if counts.critical > 0 or counts.high > 0 %} The scan identified {{ counts.critical + counts.high }} high-severity finding(s) requiring immediate remediation — {{ counts.critical }} Critical and {{ counts.high }} High. Unauthenticated access to sensitive Salesforce objects or API endpoints may expose consumer data and violate GDPR / CCPA / PDPA obligations. {% elif counts.medium > 0 %} The scan identified {{ counts.medium }} medium-severity finding(s) requiring timely remediation. {% else %} No high or medium-severity findings were detected. Review low/info findings for defence-in-depth improvements. {% endif %}

{% endif %}

Findings Summary

{% for sev, label, color in [('critical','Critical','#c62828'),('high','High','#e65100'),('medium','Medium','#6a1fa8'),('low','Low','#1565c0'),('info','Info','#2e7d32')] %}
{{ counts[sev] }}
{{ label }}
{% endfor %}

{{ findings | length }} total finding(s) across {{ scanner_names | length }} scanner module(s). Computed risk score: {{ risk_score }}/100 ({{ risk_label }}). {% if scan.ai_analysis and scan.ai_analysis.risk_score %}AI-assessed: {{ scan.ai_analysis.risk_score }}/100.{% endif %}

{% if affected_objects_list %}

Affected Salesforce Objects

Salesforce sObjects referenced in findings, sorted by maximum severity. Objects exposed to guest users without appropriate sharing rules may allow bulk data extraction.

{% for obj in affected_objects_list %} {% endfor %}
Salesforce Object Max Severity Associated Finding(s)
{{ obj.name }} {{ obj.severity }} {{ obj.finding_titles | join('; ') }}
{% endif %}

Detailed Findings

{% for finding in findings %} {% set rem = remediation_by_finding.get(finding.id) %}
{{ finding.severity }} {% if finding.owasp_ref %} {{ finding.owasp_ref }} {% endif %} {% if finding.scanner %} {{ finding.scanner }} {% endif %} {{ finding.title }}

{{ finding.description }}

{% if finding.affected_objects %}

Affected Objects

{% for obj in finding.affected_objects %} {{ obj }} {% endfor %}
{% endif %} {% if finding.evidence %}

Technical Evidence

{{ finding.evidence }}
{% endif %} {% if finding.remediation %}

Remediation Note

{{ finding.remediation }}

{% endif %} {% if rem %}
► Salesforce Fix Guide — {{ rem.owasp }} {{ rem.title }}

Salesforce Setup Steps

    {% for step in rem.setup_steps %}
  1. {{ step }}
  2. {% endfor %}
{% if rem.apex_example %}

Apex Code Fix

{{ rem.apex_example }}
{% endif %}

Post-Fix Verification (SOQL / Command)

{% set owasp_key = (rem.owasp or '').split(':')[0] %} {% if owasp_key == 'API1' %} Run in Developer Console: SELECT SObjectType, PermissionsRead, PermissionsCreate FROM ObjectPermissions WHERE Parent.Name='[Guest Profile Name]' AND PermissionsRead=true → must return 0 rows for sensitive objects. {% elif owasp_key == 'API3' %} Run in Developer Console: SELECT Field, PermissionsRead FROM FieldPermissions WHERE Parent.Name='[Guest Profile Name]' AND PermissionsRead=true AND SObjectType='[SObject API Name]' → sensitive fields must return 0 rows. {% elif owasp_key == 'API5' %} Test the Aura endpoint unauthenticated: curl -X POST "{{ scan.target_url }}/s/sfsites/aura" -d 'message=...' → privileged controllers must return 403 or AuraHandledException. {% elif owasp_key == 'API8' %} Verify HTTPS enforcement: curl -I http://{{ scan.target_url | replace('https://','') | replace('http://','') }} → must return HTTP 301 redirect to HTTPS. {% else %} Re-run this scan after applying the fix. The finding must no longer appear in results. {% endif %}

{% endif %}
{% else %}

No findings recorded for this scan.

{% endfor %}
{% if findings %}

Business Impact Assessment

{% if counts.critical > 0 %} {% endif %} {% if counts.critical > 0 %} {% endif %} {% if counts.high > 0 %} {% endif %} {% if counts.medium > 0 %} {% endif %} {% if counts.low > 0 or counts.info > 0 %} {% endif %}
Impact Area Description Risk Level
Data Exposure {{ counts.critical }} critical finding(s) indicate unauthenticated read access to Salesforce objects via Aura/LWC endpoints. Consumer PII or sensitive business records may be accessible without login and extractable via the Salesforce REST/SOAP/GraphQL API. CRITICAL
Regulatory Exposure Unauthenticated PII access may constitute a personal data breach under GDPR Art. 33/34 (72-hour DPA notification), CCPA, PDPA (Thailand), LGPD (Brazil), or other applicable regulations. DPO assessment is mandatory. CRITICAL
Access Control {{ counts.high }} high-severity finding(s) indicate broken object-level or function-level authorization. Attackers may enumerate, read, or manipulate records beyond their intended scope, including via automated bulk API extraction. HIGH
API Surface Exposure {{ counts.medium }} medium-severity finding(s) relating to excessive data returned by Aura controllers, missing authentication guards on Apex endpoints, or exposed org metadata that aids reconnaissance. MEDIUM
Security Posture {{ counts.low + counts.info }} low/info finding(s) including missing HTTP security headers (HSTS, CSP, X-Frame-Options), insecure session cookie flags, or open redirect vectors that weaken defence-in-depth. LOW
{% endif %} {% if remediation_sections %}

Remediation Checklist

Apply fixes in priority order (Critical → High → Medium → Low). Tick each item only after the post-fix verification query confirms the issue is resolved. All Apex / metadata changes should follow the standard DevSecOps pipeline: feature branch → SIT → UAT → Production.

{% for section in remediation_sections %} {% set owasp_key = (section.owasp or '').split(':')[0] %} {% else %} {% endfor %}
# OWASP Category Salesforce Setup Steps Priority
ST-{{ loop.index }} {{ section.title }} {{ section.owasp }}
    {% for step in section.setup_steps[:4] %}
  1. {{ step }}
  2. {% endfor %} {% if section.setup_steps | length > 4 %}
  3. +{{ section.setup_steps | length - 4 }} more steps — expand finding above.
  4. {% endif %}
{% if section.apex_example %}
► View Apex Fix
{{ section.apex_example }}
{% endif %}
Verify: {% if owasp_key == 'API1' %} SELECT SObjectType, PermissionsRead FROM ObjectPermissions WHERE Parent.Name='[Guest Profile]' AND PermissionsRead=true → 0 rows {% elif owasp_key == 'API3' %} SELECT Field, PermissionsRead FROM FieldPermissions WHERE Parent.Name='[Guest Profile]' AND PermissionsRead=true AND SObjectType='[Object]' → 0 rows {% elif owasp_key == 'API5' %} Unauthenticated call to privileged Apex controller must return AuraHandledException or HTTP 403. {% elif owasp_key == 'API8' %} curl -I http://[site-domain] → HTTP 301 redirect to HTTPS; security headers present. {% else %} Re-run scan — this finding must not reappear after fix is deployed. {% endif %}
{% if owasp_key in ('API1', 'API2') %} P1 Immediate {% elif owasp_key in ('API3', 'API5') %} P2 0–7 days {% elif owasp_key in ('API4', 'API6') %} P3 7–14 days {% else %} P4 14–30 days {% endif %}
No remediation items available.
{% endif %} {% if scan.ai_analysis and scan.ai_analysis.priority_actions %}

Priority Action Plan AI-Generated

{% for action in scan.ai_analysis.priority_actions %} {% endfor %}
#ActionUrgencyType
{{ loop.index }} {{ action.action }} {{ action.urgency | upper }} {{ action.type | title }}
{% endif %}