Security Policy for Lightning Flow Scanner

January 3, 2026

Security Practices

  • All code is open-source and peer-reviewed by the community.
  • Vulnerabilities can be reported privately via GitHub vulnerability reporting.
  • All changes are scanned with Snyk prior to publication.
  • Releases to npm are published using GitHub Actions Trusted Publishing (OIDC).
  • Tags (v*) trigger automated npm publish, providing a full audit trail.
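To make the last two practices concrete, the following is an illustrative GitHub Actions release workflow (an added example, not the project's own workflow file). It assumes a hypothetical file .github/workflows/release.yml, a package that builds with `npm ci` and `npm run build`, and a trusted-publisher entry configured on npmjs.com that names this repository and workflow. With OIDC trusted publishing the job requests a short-lived identity token (`id-token: write`) and npm exchanges it for publish rights, so no long-lived NPM_TOKEN secret exists to leak; `--provenance` attaches a signed attestation linking the published tarball to the tag and commit, which is what provides the audit trail.

```yaml
# Constructed example: release on version tags via OIDC trusted publishing.
name: release

on:
  push:
    tags:
      - "v*"          # only tags such as v1.2.3 trigger a publish

permissions:
  contents: read      # least privilege: no write access to the repository
  id-token: write     # required so the job can mint an OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI; upgrade explicitly
      # rather than relying on whatever version ships with the runner.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build

      # No NODE_AUTH_TOKEN is set: authentication is the OIDC token exchange.
      # --provenance publishes a signed build attestation alongside the package.
      - run: npm publish --provenance --access public
```

Two points a reviewer would check on a workflow like this: the tag filter must match the trusted-publisher configuration on npm (repository, workflow file name and, if used, environment), otherwise the token exchange is rejected; and no other job in the repository should carry `id-token: write`, since any workflow with that permission in a matching configuration could publish.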

Data Handling

This tool collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.

We temporarily use metadata (e.g., Flow metadata, timestamps) in-memory only for real-time functionality during your session. This data is never stored, logged, or transmitted and is discarded immediately when the session ends.

Note: You may manually save scan results (e.g., reports, CSV, JSON) to your local filesystem. These files are created at your request and remain under your full control. This tool does not access, upload, or retain them.

Dependencies

We actively track and maintain an up-to-date inventory of all third-party dependencies to ensure security and compatibility. Our dependencies include:

Core

Package | License | Purpose
fast-xml-parser | MIT | Validate, parse and build XML rapidly.

CLI

Package | License | Purpose
@oclif/core | MIT | CLI framework core utilities
@salesforce/core | BSD-3-Clause | Salesforce core library for CLI plugins
@salesforce/sf-plugins-core | Apache License 2.0 | Base library for Salesforce CLI plugins
chalk | MIT | Terminal string styling (colors)
cosmiconfig | MIT | Config file loader for JavaScript/Node
glob | MIT | File pattern matching

VSX

Package | License | Purpose
cosmiconfig | MIT | Config file loader for JavaScript/Node
glob | MIT | File pattern matching
tabulator-tables | MIT | Interactive tables and data grids for web apps
uuid | MIT | Generates RFC-compliant UUIDs

Action

Package | License | Purpose
@actions/core | MIT | Toolkit for developing GitHub Actions
@actions/github | MIT | Interact with the GitHub API in Actions
cosmiconfig | MIT | Config file loader for JavaScript/Node