Salesforce rules

Action Pollers should not use short polling intervals

Avoid custom fields without Description or Help text

Avoid defining more than one Trigger per Object - Low

Avoid defining more than one Trigger per Object - Medium

Avoid displaying the results of unbounded queries on a page

Avoid excessive sharing rules on an object

Avoid excessive validation rules

Avoid Formula Fields with JavaScript code

Avoid free entry Custom Fields with no data restrictions

Avoid hardcoded URLs

Avoid having more than one Apex Trigger per Object

Avoid importing CSS and JavaScript files from sources other than static resources

Avoid importing images from sources other than static resources

Avoid importing multiple CSS files individually

Avoid importing multiple JavaScript files individually

Avoid inactive validation rules

Avoid maintaining legacy code with outdated API versions

Avoid objects without indexed fields

Avoid objects without picklist fields

Avoid unreachable code

Avoid using <apex:includeScript>

Avoid using an excessive number of images

Avoid using data grids

Avoid using function SObjectType.getDescribe in FLS checks

Avoid using HTML tags which will be removed by the VisualForce page

Avoid using more than one <apex:form> tag per page

Avoid using outdated API versions in new code

Avoid using the Attachments Object

Avoid using the File Download Servlet to reference static resources

Bounded relative date values should be used whenever appropriate

Clickjack protection for customer Visualforce pages with standard headers turned off is disabled

Clickjack protection for customer Visualforce pages with standard headers turned on is disabled

Clickjack protection for non-setup Salesforce pages is disabled

Clickjack protection for setup pages is disabled

Component id must be unique

Configuration element

Convert Attachments to Files

Coverage of Unit Tests is less than 75%

Cross-domain session information is exchanged using a GET request instead of a POST request

Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled

Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled

Details should not be shown by default

HTTPS is not required to log in to or access Salesforce

Impact area

Inactivity Time Warning

Include JavaScript code from Static Resources

Optimize HTML by removing unnecessary HTML

Optimize JavaScript

Page names should always begin with an upper case character

Password Policy: Obfuscate the Secret Answer

Password Policy: Obfuscate the Secret Answer for password resets

Password Policy: Password question requirement set to None

Password policy complexity too weak - Alphanumeric restriction only

Password policy complexity too weak - No restrictions

Password Policy Expiration too weak - Never

Password Policy Expiration too weak - Non-expiring passwords

Password Policy Expiration too weak - One year

Password Policy Expiration too weak - Password lifetime over 90 days

Password Policy Expiration too weak - Six months

Password Policy Max Login Attempts too wide

Password Policy Max Login Attempts - Unlimited

Password Policy Minimum Password Length too weak

Password Policy Password Hint contains password

Password Policy Repetition too weak

Prevent unauthorised use of session ID

Protection against reflected cross-site scripting attacks is disabled

Ratio Custom Fields to total Fields in Standard Objects - High

Ratio Custom Fields to total Fields in Standard Objects - Low

Ratio Custom Fields to total Fields in Standard Objects - Medium

Ratio of Custom Objects to Standard Objects - High

Ratio of Custom Objects to Standard Objects - Low

Ratio of Custom Objects to Standard Objects - Medium

Session Policy - Enable Content Security Policy

Static Resources should be used to serve JavaScript, CSS and images

The "contains" and "does not contain" filter operators should not be used

The "or" operator should not be used

The browser is not prevented from inferring the MIME type from the document content and from executing malicious files

The instance has more than 5,000 lines of Apex code

The IP addresses in Login IP Ranges are enforced only when a user logs in

The number of fields on a report should be kept to a minimum

The percentage of asynchronous classes is too high

There are free entry Custom Fields with no data restriction

There is no session timeout for inactive users

The show filter should not contain the "All" option

The trusted IP range is too wide

Too many Apex Classes (Over 50 - Does not include Test Classes or Downloaded Apps)

Too many branches on Role Hierarchy

Too many Custom Reports over used objects

Too many Profiles and Permission Sets

Too many Reports and Dashboards without folder assigned

Too many Roles (over 20)

Too many Dashboards over used objects

Unbounded time intervals should not be used

Unused report: Last run from 1 to 2 years

Unused report: Last run from 90 days to 1 year

Unused report: Last run over two years

Use custom components to lazy load data in Apex pages

Use of open source JavaScript framework

Use the render attribute to update the component

Visualforce, Salesforce sites, or Communities must use HTTPS

See also the PMD rules included in Salesforce analysis.