Salesforce rules
Action Pollers should not use short polling intervals
Avoid Catch Block with just logs
Avoid configuration elements without "description"
Avoid custom fields without Description or Help text
Avoid defining more than one Trigger per Object - Medium
Avoid defining multiple triggers per object
Avoid displaying the results of unbounded queries on a page
Avoid excessive sharing rules on an object
Avoid excessive validation rules
Avoid Formula Fields with JavaScript code
Avoid free entry Custom Fields with no data restrictions
Avoid hardcoded URLs
Avoid having more than one Apex Trigger per Object
Avoid importing css and javascript files from sources other than static resources
Avoid importing images from sources other than static resources
Avoid importing multiple CSS files individually
Avoid importing multiple JavaScript files individually
Avoid inactive validation rules
Avoid maintaining legacy code with outdated API versions
Avoid objects without indexed fields
Avoid objects without picklist fields
Avoid picklist fields with too many values
Avoid return statements in try/catch finally blocks
Avoid unreachable code
Avoid using <apex:includeScript>
Avoid using an excessive number of images
Avoid using data grids
Avoid using function SObjectType.getDescribe in FLS checks
Avoid using HTML tags which will be removed by the VisualForce page
Avoid using more than one <apex:form> tag per page
Avoid using outdated API versions in new code
Avoid using the Attachments Object
Avoid using the File Download Servlet to reference static resources
Bounded relative date values should be used whenever appropriate
Clickjack protection for customer Visualforce pages with standard headers turned off is disabled
Clickjack protection for customer Visualforce pages with standard headers turned on is disabled
Clickjack protection for non-setup Salesforce pages is disabled
Clickjack protection for setup pages is disabled
Component id must be unique
Configuration elements
Convert Attachments to Files
Coverage of Unit Tests is less than 75%
Cross-domain session information is exchanged using a GET request instead of a POST request
Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled
Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled
Details should not be shown by default
HTTPS is not required to log in to or access Salesforce
Inactivity Time Warning
Include JavaScript code from Static Resources
Naming Convention for Salesforce
Optimize HTML by removing unnecessary HTML
Optimize JavaScript
Page names should always begin with an upper case character
Password Policy: Obfuscate the Secret Answer
Password Policy: Obfuscate the Secret Answer for password resets
Password Policy: Password question requirement set to None
Password policy complexity too weak - Alphanumeric restriction only
Password policy complexity too weak - No restrictions
Password Policy Expiration too weak - Never
Password Policy Expiration too weak - Non-expiring passwords
Password Policy Expiration too weak - One year
Password Policy Expiration too weak - Password lifetime over 90 days
Password Policy Expiration too weak - Six months
Password Policy Max Login Attempts too wide
Password Policy Max Login Attempts - Unlimited
Password Policy Minimum Password Length too weak
Password Policy Password Hint contains password
Password Policy Repetition too weak
Prevent Unauthorized use of session ID
Protection against reflected cross-site scripting attacks is disabled
Ratio Custom Fields to total Fields in Standard Objects - High
Ratio Custom Fields to total Fields in Standard Objects - Low
Ratio Custom Fields to total Fields in Standard Objects - Medium
Ratio of Custom Objects to Standard Objects - High
Ratio of Custom Objects to Standard Objects - Low
Ratio of Custom Objects to Standard Objects - Medium
Session Policy - Enable Content Security Policy
Static Resources should be used to serve JavaScript, CSS and images
The "contains" and "does not contain" filter operators should not be used
The "or" operator should not be used
The browser is not prevented from inferring the MIME type from the document content and from executing malicious files
The instance has more than 5,000 lines of Apex code
The IP addresses in Login IP Ranges are enforced only when a user logs in
The number of fields on a report should be kept to a minimum
The percentage of asynchronous classes is too high
There are free entry Custom Fields with no data restriction
There is no session timeout for inactive users
The show filter should not contain the "All" option
The trusted IP range is too wide
Too many Apex Classes (Over 50 - Does not include Test Classes or Downloaded Apps)
Too many branches on Role Hierarchy
Too many Custom Reports over used objects
Too many Profiles and Permission Sets
Too many Reports and Dashboards without folder assigned
Too many Roles (over 20)
Too many Dashboards over used objects
Unbounded time intervals should not be used
Unused report: Last run from 1 to 2 years
Unused report: Last run from 90 days to 1 year
Unused report: Last run over two years
Use custom components to lazy load data in APEX pages
Use of Open Source Javascript framework
Use the render attribute to update the component
Visualforce, Salesforce sites, or Communities must use HTTPS
See also the PMD rules included in Salesforce analysis.