# Salesforce AppExchange Code Analyzer reports before review attempt > Run Code Analyzer with the AppExchange and Recommended:Security rules before submitting, so the first paid review attempt is checking your package rather than discovering preventable noise. - Canonical HTML: https://growth.iangoh.com/growth-ideas/salesforce-appexchange-code-analyzer-reports-before-review-attempt/ - Source: [developer.salesforce.com](https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/appexchange.html) - GrowthDex source hub: [Salesforce Code Analyzer: Produce Code Analyzer Reports for AppExchange Security Review](/sources/salesforce-code-analyzer-produce-code-analyzer-reports-for-appexchange-s/) - Last checked: 2026-06-05T04:02:18Z - Rarity: rare - Budget: free - Channels: Marketplaces, Trust, Engineering - Stages: security review, submission prep, code scanning, launch risk ## Why this can grow Security Review is part of distribution on AppExchange, not a side quest after product work is done. Salesforce requires partners to upload Code Analyzer scan reports with the submission and says the right move is to run the scans, fix what you can, rerun them, and then submit. That does two things. It lowers the odds that the first review attempt is spent on obvious issues, and it forces the package team to turn security review into a repeatable preflight instead of a launch-week surprise. ## Ian's take From scaling consumer platforms across MENA and Southeast Asia, my default is to distrust growth work that only looks good in a slide. My bias is to treat this as a small market test first. Make the audience narrow, make the promise concrete, and let the first real response decide whether it deserves more work. I would run it small enough to learn quickly, then only scale the parts that real users repeat, save, reply to, or buy from. For this tactic, I would watch one clear growth signal before putting more time or budget behind it. ## Action plan 1. Define one narrow startup segment where salesforce appexchange code analyzer reports before review attempt can create a measurable lift. 2. Turn the tactic into one offer, page, campaign, or workflow for the Marketplaces and Trust channel. 3. Use the evidence from developer.salesforce.com to set the first version of the message, format, and audience. 4. Launch a small test for 7 to 14 days with one success metric: one measurable growth signal. 5. Review the result, keep the winning message, remove weak variants, and turn the learning into a repeatable growth playbook. ## Source-backed example Salesforce's Code Analyzer guide says AppExchange partners must scan code with Code Analyzer, using the AppExchange and Recommended:Security rule selectors, upload the reports with the submission, and rerun after fixing what they can. ## Adjacent tactics in the same lane - [HubSpot agent tool scope only for the context you use](/growth-ideas/hubspot-agent-tool-scope-only-for-the-context-you-use/) - 3 shared channels - [monday marketplace partner page with installs, ratings, and support](/growth-ideas/monday-marketplace-partner-page-with-installs-ratings-and-support/) - 2 shared channels - [HubSpot agent tool config describes the run you can prove](/growth-ideas/hubspot-agent-tool-config-describes-the-run-you-can-prove/) - 2 shared channels - [HubSpot agent tool three-minute review video before approval](/growth-ideas/hubspot-agent-tool-three-minute-review-video-before-approval/) - 2 shared channels ## Read GrowthDex essays Browse the plain-English essay index at [GrowthDex Blog](/blog/). ## Related GrowthDex essays - [The AppExchange listing should survive the trial handoff](/blog/the-appexchange-listing-should-survive-the-trial-handoff/) - marketplaces, brand trust, onboarding ## Advisory If you want help turning this into a working growth system, Ian Goh offers advisory at https://iangoh.com/advisory.