hardis:org:diagnose:unsecure-connected-apps
Description
Command Behavior
Detects unsecured Connected Apps in a Salesforce org and generates detailed reports for security analysis.
This command is a critical security diagnostic tool that helps administrators identify Connected Apps that may pose security risks due to improper configuration. It provides comprehensive analysis of OAuth tokens and Connected App security settings to ensure proper access control.
Key functionalities:
- OAuth Token Analysis: Queries all OAuth tokens in the org using SOQL to retrieve comprehensive token information including app names, users, authorization status, and usage statistics.
- Security Status Assessment: Evaluates each Connected App's security configuration by checking the
IsUsingAdminAuthorizationflag to determine if admin pre-approval is required. - Unsecured App Detection: Identifies Connected Apps that allow users to authorize themselves without admin approval, which can pose security risks.
- Detailed Reporting: Generates two comprehensive CSV reports:
- OAuth Tokens Report: Lists all OAuth tokens with security status, user information, and usage data
- Connected Apps Summary: Aggregates unsecured Connected Apps with counts of associated OAuth tokens
- Visual Indicators: Uses status icons (❌ for unsecured, ✅ for secured) to provide immediate visual feedback on security status.
- Security Recommendations: Provides actionable guidance on how to secure Connected Apps through proper configuration.
- Notifications: Sends alerts to configured channels (Grafana, Slack, MS Teams) with security findings and attached reports.
This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.
Technical explanations
The command's technical implementation involves:
- SOQL Query Execution: Executes a comprehensive SOQL query on the
OauthTokenobject, joining withAppMenuItemandUserobjects to gather complete security context. - Security Analysis Logic: Analyzes the
AppMenuItem.IsUsingAdminAuthorizationfield to determine if a Connected App requires admin pre-approval for user authorization. - Data Transformation: Processes raw SOQL results to add security status indicators and reorganize data for optimal reporting and analysis.
- Aggregation Processing: Groups OAuth tokens by Connected App name to provide summary statistics and identify the most problematic applications.
- Report Generation: Uses
generateCsvFileto create structured CSV reports with proper formatting and metadata for easy analysis and sharing. - Notification Integration: Integrates with the
NotifProviderto send security alerts with detailed metrics, including the number of unsecured Connected Apps and associated OAuth tokens. - File Management: Generates multiple output formats (CSV, XLSX) and manages file paths using
generateReportPathfor consistent report organization. - Connection Management: Uses
setConnectionVariablesto ensure proper authentication context for notification providers that require org connection details.
Parameters
| Name | Type | Description | Default | Required | Options |
|---|---|---|---|---|---|
| debug -d |
boolean | Activate debug mode (more logs) | |||
| flags-dir | option | undefined | |||
| json | boolean | Format output as json. | |||
| outputfile -f |
option | Force the path and name of output report file. Must end with .csv | |||
| skipauth | boolean | Skip authentication check when a default username is required | |||
| target-org -o |
option | undefined | |||
| websocket | option | Websocket host:port for VsCode SFDX Hardis UI integration |
Examples
$ sf hardis:org:diagnose:unsecure-connected-apps