From 7be3a6e3a63984912858585cefb855b3412c9218 Mon Sep 17 00:00:00 2001
From: Josh Feingold <jfeingold@salesforce.com>
Date: Thu, 12 Dec 2024 14:42:07 -0600
Subject: [PATCH] CHANGE @W-17312010@ Adding PMD AppExchange rule docs to keep
 links functional (#1697)

---
 pmd-appexchange/docs/AvoidApiSessionId.md     | 18 ++++++++++
 .../docs/AvoidApiSessionIdInXML.md            | 18 ++++++++++
 .../docs/AvoidAuraAppWithLockerDisabled.md    | 18 ++++++++++
 .../docs/AvoidAuraCmpWithLockerDisabled.md    | 18 ++++++++++
 .../docs/AvoidChangeProtectionUnprotected.md  | 18 ++++++++++
 .../docs/AvoidCreateElementScriptLinkTag.md   | 28 ++++++++++++++++
 .../docs/AvoidDisableProtocolSecurity.md      | 18 ++++++++++
 .../docs/AvoidDisableProtocolSecurityInXML.md | 18 ++++++++++
 .../docs/AvoidGetInstanceWithTaint.md         | 20 +++++++++++
 .../AvoidGlobalInstallUninstallHandlers.md    | 23 +++++++++++++
 .../docs/AvoidHardCodedCredentialsInAura.md   | 18 ++++++++++
 .../docs/AvoidHardCodedSecretsInVFAttrs.md    | 18 ++++++++++
 .../AvoidHardcodedCredentialsInFieldDecls.md  | 19 +++++++++++
 .../AvoidHardcodedCredentialsInHttpHeader.md  | 17 ++++++++++
 .../AvoidHardcodedCredentialsInSetPassword.md | 18 ++++++++++
 .../AvoidHardcodedCredentialsInVarAssign.md   | 23 +++++++++++++
 .../AvoidHardcodedCredentialsInVarDecls.md    | 19 +++++++++++
 .../AvoidInsecureHttpRemoteSiteSetting.md     | 18 ++++++++++
 ...AvoidInsecureHttpRemoteSiteSettingInXML.md | 18 ++++++++++
 .../AvoidInvalidCrudContentDistribution.md    | 33 +++++++++++++++++++
 .../docs/AvoidJavaScriptCustomObject.md       | 18 ++++++++++
 .../docs/AvoidJavaScriptHomePageComponent.md  | 18 ++++++++++
 .../docs/AvoidJavaScriptWeblink.md            | 18 ++++++++++
 .../docs/AvoidJsLinksInCustomObject.md        | 18 ++++++++++
 .../docs/AvoidJsLinksInWebLinks.md            | 18 ++++++++++
 pmd-appexchange/docs/AvoidLmcIsExposedTrue.md | 18 ++++++++++
 .../docs/AvoidLmcIsExposedTrueInXML.md        | 18 ++++++++++
 .../docs/AvoidLwcBubblesComposedTrue.md       | 18 ++++++++++
 pmd-appexchange/docs/AvoidSControls.md        | 18 ++++++++++
 .../AvoidSecurityEnforcedOldApiVersion.md     | 18 ++++++++++
 .../docs/AvoidSystemModeInFlows.md            | 18 ++++++++++
 .../AvoidUnauthorizedApiSessionIdInApex.md    | 18 ++++++++++
 .../AvoidUnauthorizedApiSessionIdInFlows.md   | 18 ++++++++++
 ...voidUnauthorizedApiSessionIdVisualforce.md | 18 ++++++++++
 .../AvoidUnauthorizedGetSessionIdInApex.md    | 18 ++++++++++
 ...idUnauthorizedGetSessionIdInVisualforce.md | 18 ++++++++++
 pmd-appexchange/docs/AvoidUnescapedHtml.md    | 18 ++++++++++
 .../docs/AvoidUnsafePasswordManagementUse.md  | 18 ++++++++++
 .../docs/LimitConnectedAppScope.md            | 19 +++++++++++
 pmd-appexchange/docs/LoadCSSApexStylesheet.md | 26 +++++++++++++++
 pmd-appexchange/docs/LoadCSSLinkHref.md       | 26 +++++++++++++++
 .../docs/LoadJavaScriptHtmlScript.md          | 26 +++++++++++++++
 .../docs/LoadJavaScriptIncludeScript.md       | 26 +++++++++++++++
 pmd-appexchange/docs/ProtectSensitiveData.md  | 16 +++++++++
 .../docs/UpgradeLwcLockerSecuritySupport.md   | 18 ++++++++++
 pmd-appexchange/docs/UseHttpsCallbackUrl.md   | 18 ++++++++++
 pmd-appexchange/docs/UseLwcDomManual.md       | 27 +++++++++++++++
 47 files changed, 924 insertions(+)
 create mode 100644 pmd-appexchange/docs/AvoidApiSessionId.md
 create mode 100644 pmd-appexchange/docs/AvoidApiSessionIdInXML.md
 create mode 100644 pmd-appexchange/docs/AvoidAuraAppWithLockerDisabled.md
 create mode 100644 pmd-appexchange/docs/AvoidAuraCmpWithLockerDisabled.md
 create mode 100644 pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md
 create mode 100644 pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md
 create mode 100644 pmd-appexchange/docs/AvoidDisableProtocolSecurity.md
 create mode 100644 pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md
 create mode 100644 pmd-appexchange/docs/AvoidGetInstanceWithTaint.md
 create mode 100644 pmd-appexchange/docs/AvoidGlobalInstallUninstallHandlers.md
 create mode 100644 pmd-appexchange/docs/AvoidHardCodedCredentialsInAura.md
 create mode 100644 pmd-appexchange/docs/AvoidHardCodedSecretsInVFAttrs.md
 create mode 100644 pmd-appexchange/docs/AvoidHardcodedCredentialsInFieldDecls.md
 create mode 100644 pmd-appexchange/docs/AvoidHardcodedCredentialsInHttpHeader.md
 create mode 100644 pmd-appexchange/docs/AvoidHardcodedCredentialsInSetPassword.md
 create mode 100644 pmd-appexchange/docs/AvoidHardcodedCredentialsInVarAssign.md
 create mode 100644 pmd-appexchange/docs/AvoidHardcodedCredentialsInVarDecls.md
 create mode 100644 pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSetting.md
 create mode 100644 pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSettingInXML.md
 create mode 100644 pmd-appexchange/docs/AvoidInvalidCrudContentDistribution.md
 create mode 100644 pmd-appexchange/docs/AvoidJavaScriptCustomObject.md
 create mode 100644 pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md
 create mode 100644 pmd-appexchange/docs/AvoidJavaScriptWeblink.md
 create mode 100644 pmd-appexchange/docs/AvoidJsLinksInCustomObject.md
 create mode 100644 pmd-appexchange/docs/AvoidJsLinksInWebLinks.md
 create mode 100644 pmd-appexchange/docs/AvoidLmcIsExposedTrue.md
 create mode 100644 pmd-appexchange/docs/AvoidLmcIsExposedTrueInXML.md
 create mode 100644 pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md
 create mode 100644 pmd-appexchange/docs/AvoidSControls.md
 create mode 100644 pmd-appexchange/docs/AvoidSecurityEnforcedOldApiVersion.md
 create mode 100644 pmd-appexchange/docs/AvoidSystemModeInFlows.md
 create mode 100644 pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md
 create mode 100644 pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md
 create mode 100644 pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md
 create mode 100644 pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md
 create mode 100644 pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md
 create mode 100644 pmd-appexchange/docs/AvoidUnescapedHtml.md
 create mode 100644 pmd-appexchange/docs/AvoidUnsafePasswordManagementUse.md
 create mode 100644 pmd-appexchange/docs/LimitConnectedAppScope.md
 create mode 100644 pmd-appexchange/docs/LoadCSSApexStylesheet.md
 create mode 100644 pmd-appexchange/docs/LoadCSSLinkHref.md
 create mode 100644 pmd-appexchange/docs/LoadJavaScriptHtmlScript.md
 create mode 100644 pmd-appexchange/docs/LoadJavaScriptIncludeScript.md
 create mode 100644 pmd-appexchange/docs/ProtectSensitiveData.md
 create mode 100644 pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md
 create mode 100644 pmd-appexchange/docs/UseHttpsCallbackUrl.md
 create mode 100644 pmd-appexchange/docs/UseLwcDomManual.md

diff --git a/pmd-appexchange/docs/AvoidApiSessionId.md b/pmd-appexchange/docs/AvoidApiSessionId.md
new file mode 100644
index 000000000..97a2490a5
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidApiSessionId.md
@@ -0,0 +1,18 @@
+AvoidApiSessionId[](#avoidapisessionid)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Session ID use may not be approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidApiSessionIdInXML.md b/pmd-appexchange/docs/AvoidApiSessionIdInXML.md
new file mode 100644
index 000000000..a8b810832
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidApiSessionIdInXML.md
@@ -0,0 +1,18 @@
+AvoidApiSessionIdInXML[](#avoidapisessionidinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Session ID use is not approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidAuraAppWithLockerDisabled.md b/pmd-appexchange/docs/AvoidAuraAppWithLockerDisabled.md
new file mode 100644
index 000000000..8c01d3458
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidAuraAppWithLockerDisabled.md
@@ -0,0 +1,18 @@
+AvoidAuraAppWithLockerDisabled[](#avoidauraappwithlockerdisabled)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the apiVersion to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidAuraCmpWithLockerDisabled.md b/pmd-appexchange/docs/AvoidAuraCmpWithLockerDisabled.md
new file mode 100644
index 000000000..998cc0ef1
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidAuraCmpWithLockerDisabled.md
@@ -0,0 +1,18 @@
+AvoidAuraCmpWithLockerDisabled[](#avoidauracmpwithlockerdisabled)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the apiVersion to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md b/pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md
new file mode 100644
index 000000000..c66a30f3d
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md
@@ -0,0 +1,18 @@
+AvoidChangeProtectionUnprotected[](#avoidchangeprotectionunprotected)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Ensure appropriate authorization checks are in-place before invoking FeatureManagement.changeProtection called with 'UnProtected' argument.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects potential misuse of FeatureManagement.changeProtection.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md b/pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md
new file mode 100644
index 000000000..0e07ad64a
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md
@@ -0,0 +1,28 @@
+AvoidCreateElementScriptLinkTag[](#avoidcreateelementscriptlinktag)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load JavaScript/CSS only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+Detects dynamic creation of script or link tags
+Note: This rule identifies the `<script>` block where `createElement` is detected; but can only show the line number where the `<script>` tag begins and not the line number for `createElement`.
+That means if there are multiple `createElement` calls with `script` as input, you'll see multiple issues reported with the line number of the `<script>` tag. This is a known issue; developers are expected to go through the `<script>` block to identify the use of `createElement`
+
+**Example(s):**
+
+   
+
+```
+<script src="{!$Resource.jquery}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+
diff --git a/pmd-appexchange/docs/AvoidDisableProtocolSecurity.md b/pmd-appexchange/docs/AvoidDisableProtocolSecurity.md
new file mode 100644
index 000000000..f20687cd1
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidDisableProtocolSecurity.md
@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurity[](#avoiddisableprotocolsecurity)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md b/pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md
new file mode 100644
index 000000000..0047df6a6
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md
@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurityInXML[](#avoiddisableprotocolsecurityinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidGetInstanceWithTaint.md b/pmd-appexchange/docs/AvoidGetInstanceWithTaint.md
new file mode 100644
index 000000000..ee47c89c1
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidGetInstanceWithTaint.md
@@ -0,0 +1,20 @@
+AvoidGetInstanceWithTaint[](#avoidgetinstancewithtaint)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   getInstance() is invoked with a potentially tainted parameter.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of getInstance(userId)/getInstance(profileId). Hierarchy Custom Settings return the record owned by the current user when `getInstance()` is invoked without any parameters.
+But if a tainted/end-user controlled `userId` or `profileId` is passed as a parameter to `getInstance()` that will allow the code to access records owned by other users on the org.
+Protected Custom Settings are the recommended approach to store subscriber owned secrets. Passing `userId` or `proileId` parameters to `getInstance()` could allow a user access to secrets that belong other other users on the org.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidGlobalInstallUninstallHandlers.md b/pmd-appexchange/docs/AvoidGlobalInstallUninstallHandlers.md
new file mode 100644
index 000000000..bfa185203
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidGlobalInstallUninstallHandlers.md
@@ -0,0 +1,23 @@
+AvoidGlobalInstallUninstallHandlers[](#avoidglobalinstalluninstallhandlers)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Install and Uninstall handlers should be public and not global
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects Install and Uninstall handlers declared as global. Install and Uninstall Handlers don't need to be global classes. 
+Using `global` for these handlers means global methods in these classes act as controllers and can be invoked by untrusted code outside the context of post-install/uninstall scenarios.
+Depending on the logic in these handlers, there could potentially unintended consequences. 
+For ex: Sometimes post install handlers are used to generate an encryption key to be stored in a protected custom settings object. But if the classes are global, then other untrusted code in the org can invoke the global method and the encryption key may be over-written.
+Or
+Helper classes for post-install handlers are recommended to be used "without sharing" - which is acceptable in the context of post-install exectution; but could lead to potential security concerns if "without sharing" classes are invoked by untrusted code.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidHardCodedCredentialsInAura.md b/pmd-appexchange/docs/AvoidHardCodedCredentialsInAura.md
new file mode 100644
index 000000000..05afc565d
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardCodedCredentialsInAura.md
@@ -0,0 +1,18 @@
+AvoidHardCodedCredentialsInAura[](#avoidhardcodedcredentialsinaura)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected use of hard coded credentials in Aura component
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detected use of hard coded credentials in Aura component
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidHardCodedSecretsInVFAttrs.md b/pmd-appexchange/docs/AvoidHardCodedSecretsInVFAttrs.md
new file mode 100644
index 000000000..c36fd9961
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardCodedSecretsInVFAttrs.md
@@ -0,0 +1,18 @@
+AvoidHardCodedSecretsInVFAttrs[](#avoidhardcodedsecretsinvfattrs)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard coded secrets detected in attributes
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects Hard coded secrets in VF attributes
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidHardcodedCredentialsInFieldDecls.md b/pmd-appexchange/docs/AvoidHardcodedCredentialsInFieldDecls.md
new file mode 100644
index 000000000..cbbf68cd8
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardcodedCredentialsInFieldDecls.md
@@ -0,0 +1,19 @@
+AvoidHardcodedCredentialsInFieldDecls[](#avoidhardcodedcredentialsinfielddecls)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard-coded credentials found in source code.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.
+Protected custom setttings or protected custom metadata should be used to store secrets.
+Refer to the [Protect Secrets Using Platform Features](https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features) Trailhead module for more guidance.
+  
+
+**Example(s):**
+
diff --git a/pmd-appexchange/docs/AvoidHardcodedCredentialsInHttpHeader.md b/pmd-appexchange/docs/AvoidHardcodedCredentialsInHttpHeader.md
new file mode 100644
index 000000000..de823b24d
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardcodedCredentialsInHttpHeader.md
@@ -0,0 +1,17 @@
+AvoidHardcodedCredentialsInHttpHeader[](#avoidhardcodedcredentialsinhttpheader)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard-coded credentials found in source code.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.
+Protected custom setttings or protected custom metadata should be used to store secrets.
+Refer to the [Protect Secrets Using Platform Features](https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features) Trailhead module for more guidance.
+
+**Example(s):**
diff --git a/pmd-appexchange/docs/AvoidHardcodedCredentialsInSetPassword.md b/pmd-appexchange/docs/AvoidHardcodedCredentialsInSetPassword.md
new file mode 100644
index 000000000..a4187d5ad
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardcodedCredentialsInSetPassword.md
@@ -0,0 +1,18 @@
+AvoidHardcodedCredentialsInSetPassword[](#avoidhardcodedcredentialsinsetpassword)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using hard-coded credentials with setPassword
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects hard-coded credentials in the call to setPassword().
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarAssign.md b/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarAssign.md
new file mode 100644
index 000000000..6764aee7a
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarAssign.md
@@ -0,0 +1,23 @@
+AvoidHardcodedCredentialsInVarAssign[](#avoidhardcodedcredentialsinvarassign)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard-coded credentials found in source code.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.
+Protected custom setttings or protected custom metadata should be used to store secrets.
+Refer to the [Protect Secrets Using Platform Features](https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features) Trailhead module for more guidance.
+
+**Example(s):**
+```
+
+
+
+        
+
diff --git a/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarDecls.md b/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarDecls.md
new file mode 100644
index 000000000..2f69e5f83
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidHardcodedCredentialsInVarDecls.md
@@ -0,0 +1,19 @@
+AvoidHardcodedCredentialsInVarDecls[](#avoidhardcodedcredentialsinvardecls)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard-coded credentials found in source code.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.
+Protected custom setttings or protected custom metadata should be used to store secrets.
+Refer to the [Protect Secrets Using Platform Features](https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features) Trailhead module for more guidance.
+
+
+**Example(s):**
+
diff --git a/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSetting.md b/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSetting.md
new file mode 100644
index 000000000..834bf28b3
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSetting.md
@@ -0,0 +1,18 @@
+AvoidInsecureHttpRemoteSiteSetting[](#avoidinsecurehttpremotesitesetting)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using insecure http urls in Remote Site Settings.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSettingInXML.md b/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSettingInXML.md
new file mode 100644
index 000000000..2bb991552
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSettingInXML.md
@@ -0,0 +1,18 @@
+AvoidInsecureHttpRemoteSiteSettingInXML[](#avoidinsecurehttpremotesitesettinginxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using insecure http urls in Remote Site Settings.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidInvalidCrudContentDistribution.md b/pmd-appexchange/docs/AvoidInvalidCrudContentDistribution.md
new file mode 100644
index 000000000..d73152f65
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidInvalidCrudContentDistribution.md
@@ -0,0 +1,33 @@
+AvoidInvalidCrudContentDistribution[](#avoidinvalidcrudcontentdistribution)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Do not use Schema.DescribeSObjectResult methods to enforce CRUD check on ContentDistribution
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   
+Detects the use of `Schema.DescribeSObjectResult` methods to enforce CRUD check on `ContentDistribution`.
+Developers should use `USER MODE` operations or use the custom below to enforce CRUD check against the `ContentDistribution` object.
+
+```
+ Boolean userCanCreatePublicLinks = 0 <
+        [SELECT COUNT() FROM PermissionSetAssignment
+        WHERE PermissionSet.PermissionsDistributeFromPersWksp = TRUE
+        AND AssigneeId = :UserInfo.getUserId()];
+if(userCanCreatePublicLinks){
+//had CRUD permissions 
+}
+else{
+//handle error
+}
+```
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidJavaScriptCustomObject.md b/pmd-appexchange/docs/AvoidJavaScriptCustomObject.md
new file mode 100644
index 000000000..ea0ba6222
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidJavaScriptCustomObject.md
@@ -0,0 +1,18 @@
+AvoidJavaScriptCustomObject[](#avoidjavascriptcustomobject)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using JavaScript to execute custom button actions.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in custom rules.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md b/pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md
new file mode 100644
index 000000000..ec8373665
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md
@@ -0,0 +1,18 @@
+AvoidJavaScriptHomePageComponent[](#avoidjavascripthomepagecomponent)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid JavaScript in a home page component body.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in home page components.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidJavaScriptWeblink.md b/pmd-appexchange/docs/AvoidJavaScriptWeblink.md
new file mode 100644
index 000000000..fee204a03
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidJavaScriptWeblink.md
@@ -0,0 +1,18 @@
+AvoidJavaScriptWeblink[](#avoidjavascriptweblink)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using JavaScript in web links.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in web links.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidJsLinksInCustomObject.md b/pmd-appexchange/docs/AvoidJsLinksInCustomObject.md
new file mode 100644
index 000000000..16278a288
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidJsLinksInCustomObject.md
@@ -0,0 +1,18 @@
+AvoidJsLinksInCustomObject[](#avoidjslinksincustomobject)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid clickable JavaScript-style URLs.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of JavaScript-style URLs (javascript:) in custom objects, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidJsLinksInWebLinks.md b/pmd-appexchange/docs/AvoidJsLinksInWebLinks.md
new file mode 100644
index 000000000..7e615114d
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidJsLinksInWebLinks.md
@@ -0,0 +1,18 @@
+AvoidJsLinksInWebLinks[](#avoidjslinksinweblinks)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid clickable JavaScript-style URLs.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of JavaScript-style URLs (javascript:) in custom objects, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidLmcIsExposedTrue.md b/pmd-appexchange/docs/AvoidLmcIsExposedTrue.md
new file mode 100644
index 000000000..0bff1ea43
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidLmcIsExposedTrue.md
@@ -0,0 +1,18 @@
+AvoidLmcIsExposedTrue[](#avoidlmcisexposedtrue)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected Lightning Message Channel with isExposed set to `true`.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects a Lightning Message Channel with `isExposed=true`,which isn’t allowed in managed packages.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidLmcIsExposedTrueInXML.md b/pmd-appexchange/docs/AvoidLmcIsExposedTrueInXML.md
new file mode 100644
index 000000000..7ee0ea63f
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidLmcIsExposedTrueInXML.md
@@ -0,0 +1,18 @@
+AvoidLmcIsExposedTrueInXML[](#avoidlmcisexposedtrueinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected Lightning Message Channel with isExposed set to true.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects a Lightning Message Channel with isExposed=true,which isn’t allowed in managed packages.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md b/pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md
new file mode 100644
index 000000000..d3d7d675c
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md
@@ -0,0 +1,18 @@
+AvoidLwcBubblesComposedTrue[](#avoidlwcbubblescomposedtrue)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid setting both Lightning Web component bubbles and composed=true at the same time.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects Lightning Web Component event configurations where bubbles and composed are both set to true. To avoid sharing sensitive information unintentionally, use this configuration with caution.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidSControls.md b/pmd-appexchange/docs/AvoidSControls.md
new file mode 100644
index 000000000..96b723714
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidSControls.md
@@ -0,0 +1,18 @@
+AvoidSControls[](#avoidscontrols)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected SControls
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   S-Controls should not be used in managed packages.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidSecurityEnforcedOldApiVersion.md b/pmd-appexchange/docs/AvoidSecurityEnforcedOldApiVersion.md
new file mode 100644
index 000000000..260482def
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidSecurityEnforcedOldApiVersion.md
@@ -0,0 +1,18 @@
+AvoidSecurityEnforcedOldApiVersion[](#avoidsecurityenforcedoldapiversion)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   WITH SECURITY_ENFORCED is used with API version lower than 48.0
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of WITH SECURITY_ENFORCED in API version less than 48.0. More guidance available in the [WITH SECURITY_ENFORCED](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_with_security_enforced.htm#apex_classes_with_security_enforced) documentation.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidSystemModeInFlows.md b/pmd-appexchange/docs/AvoidSystemModeInFlows.md
new file mode 100644
index 000000000..78d97092d
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidSystemModeInFlows.md
@@ -0,0 +1,18 @@
+AvoidSystemModeInFlows[](#avoidsystemmodeinflows)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Reconfigure to avoid running flows in system mode.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects where default mode must be used in flows instead of system mode.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md
new file mode 100644
index 000000000..94cec4ec0
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md
@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdInApex[](#avoidunauthorizedapisessionidinapex)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of Session Id might not be authorized.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of ${API.Session_Id} to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md
new file mode 100644
index 000000000..ab7888631
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md
@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdInFlows[](#avoidunauthorizedapisessionidinflows)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   $Api.Session_ID usage is not approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of session ID in SOAP API calls in flows. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md
new file mode 100644
index 000000000..90705b060
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md
@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdVisualforce[](#avoidunauthorizedapisessionidvisualforce)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Retrieval of session ID using API.Session_ID is not authorized.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID in Visualforce code. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md b/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md
new file mode 100644
index 000000000..7d5f30297
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md
@@ -0,0 +1,18 @@
+AvoidUnauthorizedGetSessionIdInApex[](#avoidunauthorizedgetsessionidinapex)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of Session Id might not be authorized.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of UserInfo.getSessionId() to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md b/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md
new file mode 100644
index 000000000..33b13c876
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md
@@ -0,0 +1,18 @@
+AvoidUnauthorizedGetSessionIdInVisualforce[](#avoidunauthorizedgetsessionidinvisualforce)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of session ID with GETSESSIONID is not authorized.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of GETSESSIONID() to retrieve a session ID in Visualforce code. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnescapedHtml.md b/pmd-appexchange/docs/AvoidUnescapedHtml.md
new file mode 100644
index 000000000..abdd4a9d8
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnescapedHtml.md
@@ -0,0 +1,18 @@
+AvoidUnescapedHtml[](#avoidunescapedhtml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Potential XSS due to the use of unesapedHtml
+
+
+**Priority:** High (2)
+
+**Description:**
+
+Detected use of aura:unescapedHtml. This should be used cautiously. Developers should ensure that the unescapedHtml should not use tainted input to protect against XSS
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/AvoidUnsafePasswordManagementUse.md b/pmd-appexchange/docs/AvoidUnsafePasswordManagementUse.md
new file mode 100644
index 000000000..e3b0986d7
--- /dev/null
+++ b/pmd-appexchange/docs/AvoidUnsafePasswordManagementUse.md
@@ -0,0 +1,18 @@
+AvoidUnsafePasswordManagementUse[](#avoidunsafepasswordmanagementuse)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Before invoking password related methods in Apex, perform necessary authorization checks.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects where System.setPassword() exists in Apex code. Use this method with caution.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/LimitConnectedAppScope.md b/pmd-appexchange/docs/LimitConnectedAppScope.md
new file mode 100644
index 000000000..20584bedc
--- /dev/null
+++ b/pmd-appexchange/docs/LimitConnectedAppScope.md
@@ -0,0 +1,19 @@
+LimitConnectedAppScope[](#limitconnectedappscope)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Update the connected app request to limited scope instead of full scope.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if a connected app uses full scope. Explain this use case in your AppExchange security review submission.
+		
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/LoadCSSApexStylesheet.md b/pmd-appexchange/docs/LoadCSSApexStylesheet.md
new file mode 100644
index 000000000..6e0cb2f21
--- /dev/null
+++ b/pmd-appexchange/docs/LoadCSSApexStylesheet.md
@@ -0,0 +1,26 @@
+LoadCSSApexStylesheet[](#loadcssapexstylesheet)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load JavaScript only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Determines where CSS must be loaded as a static resource
+
+**Example(s):**
+
+   
+
+```
+<apex:stylesheet value="{!$Resource.mycssresource}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+
diff --git a/pmd-appexchange/docs/LoadCSSLinkHref.md b/pmd-appexchange/docs/LoadCSSLinkHref.md
new file mode 100644
index 000000000..b5b8aa92a
--- /dev/null
+++ b/pmd-appexchange/docs/LoadCSSLinkHref.md
@@ -0,0 +1,26 @@
+LoadCSSLinkHref[](#loadcsslinkhref)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load CSS only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Determines where CSS must be loaded as a static resource
+
+**Example(s):**
+
+   
+
+```
+<link rel="stylesheet" src="{!$Resource.mycustomcss}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+
diff --git a/pmd-appexchange/docs/LoadJavaScriptHtmlScript.md b/pmd-appexchange/docs/LoadJavaScriptHtmlScript.md
new file mode 100644
index 000000000..0d51761b2
--- /dev/null
+++ b/pmd-appexchange/docs/LoadJavaScriptHtmlScript.md
@@ -0,0 +1,26 @@
+LoadJavaScriptHtmlScript[](#loadjavascripthtmlscript)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load JavaScript only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Determines HTML script locations where JavaScript code must be loaded as static resources.
+
+**Example(s):**
+
+   
+
+```
+<script src="{!$Resource.jquery}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+
diff --git a/pmd-appexchange/docs/LoadJavaScriptIncludeScript.md b/pmd-appexchange/docs/LoadJavaScriptIncludeScript.md
new file mode 100644
index 000000000..bd63ec795
--- /dev/null
+++ b/pmd-appexchange/docs/LoadJavaScriptIncludeScript.md
@@ -0,0 +1,26 @@
+LoadJavaScriptIncludeScript[](#loadjavascriptincludescript)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load JavaScript only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Determines include script locations where JavaScript code must be loaded as static resources.
+
+**Example(s):**
+
+   
+
+```
+<apex:IncludeScript value="{!$Resource.jquery}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+
diff --git a/pmd-appexchange/docs/ProtectSensitiveData.md b/pmd-appexchange/docs/ProtectSensitiveData.md
new file mode 100644
index 000000000..f30fd0524
--- /dev/null
+++ b/pmd-appexchange/docs/ProtectSensitiveData.md
@@ -0,0 +1,16 @@
+ProtectSensitiveData[](#protectsensitivedata)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To store secrets, use Protected Custom settings or Protected Custom metadata.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects where sensitive data must be stored with Protected Custom metadata or Protected Custom settings. Protected custom setttings or protected custom metadata should be used to store secrets. Refer to the [Protect Secrets Using Platform Features](https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features) Trailhead module for more guidance.
+
+**Example(s):**
+
diff --git a/pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md b/pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md
new file mode 100644
index 000000000..a5356eac2
--- /dev/null
+++ b/pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md
@@ -0,0 +1,18 @@
+UpgradeLwcLockerSecuritySupport[](#upgradelwclockersecuritysupport)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the API version to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled. Use API version 40 or greater.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/UseHttpsCallbackUrl.md b/pmd-appexchange/docs/UseHttpsCallbackUrl.md
new file mode 100644
index 000000000..4988aca32
--- /dev/null
+++ b/pmd-appexchange/docs/UseHttpsCallbackUrl.md
@@ -0,0 +1,18 @@
+UseHttpsCallbackUrl[](#usehttpscallbackurl)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Update to secure Oauth callback URL over HTTPS.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of an OAuth callback URL that uses HTTP.Use HTTPS instead.
+
+**Example(s):**
+
+   
+
diff --git a/pmd-appexchange/docs/UseLwcDomManual.md b/pmd-appexchange/docs/UseLwcDomManual.md
new file mode 100644
index 000000000..2b1bacf38
--- /dev/null
+++ b/pmd-appexchange/docs/UseLwcDomManual.md
@@ -0,0 +1,27 @@
+UseLwcDomManual[](#uselwcdommanual)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protect against XSS when using lwc:dom="manual".
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of lwc:dom="manual" that could allow unintentional or malicious user input. Don't allow user input on these elements.
+
+**Example(s):**
+
+```
+<template>
+        <div class="chart slds-var-m-around_medium slds-theme_default cursor" lwc:dom="manual"></div> 
+    </template>
+```
+If template has a direct user input. Then XSS is possible.
+
+
+
+        
+