Need Guidance on WhatsApp API Security Scan using ZAP or Burp Suite tool
Hello,

We are a Salesforce AppExchange Partner developing an application that integrates with the WhatsApp Cloud API (https://graph.facebook.com) to facilitate business-to-customer communication.

Publishing on AppExchange requires passing the Salesforce Security Review, which involves two parts: reviewing our internal Salesforce code and the integrated server (WhatsApp in this case).

We've successfully addressed the first part using the "Salesforce Code Analyzer." However, for the second part, Salesforce requires an API scan report for the WhatsApp API. While Salesforce suggests using the ZAP or Burp Suite tool, we need your guidance on how to run ZAP scans on the https://graph.facebook.com API using a test number provided by WhatsApp (or with your guidance on obtaining one). We are not sure whether we can directly run the ZAP tool on a test number or whether we need any special permission from Meta. If so, please guide us on how to request such permission.

Our focus will be on scanning the Create Message Template and Send WhatsApp Message APIs.

For your reference, we've included relevant documentation URLs:

  1. Security Scanners on the Partner Security Portal: https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_partner_security_portal.htm

  2. Zed Attack Proxy (ZAP) Browser Setup: https://security.my.salesforce-sites.com/security/tools/webapp/zaprunningscan

Sincerely, Purushottam

Decipher
Asked about a week ago