Before you can audit your Salesforce org, you need its metadata. Every field, flow, profile, permission set, automation rule, and custom object exists as metadata — and you need a copy of it to find the problems hiding in your configuration.
This guide walks you through three ways to export your Salesforce metadata, from simplest to most full-featured. Choose the method that matches your comfort level and access.
Need the audit done for you? Upload your metadata to OrgPilot and get a complete health assessment in 60 seconds.
What is Salesforce Metadata?
Metadata is everything in your Salesforce org that isn't the actual data in your records. Think of it as the "configuration layer" — the structure, rules, and permissions that govern how your org behaves.
Your metadata includes:
- Objects — Custom objects (like Project__c) and standard objects (Account, Contact, Opportunity)
- Fields — Every custom field you've created, plus field-level security settings
- Automation — Flows, Process Builder, Workflow Rules, and Apex Triggers
- Security — Profiles, Permission Sets, Role Hierarchy, Sharing Rules
- User Interface — Page Layouts, Record Types, List Views, Lightning Pages
- Business Logic — Validation Rules, Apex Classes, Visualforce Pages
When auditors talk about "running a Salesforce org audit," they mean analyzing your metadata to find configuration risks, technical debt, and compliance gaps. You can't do that without a metadata export.
Related: See the complete 18-point audit checklist for what to check once you have your export.
Method 1: Salesforce Setup UI (Easiest)
If you have System Administrator access and just need a quick look at one or two things, Salesforce's Setup UI can export certain metadata types directly.
What you can export from Setup:
- Object Manager → Export (CSV of object/field definitions)
- Profiles → Clone (gives you a copy of profile settings)
- Permission Sets → Export Settings
- Individual Flow definitions (via Flow Manager)
Limitations: This method is manual, one-type-at-a-time, and produces formats that aren't easy to analyze in bulk. Not practical for a full org audit.
When to use Method 1:
✓ Quick spot-check on a single object or profile
✓ When you can't install any tools or extensions
✓ Exporting a few specific items to share with a consultant
Method 2: Salesforce Workbench (No Setup Required)
Salesforce Workbench is a web-based tool that lets you query and retrieve your metadata using Salesforce's API — without installing anything.
How to export metadata with Workbench:
- Go to workbench.developerforce.com and log in with your Salesforce credentials
- Select your environment (Production or Sandbox)
- Approve the API access request
- Go to Migration → Retrieve
- Enter a
package.xmlthat specifies what to retrieve (see below) - Click Retrieve and wait for the ZIP to build
- Download the ZIP file containing your metadata
Sample package.xml for full org export:
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
<types>
<members>*</members>
<name>ApexClass</name>
</types>
<types>
<members>*</members>
<name>CustomField</name>
</types>
<types>
<members>*</members>
<name>Flow</name>
</types>
<types>
<members>*</members>
<name>PermissionSet</name>
</types>
<types>
<members>*</members>
<name>Profile</name>
</types>
<types>
<members>*</members>
<name>ValidationRule</name>
</types>
<types>
<members>*</members>
<name>WorkflowRule</name>
</types>
<version>60.0</version>
</Package>
Replace the types with whatever you need. The * wildcard retrieves all items of that type. For a full audit, include CustomObject, CustomField, Flow, Profile, PermissionSet, ApexClass, ValidationRule, WorkflowRule, and SharingRules.
When to use Method 2:
✓ You want a manual export without installing tools
✓ You're comfortable with the API and XML
✓ Need metadata from a specific subset of components
Method 3: VS Code + Salesforce CLI (Recommended)
The most powerful and reproducible method uses Visual Studio Code with the Salesforce Extensions and Salesforce CLI. This is how professional admins and developers export metadata for audits.
Prerequisites:
- Visual Studio Code installed
- Salesforce CLI (sfdx) installed
- VS Code Salesforce Extensions
Step-by-step:
- Authenticate to your org:
sf force:auth:web:login -d -a MyOrg
This opens a browser window. Log in and approve. - Create a project:
sf project create -n my-audit-project - Retrieve metadata:
Create a package.xml in your project's root (use the sample from Method 2 above), then run:sf force:source:retrieve -x package.xml - Or retrieve everything:
If you want the full org without specifying types:sf force:source:retrieve -m BundleName -o MyOrg
Where BundleName is CustomObject, CustomField, Flow, Profile, PermissionSet, etc. - Your metadata is now local:
The retrieved files live in theforce-app/main/default/folder. Each component type gets its own subfolder. You can open, search, and analyze these files with any text editor or IDE.
When to use Method 3:
✓ Full org audit with complete metadata coverage
✓ You want to use VS Code's search and navigation tools
✓ Need reproducible, scriptable exports for regular audits
✓ You'll connect to OrgPilot for automated analysis
What to Do After Exporting
Congratulations — you now have a complete picture of your Salesforce org's configuration. Here's what comes next:
Option A: Manual Audit (Time-Intensive)
Use the 18-point checklist to manually review each component. This works but takes 4–8 hours for a thorough review.
Option B: Automated Audit with OrgPilot (60 Seconds)
Upload your metadata export to OrgPilot and get:
- A 0–100 health score for your org
- Security findings (profiles with excessive permissions, inactive users)
- Data model issues (unused fields, field limit warnings)
- Automation risks (flows without fault paths, deprecated tools)
- AI-generated fix recommendations for each finding
Ready? Upload your metadata to OrgPilot for a free instant audit →
Summary: Which Method Should You Use?
| Method | Best For | Complexity |
|---|---|---|
| Setup UI | Single-component spot checks | ⭐ Low |
| Workbench | Quick exports without installing tools | ⭐⭐ Medium |
| VS Code + CLI | Full org audits, automation, OrgPilot integration | ⭐⭐⭐ Higher |
If you're serious about understanding your org's health — and especially if you're preparing for a compliance audit, migration, or cleanup project — Method 3 with VS Code gives you the most complete export. Then upload it to OrgPilot and get your audit results in under a minute.
Already have your export? Run your free audit now →
Audit Your Salesforce Org in 60 Seconds
Upload your metadata export and get an instant health assessment with prioritized findings and AI-generated fix recommendations. No setup, no login required.
Upload Metadata for Free →Works with exports from Workbench, VS Code, or Data Loader