Governance Rule Playbooks
73 governance rules across 9 categories, each with severity rating, detection scope, and step-by-step remediation guidance. Rules are applied automatically on every workflow upload.
Credentials & Secrets
5 rules
FC-ANY-CRED-001: Hardcoded connection string
Hardcoded connection string with embedded password detected.
FC-ANY-CRED-002: Hardcoded API key or credential variable
Credential-related activity contains a hardcoded literal value.
PA-002: Power Automate hardcoded secret
An action input contains a literal credential value (password, API key, bearer token, or client secret) instead of a parameter or Key Vault reference.
FC-UIP-HCD-007: Hardcoded port
Activity attribute contains a literal port number, making the workflow brittle across environments.
FC-UIP-HCD-008: Hardcoded database name
Activity attribute embeds a literal database / catalog name, making the workflow tied to a specific environment.
Error Handling
10 rules
FC-ANY-EXC-001: Swallowed exception
Catch block does not log or rethrow the exception - error is silently swallowed.
FC-ANY-HTTP-001: Missing try/catch around external call
HTTP or web service call is not wrapped in a Try/Catch block.
FC-ANY-RETRY-001: Infinite retry without limit
RetryScope has no NumberOfRetries limit and may retry indefinitely.
FC-ANY-RETRY-002: Missing retry scope
Activity has no surrounding Retry Scope.
FC-UIP-RETRY-001: Try/catch inside retry scope
TryCatch nested inside a RetryScope suppresses the failure that RetryScope would retry on.
FC-UIP-UI-001: Unguarded UI action
UI interaction activity lacks error handling.
PA-001: Power Automate HTTP action without failure handler
HTTP or connector action has no downstream failure handler (runAfter: Failed/TimedOut).
PA-003: Power Automate retries disabled on external call
An HTTP or connector action sets retryPolicy to "none", removing the platform's default resilience against transient failures.
PA-004: Power Automate Do Until loop without a limit
A Do Until loop has no count or timeout limit, so a never-true exit condition runs until the platform's hard ceiling.
FC-UIP-STOP-001: Stop workflow activity
Workflow uses TerminateWorkflow / Stop activities to abort execution.
Observability
2 rules
PII Handling
3 rules
FC-ANY-PII-001: PII access without audit log
Workflow processes PII-named variable but contains no Log Message activity.
FC-ANY-PII-002: PII value in log message
Log Message activity references a PII-named variable - PII may be written to plain logs.
FC-ANY-PII-003: PII hardcoded default
Variable with a PII-related name is initialized to a hardcoded literal instead of an asset.
Governance
6 rules
FC-UIP-PKG-002: Restricted package
Package on the configured disallow list is declared in project.json.
FC-UIP-PKG-003: Required package
Required package or package version is missing from project.json.
FC-UIP-USG-026: Restricted activity
Workflow uses an activity outside the configured allow or prohibit list.
FC-UIP-AH-001: Automation Hub URL
Project is not linked to an Automation Hub idea.
FC-UIP-TAG-001: Required tag
Project is missing one or more required organizational tags.
FC-UIP-TPL-001: Invoked file template
Project contains template provenance markers indicating a workflow was created from a file template.
Maintainability
40 rules
PA-009: Power Automate Initialize variable inside a loop
An `Initialize variable` action is nested inside a Foreach or Do Until scope. Variables must be initialized at the top level of the flow; nesting them inside a loop either fails at design-time or silently resets the value on each iteration.
FC-UIP-ANA-002: Empty workflow
Workflow has no executable activities.
FC-UIP-ARG-001: High argument count
Workflow declares more arguments than the configured maintainability threshold.
FC-UIP-ARG-003: Undefined output argument
An Out or InOut argument is declared on the workflow but no activity in the body assigns a value to it. Callers will receive the type's default value.
FC-UIP-CODE-001: Invoke code size limit
InvokeCode body exceeds the configured maximum number of lines.
FC-UIP-DBP-010: Multiple workflow or test case markers
Workflow file contains more than one [Workflow] or [TestCase] marker.
FC-UIP-DLY-001: Hard-coded delay activity
Hard-coded Delay activity detected.
FC-UIP-FLOW-001: Nested flowchart
Flowchart is nested inside another flowchart.
FC-UIP-FLOW-002: Large flowchart
Flowchart contains more nodes than the configured maintainability threshold.
FC-UIP-FLOW-005: Unreachable flowchart activity
Flowchart node cannot be reached from the flowchart's start node.
FC-UIP-MRD-007: Nested If clauses
If activity is nested more than three levels deep.
FC-UIP-NEST-001: Excessive nesting
Workflow nesting depth exceeds recommended threshold.
FC-UIP-NMG-005: Variable overrides variable
Variable shadows another variable with the same name in an outer scope.
FC-UIP-NMG-006: Variable overrides argument
Variable has the same name as a workflow argument.
FC-UIP-NMG-017: Class name matches default namespace
Workflow class name matches the project default namespace.
FC-UIP-PERSIST-002: Persistence with non-serializable variable
Workflow uses persistence while declaring a variable type that is unlikely to serialize safely across a persisted boundary.
FC-UIP-PMG-002: Windows project incompatible expression
Project uses the C# expression language but a workflow still contains Visual Basic-only expression syntax.
FC-UIP-USG-005: Hardcoded activity property
Configured activity property receives a hardcoded literal value.
FC-UIP-VAR-001: Duplicate variable name
Multiple variables declared with the same name.
FC-UIP-ANA-003: Uncommented activities count
Workflow has fewer annotated activities than the configured minimum percentage.
FC-UIP-CMT-001: Commented-out code
Commented-out activity left in the workflow.
FC-UIP-EMPTY-001: Empty sequence
Sequence has no executable child activities.
FC-UIP-MRD-002: Activity name defaults
Activity still uses its generated default display name.
FC-UIP-MRD-005: Redundant sequence
Sequence wraps too few executable child activities.
FC-UIP-MRD-006: Unused argument
Argument is declared but never referenced in the workflow body.
FC-UIP-MRD-017: Incomplete If activities
If activity has no executable Then branch.
FC-UIP-NMG-001: Variable naming convention
Variable name does not match the configured naming convention.
FC-UIP-NMG-002: Argument naming convention
Argument name does not match the configured direction-based naming convention.
FC-UIP-NMG-004: Duplicate display name
Multiple activities use the same display name.
FC-UIP-NMG-008: Variable name length exceeded
Variable name exceeds the configured length limit.
FC-UIP-NMG-009: DataTable variable prefix
DataTable variable does not use the dt_ prefix.
FC-UIP-NMG-011: DataTable argument prefix
DataTable argument does not include the dt_ prefix after its direction prefix.
FC-UIP-NMG-012: Argument default value
Argument has no default value.
FC-UIP-NMG-016: Argument name length exceeded
Argument name exceeds the configured length limit.
FC-UIP-PERSIST-001: Persistence activity
Workflow uses a long-running orchestration persistence activity (Persist, PersistDelay, TriggerScope, Pick).
FC-UIP-PKG-001: Unused dependency
Package is declared in project.json but no workflow references an assembly from that package.
FC-UIP-PMG-001: Duplicate activity IdRef
Multiple activities share the same `sap2010:WorkflowViewState.IdRef` value. Studio relies on these IDs being unique for designer state and review tooling.
FC-UIP-USG-004: Flat folder structure
Project workflow layout is too flat. Too many workflows sit in the project root with no supporting subfolder organization.
FC-UIP-USG-009: Unused variable
Variable is declared but never referenced.
PA-006: Power Automate empty Scope action
A Scope action contains no nested actions; the wrapper has no effect and is likely abandoned scaffolding or dead code.
Hardcoded Values
2 rules
FC-UIP-HCD-001: Hardcoded credential or sensitive value
Hardcoded credential or sensitive value detected.
PA-005: Power Automate hardcoded endpoint URL
An HTTP or connector action has a literal endpoint URL (or host) in its inputs instead of a parameter or environment variable reference, making the flow non-portable across dev/test/prod environments.
Performance
4 rules
FC-UIP-INVOKE-002: Invoke workflow inside loop
InvokeWorkflowFile executed inside a loop - known performance anti-pattern.
PA-007: Power Automate recurrence trigger fires too frequently
A Recurrence trigger is configured to fire more frequently than once every 5 minutes, which can burn API quota and is rarely necessary for business-event polling.
PA-008: Power Automate event trigger without conditions filter
A webhook or event-driven trigger has no `conditions` filter, so the flow runs on every event the connector emits — including ones the flow then immediately discards.
PA-010: Power Automate Foreach with very high concurrency
An Apply-to-Each (Foreach) action sets runtimeConfiguration.concurrency.repetitions above 50, which can overwhelm downstream APIs and hit connector throttling limits without the flow being aware.
Selector Quality
1 rule
Rules are applied automatically when you upload a workflow. No configuration required on Starter. Policy packs let you override severity thresholds and add exemptions on Growth and above.