Docs

CRED-001: Hardcoded Connection String

Hardcoded database connection string with embedded credentials

criticalcredentialsuipath • power_automate • aa

What it detects

Hardcoded database connection string with embedded credentials Flowcerta currently surfaces this finding from the active validation pipeline for supported patterns.

Why it matters

Credentials and secret-handling findings matter because workflow files often travel through source control, export bundles, backups, and admin access paths. A secret in source quickly becomes a secret with a large blast radius.

Example violation

A workflow embeds a connection string with username and password directly in source.

Fix guidance

UiPath

  • Move credentials to a secret manager. Never embed passwords in workflow variable defaults.
  • Use platform-native assets, credentials, bounded retries, and Log Message checkpoints instead of hardcoded literals or silent failure paths.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Power Automate

  • Move credentials to a secret manager. Never embed passwords in workflow variable defaults.
  • Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Automation Anywhere

  • Move credentials to a secret manager. Never embed passwords in workflow variable defaults.
  • Move sensitive values into credential vaults or externalized configuration and keep task-bot calls explicit and reviewable.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Verification steps

  1. Run validation again and confirm the rule no longer appears in the finding list.
  2. Review the changed workflow artifact directly to verify the risky pattern is gone.
  3. Capture the new validation result as evidence for the relevant owner or compliance review.

Compliance references

  • SOC2 CC6.1 — Logical and Physical Access Controls
  • HIPAA 164.312(a)(2)(i) — Unique User Identification
  • GDPR Art.32 — Security of Processing

Related rules

CRED-002CRED-002

This page is generated from canonical rule seed data plus the current runtime validation mapping.

Browse all rule playbooks