
FC-ANY-CRED-002: Hardcoded API key or credential variable

Credential-related activity contains a hardcoded literal value.

Severity: critical · Category: credentials · Platforms: uipath / powerautomate / blueprism / automationanywhere

What it detects

Credential-related activity contains a hardcoded literal value. Flowcerta surfaces this finding from the active validation pipeline for supported file types and platforms.

Why it matters

Credentials and secret-handling findings matter because workflow files often travel through source control, export bundles, backups, and admin access paths. A secret in source quickly becomes a secret with a large blast radius.

Example violation

Credential-related activity contains a hardcoded literal value.

Fix guidance

UiPath

  • Use GetAsset/GetCredential to retrieve secrets at runtime.
  • Use platform-native assets, credentials, bounded retries, and Log Message checkpoints instead of hardcoded literals or silent failure paths.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Power Automate

  • Use GetAsset/GetCredential to retrieve secrets at runtime.
  • Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Blue Prism

  • Use GetAsset/GetCredential to retrieve secrets at runtime.
  • Use release metadata, data items, and process/page references intentionally so reviewers can trace ownership and fix paths quickly.
  • Revalidate the workflow after the change and confirm the finding no longer appears.

Automation Anywhere

  • Use GetAsset/GetCredential to retrieve secrets at runtime.
  • Move sensitive values into credential vaults or externalized configuration and keep task-bot calls explicit and reviewable.
  • Revalidate the workflow after the change and confirm the finding no longer appears.
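As an added illustration (not Flowcerta's detector and not real UiPath project files), the Python scanner below applies this rule's check to two constructed, simplified XAML fragments: one that types a password and an API key as literals, and the fixed form that obtains them from a Get Credential asset and passes variables instead. The credential keyword list, the activity and argument names, and the literal-versus-expression heuristic are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Argument names that carry credentials (assumed keyword list, not the
# Flowcerta registry's own matcher).
CRED_ATTR = re.compile(r"password|secret|apikey|api_key|token", re.I)
# A bracketed expression whose whole body is a quoted string, e.g. ["..."],
# is still a hardcoded literal; [cred.Password] or [apiKey] is a reference.
LITERAL_EXPR = re.compile(r'^\[\s*"[^"]*"\s*\]$')

def is_hardcoded(value: str) -> bool:
    v = value.strip()
    if not v:
        return False
    if not v.startswith("["):
        return True  # bare literal typed straight into the property
    return bool(LITERAL_EXPR.match(v))

def scan_xaml(xaml: str) -> list:
    """Return (activity, argument, value) triples for hardcoded credential literals."""
    findings = []
    for elem in ET.fromstring(xaml).iter():
        tag = elem.tag.split("}")[-1]  # strip the XML namespace
        for name, value in elem.attrib.items():
            if CRED_ATTR.search(name) and is_hardcoded(value):
                findings.append((tag, name, value))
    return findings

# Constructed, simplified workflow fragments (not real UiPath project files).
VIOLATING = """<Activity xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
  xmlns:ui="http://schemas.uipath.com/workflow/activities"><Sequence>
  <ui:TypeSecureText Password="Sup3rSecret!" />
  <ui:HttpClient Endpoint="https://api.example.test/v1" ApiKey="[&quot;sk-live-0123&quot;]" />
</Sequence></Activity>"""

FIXED = """<Activity xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
  xmlns:ui="http://schemas.uipath.com/workflow/activities"><Sequence>
  <ui:GetRobotCredential AssetName="[&quot;ApiCredential&quot;]" Username="[user]" Password="[pwd]" />
  <ui:TypeSecureText Password="[pwd]" />
  <ui:HttpClient Endpoint="https://api.example.test/v1" ApiKey="[apiKey]" />
</Sequence></Activity>"""

if __name__ == "__main__":
    print("violating:", scan_xaml(VIOLATING))  # two findings
    print("fixed:", scan_xaml(FIXED))          # []
```

The second fragment is what the fix guidance above produces: the secret is resolved at runtime from an asset and only variable references remain in the file, so re-running the scan returns no findings.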

Verification steps

  1. Run validation again and confirm the rule no longer appears in the finding list.
  2. Review the changed workflow artifact directly to verify the risky pattern is gone.
  3. Capture the new validation result as evidence for the relevant owner or compliance review.

Compliance references

This page is generated from the canonical Flowcerta rule registry used by validation scoring.
