PA-002: Power Automate hardcoded secret

An action input contains a literal credential value (password, API key, bearer token, or client secret) instead of a parameter or Key Vault reference.

Severity: critical. Tags: credentials, powerautomate

What it detects

An action input contains a literal credential value (password, API key, bearer token, or client secret) instead of a parameter or Key Vault reference. Flowcerta surfaces this finding from the active validation pipeline for supported file types and platforms.

Why it matters

Credentials and secret-handling findings matter because workflow files often travel through source control, export bundles, backups, and admin access paths. A secret in source quickly becomes a secret with a large blast radius.

Example violation

A "Send an HTTP request" action stores an API key directly in the Authorization header as a plain string literal instead of an environment variable reference.

Fix guidance

Power Automate

  • Move the secret to an environment variable or Azure Key Vault and reference it with @parameters() or the Key Vault connector.
  • Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
  • Revalidate the workflow after the change and confirm the finding no longer appears.
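The example violation and the fix above, as an added example that is not Flowcerta's own code: a small scanner that walks the actions of a Power Automate flow definition and reports credential-like inputs whose value is a string literal rather than a workflow expression. The two flow definitions are constructed for this example (action names, the `shared_keyvault` connection and the `contoso_` environment-variable names are assumptions), and the expression syntax follows the `@parameters()` / `@body()` conventions used in exported flow JSON.

```python
"""Added example, not Flowcerta's own code: a scanner for the PA-002 pattern.
It walks the actions of a Power Automate flow definition and reports credential-
like inputs whose value is a string literal rather than a workflow expression.
The flow JSON is constructed here; expression syntax follows Power Automate."""
import re

# Header names / input keys that normally carry credentials (assumed list).
SECRET_KEY = re.compile(r"authorization|api[-_]?key|password|client[-_]?secret|token", re.I)
INTERPOLATION = re.compile(r"@\{[^}]*\}")          # "@{...}" segments inside a string
AUTH_SCHEME = re.compile(r"^(Bearer|Basic)\s*", re.I)

def literal_residue(value):
    """Return the part of a value that is neither an expression nor an auth scheme.
    Non-empty residue means a literal secret is embedded in the definition."""
    if not isinstance(value, str) or value.startswith("@"):   # whole value is an expression
        return ""
    return AUTH_SCHEME.sub("", INTERPOLATION.sub("", value)).strip()

def find_hardcoded_secrets(definition):
    """Return (action name, dotted input path) for each literal credential found."""
    findings = []

    def walk(action_name, node, path):
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if SECRET_KEY.search(key) and literal_residue(val):
                findings.append((action_name, f"{path}.{key}"))
            walk(action_name, val, f"{path}.{key}")

    for name, action in definition.get("actions", {}).items():
        walk(name, action.get("inputs", {}), "inputs")
    return findings

# Constructed "before" flow: the API key is a plain string in the Authorization header.
VULNERABLE = {"actions": {"Send_an_HTTP_request": {"type": "Http", "inputs": {
    "method": "GET", "uri": "https://api.example.test/v1/orders",
    "headers": {"Authorization": "Bearer PLACEHOLDER_LITERAL_API_KEY"}}}}}

# Constructed "after" flow: the key is read from Key Vault by an earlier action and
# the base URL comes from an environment variable, so every credential is a reference.
FIXED = {"actions": {
    "Get_secret": {"type": "ApiConnection", "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['shared_keyvault']['connectionId']"}},
        "method": "get", "path": "/secrets/@{encodeURIComponent('orders-api-key')}/value"}},
    "Send_an_HTTP_request": {"type": "Http", "runAfter": {"Get_secret": ["Succeeded"]}, "inputs": {
        "method": "GET", "uri": "@parameters('OrdersApiBaseUrl (contoso_OrdersApiBaseUrl)')",
        "headers": {"Authorization": "Bearer @{body('Get_secret')?['value']}"}}}}}

if __name__ == "__main__":
    print("before:", find_hardcoded_secrets(VULNERABLE))   # one finding on the Authorization header
    print("after: ", find_hardcoded_secrets(FIXED))        # [] -> PA-002 no longer fires
```

Note that the scheme prefix `Bearer` is stripped before judging the value, so a header built entirely from a reference passes while a literal token mixed in after the prefix is still reported.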

Verification steps

  1. Run validation again and confirm the rule no longer appears in the finding list.
  2. Review the changed workflow artifact directly to verify the risky pattern is gone.
  3. Capture the new validation result as evidence for the relevant owner or compliance review.

This page is generated from the canonical Flowcerta rule registry used by validation scoring.