PA-005: Power Automate hardcoded endpoint URL
What it detects
An HTTP or connector action has a literal endpoint URL (or host) in its inputs instead of a parameter or environment variable reference, making the flow non-portable across dev/test/prod environments. Flowcerta surfaces this finding from the active validation pipeline for supported file types and platforms.
Why it matters
Hardcoded sensitive values create security and operational debt. Rotating the value now requires a code change, retesting, and redeployment instead of a simple secret update.
Example violation
A Power Automate HTTP action hardcodes "https://api.acme.com" directly in the uri field, breaking the flow when it is exported and imported into a different environment.
Fix guidance
Power Automate
- Move the URL to a Power Platform environment variable or solution parameter and reference it with @parameters() so each environment can supply its own value.
- Prefer environment-aware connectors, connection references, structured scopes, and explicit run-history logging.
- Revalidate the workflow after the change and confirm the finding no longer appears.
Verification steps
- Run validation again and confirm the rule no longer appears in the finding list.
- Review the changed workflow artifact directly to verify the risky pattern is gone.
- Capture the new validation result as evidence for the relevant owner or compliance review.
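For the direct artifact review, the following added example (not Flowcerta's rule implementation) walks an exported flow definition and lists HTTP actions whose uri begins with a literal URL rather than a @parameters() reference. It assumes the workflow-definition JSON layout shown in the constructed sample, covers only actions of type Http, and uses made-up action and parameter names.

```python
import json
import re

# Constructed sample flow definition; action and parameter names are made up.
SAMPLE_FLOW = json.loads("""
{"definition": {"actions": {
  "Get_orders": {"type": "Http",
    "inputs": {"method": "GET", "uri": "https://api.acme.com/orders"}},
  "Scope_sync": {"type": "Scope", "actions": {
    "Post_status": {"type": "Http",
      "inputs": {"method": "POST", "uri": "@{parameters('ApiBaseUrl')}/status"}}}}
}}}
""")

LITERAL_URL = re.compile(r"^\s*https?://", re.IGNORECASE)


def walk_actions(actions, path=""):
    """Yield (path, action) for every action, descending into containers."""
    for name, action in (actions or {}).items():
        here = f"{path}/{name}"
        yield here, action
        # Scope / Foreach / If-true branch keep children under "actions".
        yield from walk_actions(action.get("actions"), here)
        # If-false branch and Switch default/cases (assumed layout).
        for key in ("else", "default"):
            yield from walk_actions((action.get(key) or {}).get("actions"), f"{here}/{key}")
        for case, body in (action.get("cases") or {}).items():
            yield from walk_actions(body.get("actions"), f"{here}/{case}")


def find_hardcoded_uris(flow):
    """Return [(action path, uri)] for HTTP actions whose uri starts with a literal URL."""
    definition = flow.get("properties", flow).get("definition", {})
    findings = []
    for path, action in walk_actions(definition.get("actions")):
        if str(action.get("type", "")).lower() != "http":
            continue
        uri = (action.get("inputs") or {}).get("uri", "")
        if isinstance(uri, str) and LITERAL_URL.match(uri):
            findings.append((path, uri))
    return findings


if __name__ == "__main__":
    for path, uri in find_hardcoded_uris(SAMPLE_FLOW):
        print(f"hardcoded endpoint: {path} -> {uri}")
```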
This page is generated from the canonical Flowcerta rule registry used by validation scoring.