Hardcoded Credentials in Automation Workflows

Hardcoded credentials are passwords, API keys, database connection strings, or other secrets written directly into a workflow file instead of being stored in a dedicated secrets manager or credential store.

Why this is a critical risk

A hardcoded credential inside a .xaml or .json file is effectively a secret stored in plaintext. Anyone with read access to the file, repository, export archive, or backup that contains it can read the credential.

Hardcoded credentials are among the most common causes of automation-related data breaches and audit findings. They are also among the easiest to prevent.

The correct approach

  • UiPath - Store credentials in Orchestrator Assets or CyberArk and retrieve them at runtime.
  • Power Automate - Use Azure Key Vault or environment variables, never embedded secrets.
  • All platforms - Any credential that cannot be rotated without modifying the workflow file is a governance failure.

How Flowcerta addresses this

Flowcerta's HARDCODED_CREDENTIALS check flags embedded passwords, API keys, and connection strings with the specific activity, variable name, and remediation step.
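As an added example (not Flowcerta's code, and not a description of how its HARDCODED_CREDENTIALS check is implemented), the following Python scanner applies the rule described above to a UiPath .xaml workflow and a Power Automate .json flow definition. It flags literal values in credential-named variables, attributes and keys, plus inline `Password=` fields in connection strings, and reports the activity, the name holding the secret and a remediation step, while leaving runtime references unflagged: a UiPath argument such as `[in_ApiToken]`, a Power Automate `@parameters(...)` expression, or a Get Credential asset lookup. The two embedded sample workflows are constructed for this example; their activity and attribute names are assumptions modelled on the two platforms' file formats, not a specification of either.

```python
"""Added example (not Flowcerta's code): flag hardcoded credentials in UiPath
.xaml and Power Automate .json workflow files. Sample inputs are constructed."""
import json
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Variable / attribute / key names that normally carry a secret.
SECRET_NAME = re.compile(r"passw(or)?d|pwd|secret|api[_-]?key|token|authorization|connection[_-]?string", re.I)
# Activities whose plain "Text" attribute is a secret (e.g. TypeSecureText).
SECRET_TAG = re.compile(r"secure|password|credential", re.I)
# Credential embedded in a connection string: "...;Password=hunter2;..."
CONN_PWD = re.compile(r"(?:^|;)\s*(password|pwd)\s*=\s*[^;]+", re.I)
SKIP_ATTRS = {"DisplayName", "Name", "Annotation"}   # describe the activity, carry no data
REMEDIATION = {
    "xaml": "Move the value to an Orchestrator Credential Asset (or CyberArk) and fetch it with Get Credential at runtime.",
    "json": "Move the value to Azure Key Vault or an environment variable and reference it from the flow.",
}
Finding = namedtuple("Finding", "check file location name remediation")


def is_literal_secret(value):
    """True for an embedded literal; False for a reference resolved at runtime."""
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        # UiPath expression: [in_ApiToken] reads an argument, ["hunter2"] is a literal.
        return '"' in v
    # Power Automate expressions (@parameters('x'), @{...}) are evaluated at runtime.
    return bool(v) and not v.startswith("@")


def scan_xaml(path, text):
    findings = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.split("}")[-1]                      # strip the XML namespace
        if tag == "Variable":                            # <Variable Name=".." Default=".."/>
            name, default = el.get("Name", ""), el.get("Default", "")
            if (SECRET_NAME.search(name) and is_literal_secret(default)) or CONN_PWD.search(default):
                findings.append(Finding("HARDCODED_CREDENTIALS", path, "Variables", name, REMEDIATION["xaml"]))
            continue
        activity = el.get("DisplayName") or tag
        for attr, value in el.attrib.items():
            attr = attr.split("}")[-1]
            if attr in SKIP_ATTRS:
                continue
            secret_attr = SECRET_NAME.search(attr) or (SECRET_TAG.search(tag) and attr == "Text")
            if (secret_attr and is_literal_secret(value)) or CONN_PWD.search(value):
                findings.append(Finding("HARDCODED_CREDENTIALS", path, activity, attr, REMEDIATION["xaml"]))
    return findings


def scan_json(path, node, json_path="$", action="(flow root)"):
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            # Direct children of an "actions" map are the flow's actions (its activities).
            child_action = key if json_path.endswith(".actions") else action
            if isinstance(value, str):
                if (SECRET_NAME.search(key) and is_literal_secret(value)) or CONN_PWD.search(value):
                    findings.append(Finding("HARDCODED_CREDENTIALS", path, child_action, key, REMEDIATION["json"]))
            else:
                findings.extend(scan_json(path, value, f"{json_path}.{key}", child_action))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan_json(path, value, f"{json_path}[{i}]", action))
    return findings


def scan_text(path, text):
    """Dispatch on extension; returns a list of Finding."""
    if path.lower().endswith(".xaml"):
        return scan_xaml(path, text)
    return scan_json(path, json.loads(text)) if path.lower().endswith(".json") else []


# Constructed sample workflows; activity and attribute names are illustrative.
SAMPLE_XAML = """<Activity xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
          xmlns:ui="http://schemas.uipath.com/workflow/activities">
  <Activity.Variables>
    <Variable Name="dbPassword" Default="[&quot;hunter2&quot;]" />
    <Variable Name="apiToken" Default="[in_ApiToken]" />
  </Activity.Variables>
  <Sequence DisplayName="Login">
    <ui:TypeSecureText DisplayName="Type password" Text="[&quot;P@ssw0rd!&quot;]" />
    <ui:ExecuteQuery DisplayName="Read orders"
        ConnectionString="[&quot;Server=sql01;Database=orders;User Id=app;Password=s3cret&quot;]" />
    <ui:GetRobotCredential DisplayName="Get CRM login" AssetName="CRM_Login" />
  </Sequence>
</Activity>"""
SAMPLE_JSON = json.dumps({"definition": {"actions": {
    "Call_Billing_API": {"type": "Http", "inputs": {"headers": {"x-api-key": "sk_live_CONSTRUCTED_1234"}}},
    "Query_Warehouse": {"type": "ApiConnection", "inputs": {
        "connectionString": "Server=wh01;Database=dw;User Id=svc;Password=Winter2024!"}},
    "Call_CRM": {"type": "Http", "inputs": {"headers": {
        "Authorization": "@{concat('Bearer ', parameters('apiKey'))}"}}},
}}})

if __name__ == "__main__":
    for path, text in (("Login.xaml", SAMPLE_XAML), ("Billing.json", SAMPLE_JSON)):
        for f in scan_text(path, text):
            print(f"{f.check} {f.file}: {f.location} / {f.name}\n    {f.remediation}")
```

Run against the constructed samples it reports three findings in the .xaml (the `dbPassword` variable default, the literal typed into the secure-text field, and the connection string on the query activity) and two in the .json (the literal API key header and the connection string), and nothing for the argument reference, the `@` expression or the asset lookup. The separation of "is the name credential-like" from "is the value a literal" is the part worth keeping: it is what lets a scan run as a pre-publish or CI gate without flagging every workflow that correctly reads its secret from a vault at runtime.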