Hi UiPath team,
As part of our governance implementation at an enterprise level, we have come across few finding which we would like to share with you.
Below studio activities are found to be incompatible with the workflow analyzer rule(even in default state) ST-SEC-009(secure string misusage) as these activities doesn’t accept credentials in a secure way and rule ST-SEC-009 aims to identify such patterns and help block them from entering production thus making it impossible for such scenarios to co-exist with governance enabled on this rule:
|Studio Package||Studio Activity||Issue||Assets(credential)|
|UiPath.WebAPI.Activities = 1.7.0||HTTP activity||Headers section under Options in properties panel doesn’t accept API key as secure string||API Key|
|UiPath.WebAPI.Activities = 1.7.0||HTTP activity||Request Body under Options in properties panel doesn’t accept Password as secure string||Password|
|UiPath.Database.Activities =1.4.0||Connect Activity||Connection string doesn’t accept Password as secure string||Password|
|UiPath.Cryptography.Activities = 1.2.0||Encrypt/Decrypt Activity||Key section doesn’t accept Encryption key as secure string||Encryption Key|
Hope this info helps to identify and resolve more of such patterns in studio activities.