@flow-scanner/lightning-flow-scanner-core 6.16.2 → 6.17.0

package/README.md

@@ -70,20 +70,27 @@ Executing DML operations (insert, update, delete) inside a loop is a high-risk a
 **Class Name:** _[DMLStatementInLoop](https://github.com/Flow-Scanner/lightning-flow-scanner/blob/main/packages/core/src/main/rules/DMLStatementInLoop.ts)_
 **Severity:** 🔴 *Error*
 
-#### Hardcoded Id
+#### Hardcoded Salesforce Id
 Avoid hard-coding record IDs, as they are unique to a specific org and will not work in other environments. Instead, store IDs in variables—such as merge-field URL parameters or a **Get Records** element—to make the Flow portable, maintainable, and flexible.
 
 **Rule ID:** `hardcoded-id`
 **Class Name:** _[HardcodedId](https://github.com/Flow-Scanner/lightning-flow-scanner/blob/main/packages/core/src/main/rules/HardcodedId.ts)_
 **Severity:** 🔴 *Error*
 
-#### Hardcoded Url
+#### Hardcoded Salesforce Url
 Avoid hard-coding URLs, as they may change between environments or over time. Instead, store URLs in variables or custom settings to make the Flow adaptable, maintainable, and environment-independent.
 
 **Rule ID:** `hardcoded-url`
 **Class Name:** _[HardcodedUrl](https://github.com/Flow-Scanner/lightning-flow-scanner/blob/main/packages/core/src/main/rules/HardcodedUrl.ts)_
 **Severity:** 🔴 *Error*
 
+#### Hardcoded Secret ![Beta](https://img.shields.io/badge/status-beta-yellow)
+Avoid hardcoding secrets, API keys, tokens, or credentials in Flows. These should be stored securely in Named Credentials, Custom Settings, Custom Metadata, or external secret management systems.
+
+**Rule ID:** `hardcoded-secret`
+**Class Name:** _[HardcodedSecret](https://github.com/Flow-Scanner/lightning-flow-scanner/blob/main/packages/core/src/main/rules/HardcodedSecret.ts)_
+**Severity:** 🔴 *Error*
+
 #### Process Builder
 Process Builder is retired. Continuing to use it increases maintenance overhead and risks future compatibility issues. Migrating automation to Flow reduces risk and improves maintainability.
 

package/main/config/RegexAdapter.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Adapter functions to convert between core models (Flow, Violation)
+ * and regex-scanner models (MetadataFile, RegexViolation).
+ *
+ * This allows core rules to delegate to regex-scanner while maintaining
+ * backward compatibility with existing consumers.
+ */
+import type { MetadataFile, MetadataElement, RegexViolation } from "@flow-scanner/regex-scanner";
+import { Flow } from "../models/Flow";
+import { FlowElement } from "../models/FlowElement";
+import { Violation } from "../models/Violation";
+/**
+ * Convert a Flow object to a MetadataFile for regex-scanner.
+ */
+export declare function toMetadataFile(flow: Flow): MetadataFile;
+/**
+ * Convert Flow elements to MetadataElements for element-level scanning.
+ */
+export declare function toMetadataElements(flow: Flow): MetadataElement[];
+/**
+ * Convert a RegexViolation to a core Violation.
+ * Creates the appropriate FlowElement subclass based on metaType.
+ */
+export declare function toViolation(rv: RegexViolation): Violation;
+/**
+ * Convert a core FlowElement to a regex-scanner MetadataElement.
+ */
+export declare function flowElementToMetadataElement(element: FlowElement): MetadataElement;
+/**
+ * Convert multiple RegexViolations to core Violations.
+ */
+export declare function toViolations(violations: RegexViolation[]): Violation[];

package/main/config/RegexAdapter.js

@@ -0,0 +1,86 @@
+/**
+ * Adapter functions to convert between core models (Flow, Violation)
+ * and regex-scanner models (MetadataFile, RegexViolation).
+ *
+ * This allows core rules to delegate to regex-scanner while maintaining
+ * backward compatibility with existing consumers.
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get flowElementToMetadataElement () {
+        return flowElementToMetadataElement;
+    },
+    get toMetadataElements () {
+        return toMetadataElements;
+    },
+    get toMetadataFile () {
+        return toMetadataFile;
+    },
+    get toViolation () {
+        return toViolation;
+    },
+    get toViolations () {
+        return toViolations;
+    }
+});
+const _FlowAttribute = require("../models/FlowAttribute");
+const _Violation = require("../models/Violation");
+function toMetadataFile(flow) {
+    // Handle case where toXMLString may not exist (e.g., in tests with partial Flow objects)
+    let content = "";
+    if (typeof flow.toXMLString === "function") {
+        content = flow.toXMLString();
+    }
+    var _flow_uri_split_pop;
+    return {
+        name: flow.name,
+        fileName: flow.uri ? (_flow_uri_split_pop = flow.uri.split(/[\\/]/).pop()) !== null && _flow_uri_split_pop !== void 0 ? _flow_uri_split_pop : `${flow.name}.flow-meta.xml` : `${flow.name}.flow-meta.xml`,
+        filePath: flow.fsPath,
+        metadataType: "Flow",
+        content,
+        elements: toMetadataElements(flow)
+    };
+}
+function toMetadataElements(flow) {
+    if (!flow.elements || flow.elements.length === 0) {
+        return [];
+    }
+    return flow.elements.map((element)=>{
+        var _element_element;
+        return {
+            name: element.name,
+            type: element.subtype,
+            content: (_element_element = element.element) !== null && _element_element !== void 0 ? _element_element : element
+        };
+    });
+}
+function toViolation(rv) {
+    var _rv_expression;
+    // Create a FlowAttribute to represent the violation
+    // This is the simplest approach that works for all regex rules
+    const flowElement = new _FlowAttribute.FlowAttribute(rv.name, rv.type, (_rv_expression = rv.expression) !== null && _rv_expression !== void 0 ? _rv_expression : rv.matchedText);
+    const violation = new _Violation.Violation(flowElement);
+    // Override line/column from regex violation
+    violation.lineNumber = rv.lineNumber;
+    violation.columnNumber = rv.columnNumber;
+    return violation;
+}
+function flowElementToMetadataElement(element) {
+    var _element_element;
+    return {
+        name: element.name,
+        type: element.subtype,
+        content: (_element_element = element.element) !== null && _element_element !== void 0 ? _element_element : element
+    };
+}
+function toViolations(violations) {
+    return violations.map(toViolation);
+}

package/main/config/RuleRegistry.js

@@ -20,6 +20,7 @@ const _FlowName = require("../rules/FlowName");
 const _GetRecordAllFields = require("../rules/GetRecordAllFields");
 const _HardcodedId = require("../rules/HardcodedId");
 const _HardcodedUrl = require("../rules/HardcodedUrl");
+const _HardcodedSecret = require("../rules/HardcodedSecret");
 const _InactiveFlow = require("../rules/InactiveFlow");
 const _MissingFaultPath = require("../rules/MissingFaultPath");
 const _MissingNullHandler = require("../rules/MissingNullHandler");
@@ -202,4 +203,5 @@ registry.register("missing-metadata-description", _MissingMetadataDescription.Mi
 registry.register("missing-record-trigger-filter", _MissingRecordTriggerFilter.MissingRecordTriggerFilter, "MissingFilterRecordTrigger", true);
 registry.register("transform-instead-of-loop", _TransformInsteadOfLoop.TransformInsteadOfLoop, "TransformInsteadOfLoop", true);
 registry.register("record-id-as-string", _RecordIdAsString.RecordIdAsString, "RecordIdAsString", true);
+registry.register("hardcoded-secret", _HardcodedSecret.HardcodedSecret, "HardcodedSecret", true);
 const ruleRegistry = registry;

package/main/rules/FlowName.d.ts

@@ -1,7 +1,13 @@
 import * as core from "../internals/internals";
 import { RuleCommon } from "../models/RuleCommon";
 import { IRuleDefinition } from "../interfaces/IRuleDefinition";
+/**
+ * Flow naming convention rule.
+ * This is a wrapper around the regex-scanner's NamingConvention rule,
+ * maintaining backward compatibility with the core scanner interface.
+ */
 export declare class FlowName extends RuleCommon implements IRuleDefinition {
+    private regexRule;
     constructor();
     protected check(flow: core.Flow, options: {
         expression?: string;

package/main/rules/FlowName.js

@@ -10,6 +10,21 @@ Object.defineProperty(exports, "FlowName", {
 });
 const _internals = /*#__PURE__*/ _interop_require_wildcard(require("../internals/internals"));
 const _RuleCommon = require("../models/RuleCommon");
+const _regexscanner = require("@flow-scanner/regex-scanner");
+const _RegexAdapter = require("../config/RegexAdapter");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
 function _getRequireWildcardCache(nodeInterop) {
     if (typeof WeakMap !== "function") return null;
     var cacheBabelInterop = new WeakMap();
@@ -53,16 +68,14 @@ function _interop_require_wildcard(obj, nodeInterop) {
 }
 let FlowName = class FlowName extends _RuleCommon.RuleCommon {
     check(flow, options, _suppressions) {
-        var _options_expression;
-        const rawRegexp = (_options_expression = options === null || options === void 0 ? void 0 : options.expression) !== null && _options_expression !== void 0 ? _options_expression : "[A-Za-z0-9]+_[A-Za-z0-9]+";
-        var _flow_name;
-        const flowName = (_flow_name = flow.name) !== null && _flow_name !== void 0 ? _flow_name : "";
-        if (new RegExp(rawRegexp).test(flowName)) {
-            return [];
-        }
-        return [
-            new _internals.Violation(new _internals.FlowAttribute(flowName, "name", rawRegexp))
-        ];
+        // Convert Flow to MetadataFile for regex-scanner
+        const metadataFile = (0, _RegexAdapter.toMetadataFile)(flow);
+        // Execute regex rule
+        const regexViolations = this.regexRule.execute(metadataFile, {
+            expression: options === null || options === void 0 ? void 0 : options.expression
+        });
+        // Convert back to core Violations
+        return (0, _RegexAdapter.toViolations)(regexViolations);
     }
     constructor(){
         super({
@@ -81,6 +94,6 @@ let FlowName = class FlowName extends _RuleCommon.RuleCommon {
             supportedTypes: _internals.FlowType.allTypes()
         }, {
             severity: "error"
-        });
+        }), _define_property(this, "regexRule", new _regexscanner.NamingConvention());
     }
 };

package/main/rules/HardcodedId.d.ts

@@ -1,7 +1,13 @@
 import * as core from "../internals/internals";
 import { RuleCommon } from "../models/RuleCommon";
 import { IRuleDefinition } from "../interfaces/IRuleDefinition";
+/**
+ * Hardcoded Salesforce ID detection rule.
+ * This is a wrapper around the regex-scanner's HardcodedId rule,
+ * maintaining backward compatibility with the core scanner interface.
+ */
 export declare class HardcodedId extends RuleCommon implements IRuleDefinition {
+    private regexRule;
     constructor();
     protected check(flow: core.Flow, _options: object | undefined, _suppressions: Set<string>): core.Violation[];
 }

package/main/rules/HardcodedId.js

@@ -10,6 +10,21 @@ Object.defineProperty(exports, "HardcodedId", {
 });
 const _internals = /*#__PURE__*/ _interop_require_wildcard(require("../internals/internals"));
 const _RuleCommon = require("../models/RuleCommon");
+const _regexscanner = require("@flow-scanner/regex-scanner");
+const _RegexAdapter = require("../config/RegexAdapter");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
 function _getRequireWildcardCache(nodeInterop) {
     if (typeof WeakMap !== "function") return null;
     var cacheBabelInterop = new WeakMap();
@@ -53,15 +68,19 @@ function _interop_require_wildcard(obj, nodeInterop) {
 }
 let HardcodedId = class HardcodedId extends _RuleCommon.RuleCommon {
     check(flow, _options, _suppressions) {
-        const salesforceIdRegex = /\b[a-zA-Z0-9]{5}0[a-zA-Z0-9]{9}(?:[a-zA-Z0-9]{3})?\b/g;
-        return flow.elements.filter((node)=>salesforceIdRegex.test(JSON.stringify(node))).map((node)=>new _internals.Violation(node));
+        // Convert Flow to MetadataFile for regex-scanner
+        const metadataFile = (0, _RegexAdapter.toMetadataFile)(flow);
+        // Execute regex rule
+        const regexViolations = this.regexRule.execute(metadataFile);
+        // Convert back to core Violations
+        return (0, _RegexAdapter.toViolations)(regexViolations);
     }
     constructor(){
         super({
             ruleId: "hardcoded-id",
             name: "HardcodedId",
             category: "problem",
-            label: "Hardcoded Id",
+            label: "Hardcoded Salesforce Id",
             description: "Avoid hard-coding record IDs, as they are unique to a specific org and will not work in other environments. Instead, store IDs in variables—such as merge-field URL parameters or a **Get Records** element—to make the Flow portable, maintainable, and flexible.",
             summary: "Hardcoded IDs break portability across environments",
             supportedTypes: _internals.FlowType.allTypes(),
@@ -77,6 +96,6 @@ let HardcodedId = class HardcodedId extends _RuleCommon.RuleCommon {
             ]
         }, {
             severity: "error"
-        });
+        }), _define_property(this, "regexRule", new _regexscanner.HardcodedId());
     }
 };

package/main/rules/HardcodedSecret.d.ts

@@ -0,0 +1,13 @@
+import * as core from "../internals/internals";
+import { RuleCommon } from "../models/RuleCommon";
+import { IRuleDefinition } from "../interfaces/IRuleDefinition";
+/**
+ * Hardcoded secrets detection rule.
+ * This is a wrapper around the regex-scanner's HardcodedSecret rule,
+ * maintaining backward compatibility with the core scanner interface.
+ */
+export declare class HardcodedSecret extends RuleCommon implements IRuleDefinition {
+    private regexRule;
+    constructor();
+    protected check(flow: core.Flow, _options: object | undefined, _suppressions: Set<string>): core.Violation[];
+}

package/main/rules/HardcodedSecret.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "HardcodedSecret", {
+    enumerable: true,
+    get: function() {
+        return HardcodedSecret;
+    }
+});
+const _internals = /*#__PURE__*/ _interop_require_wildcard(require("../internals/internals"));
+const _RuleCommon = require("../models/RuleCommon");
+const _regexscanner = require("@flow-scanner/regex-scanner");
+const _RegexAdapter = require("../config/RegexAdapter");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _getRequireWildcardCache(nodeInterop) {
+    if (typeof WeakMap !== "function") return null;
+    var cacheBabelInterop = new WeakMap();
+    var cacheNodeInterop = new WeakMap();
+    return (_getRequireWildcardCache = function(nodeInterop) {
+        return nodeInterop ? cacheNodeInterop : cacheBabelInterop;
+    })(nodeInterop);
+}
+function _interop_require_wildcard(obj, nodeInterop) {
+    if (!nodeInterop && obj && obj.__esModule) {
+        return obj;
+    }
+    if (obj === null || typeof obj !== "object" && typeof obj !== "function") {
+        return {
+            default: obj
+        };
+    }
+    var cache = _getRequireWildcardCache(nodeInterop);
+    if (cache && cache.has(obj)) {
+        return cache.get(obj);
+    }
+    var newObj = {
+        __proto__: null
+    };
+    var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor;
+    for(var key in obj){
+        if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) {
+            var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null;
+            if (desc && (desc.get || desc.set)) {
+                Object.defineProperty(newObj, key, desc);
+            } else {
+                newObj[key] = obj[key];
+            }
+        }
+    }
+    newObj.default = obj;
+    if (cache) {
+        cache.set(obj, newObj);
+    }
+    return newObj;
+}
+let HardcodedSecret = class HardcodedSecret extends _RuleCommon.RuleCommon {
+    check(flow, _options, _suppressions) {
+        // Convert Flow to MetadataFile for regex-scanner
+        const metadataFile = (0, _RegexAdapter.toMetadataFile)(flow);
+        // Execute regex rule
+        const regexViolations = this.regexRule.execute(metadataFile);
+        // Convert back to core Violations
+        return (0, _RegexAdapter.toViolations)(regexViolations);
+    }
+    constructor(){
+        super({
+            ruleId: "hardcoded-secret",
+            name: "HardcodedSecret",
+            category: "problem",
+            label: "Hardcoded Secret",
+            description: "Avoid hardcoding secrets, API keys, tokens, or credentials in Flows. These should be stored securely in Named Credentials, Custom Settings, Custom Metadata, or external secret management systems.",
+            summary: "Hardcoded secrets pose security risks",
+            supportedTypes: _internals.FlowType.allTypes(),
+            docRefs: [
+                {
+                    label: "Salesforce Named Credentials",
+                    path: "https://help.salesforce.com/s/articleView?id=sf.named_credentials_about.htm"
+                },
+                {
+                    label: "OWASP Secrets Management Cheat Sheet",
+                    path: "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
+                }
+            ]
+        }, {
+            severity: "error"
+        }), _define_property(this, "regexRule", new _regexscanner.HardcodedSecret());
+    }
+};

package/main/rules/HardcodedUrl.d.ts

@@ -1,7 +1,13 @@
 import { Flow, Violation } from "../internals/internals";
 import { RuleCommon } from "../models/RuleCommon";
 import { IRuleDefinition } from "../interfaces/IRuleDefinition";
+/**
+ * Hardcoded Salesforce URL detection rule.
+ * This is a wrapper around the regex-scanner's HardcodedUrl rule,
+ * maintaining backward compatibility with the core scanner interface.
+ */
 export declare class HardcodedUrl extends RuleCommon implements IRuleDefinition {
+    private regexRule;
     constructor();
     protected check(flow: Flow, _options: object | undefined, _suppressions: Set<string>): Violation[];
 }

package/main/rules/HardcodedUrl.js

@@ -10,11 +10,29 @@ Object.defineProperty(exports, "HardcodedUrl", {
 });
 const _internals = require("../internals/internals");
 const _RuleCommon = require("../models/RuleCommon");
+const _regexscanner = require("@flow-scanner/regex-scanner");
+const _RegexAdapter = require("../config/RegexAdapter");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
 let HardcodedUrl = class HardcodedUrl extends _RuleCommon.RuleCommon {
     check(flow, _options, _suppressions) {
-        if (!flow.elements || flow.elements.length === 0) return [];
-        const urlRegex = /https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}force\.com/g;
-        return flow.elements.filter((element)=>urlRegex.test(JSON.stringify(element))).map((element)=>new _internals.Violation(element));
+        // Convert Flow to MetadataFile for regex-scanner
+        const metadataFile = (0, _RegexAdapter.toMetadataFile)(flow);
+        // Execute regex rule
+        const regexViolations = this.regexRule.execute(metadataFile);
+        // Convert back to core Violations
+        return (0, _RegexAdapter.toViolations)(regexViolations);
     }
     constructor(){
         super({
@@ -32,11 +50,11 @@ let HardcodedUrl = class HardcodedUrl extends _RuleCommon.RuleCommon {
                     path: "https://admin.salesforce.com/blog/2021/why-you-should-avoid-hard-coding-and-three-alternative-solutions"
                 }
             ],
-            label: "Hardcoded Url",
+            label: "Hardcoded Salesforce Url",
             name: "HardcodedUrl",
             supportedTypes: _internals.FlowType.allTypes()
         }, {
             severity: "error"
-        });
+        }), _define_property(this, "regexRule", new _regexscanner.HardcodedUrl());
     }
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@flow-scanner/lightning-flow-scanner-core",
   "description": "A lightweight engine for Flow metadata in Node.js, and browser environments. Assess and enhance Salesforce Flow automations for best practices, security, governor limits, and performance issues.",
-  "version": "6.16.2",
+  "version": "6.17.0",
   "main": "index.js",
   "exports": {
     ".": {
@@ -20,6 +20,7 @@
     "directory": "packages/core"
   },
   "dependencies": {
+    "@flow-scanner/regex-scanner": "workspace:*",
     "fast-xml-parser": "^5.3.0"
   },
   "homepage": "https://flow-scanner.github.io/lightning-flow-scanner/",