False Positive: "Hard-coded credentials" warning in iparams.html during app upload

Jaba_Balkhamishvili · June 23, 2025, 7:44am

Hi Freshworks team,

I’m uploading a custom Freshdesk app and during the validation step, I received the following OWASP scan warning:

File: config/iparams.html:L462  
Rule: secrets.generic.api-key.string.string  
Severity: WARNING  
Message: Hard-coded credentials (validity unknown) found

However, there are no hard-coded secrets in my app. The flagged line is simply a <fw-input> element where the admin can enter their Freshdesk API key during app installation:

<fw-input
  id="fd_api_key"
  label="Freshdesk API key"
  warning-text="Please enter API key"
  error-text="Invalid Api key"
  placeholder="Enter your Freshdesk API key"
  required
  clear-input
>
</fw-input>

This is not a secret stored in the source. The actual values are saved securely using __meta.secure in postConfigs() like this:

return {
  __meta: {
    secure: ["fdApiKey", "clickUpApiKey"],
  },
  fdApiKey: fd_api_key.value,
  clickUpApiKey: click_up_api_key.value,
  ...
};

Clarification

This appears to be a false positive due to the field name and placeholder text resembling a secret.
There are no credentials or secrets hardcoded in the file or anywhere in the repo.

Could you please confirm if this can be marked as a false positive so I can proceed with publishing?

Thanks a lot!
Jaba
App: Freshdesk–ClickUp Integration

Raviraj · June 25, 2025, 7:30am

HI @Jaba_Balkhamishvili,

If the app doesn’t have any hard-coded values entered in the app code, please inform the app reviewer of the same via the same email thread and submit the app again.

If there are any other errors or warning, please fix them before submitting the app.

Jaba_Balkhamishvili · June 25, 2025, 8:21am

No one is answering there im getting this Mail and answering: support@sudodev.freshdesk.com

but no one is answering there ever

Raviraj · June 25, 2025, 12:06pm

Hi @Jaba_Balkhamishvili,

Can you please send a reply in the same thread where you get communication related to your app submission and the security report?

The other threads to this email will be ignored. Only the app submission-related email thread will be followed.
I will also request our team to check your app and respond.

Thakur_Ganeshsingh · June 26, 2025, 4:02pm

Hi @Jaba_Balkhamishvili ,

From the backend I can see your app has been successfully submitted for review. I see the changes include addition of two request templates fdAccountDetails and createItemInDataHub
Could you please confirm if the submission is the same one?

Regards,
Thakur

Jaba_Balkhamishvili · June 27, 2025, 10:57am

hey Thakur, so yes its the same and its still under review today i submitted a new one, i renamed some IDs which ChatGPT suggested could be the culprit why the Fresh test automation is giving us this feedback, the latest report say no errors anymore so lets wait for approval

So in general i guess naming even an UI input field with an ID called something like fd_api_key or clickUpApiKey is kinda a flag for the test

is this correct ?

Thakur_Ganeshsingh · July 2, 2025, 9:36am

It is done via SAST Scan, which at times can flag such issues