However, there are no hard-coded secrets in my app. The flagged line is simply a <fw-input> element where the admin can enter their Freshdesk API key during app installation:
<fw-input
  id="fd_api_key"
  label="Freshdesk API key"
  warning-text="Please enter API key"
  error-text="Invalid Api key"
  placeholder="Enter your Freshdesk API key"
  required
  clear-input
>
</fw-input>
This is not a secret stored in the source. The actual values are saved securely using __meta.secure in postConfigs() like this:
This appears to be a false positive due to the field name and placeholder text resembling a secret.
There are no credentials or secrets hardcoded in the file or anywhere in the repo.
Could you please confirm if this can be marked as a false positive so I can proceed with publishing?
Thanks a lot! Jaba
App: Freshdesk–ClickUp Integration
If the app doesn’t have any hard-coded values entered in the app code, please inform the app reviewer of the same via the same email thread and submit the app again.
If there are any other errors or warnings, please fix them before submitting the app.
Can you please send a reply in the same thread where you get communication related to your app submission and the security report?
The other threads to this email will be ignored. Only the app submission-related email thread will be followed.
I will also request our team to check your app and respond.
From the backend I can see your app has been successfully submitted for review. I see the changes include the addition of two request templates, fdAccountDetails and createItemInDataHub.
Could you please confirm if the submission is the same one?
Hey Thakur, so yes, it's the same and it's still under review. Today I submitted a new one; I renamed some IDs which ChatGPT suggested could be the culprit why the Fresh test automation is giving us this feedback. The latest report says no errors anymore, so let's wait for approval.
So in general I guess naming even a UI input field with an ID called something like fd_api_key or clickUpApiKey is kinda a flag for the test.
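Added example, not part of the thread and not Freshworks' scanner: a minimal triage check showing how the element from the first post matches a secret-like name pattern yet carries no literal value, next to a constructed tag that does. The regex, the length and entropy thresholds, and the function names are assumptions made for illustration.

```javascript
// Added illustration, not the Freshworks scanner: the regex and thresholds are assumptions.
const SECRET_NAME = /api[_-]?key|secret|token|passw(or)?d/i;

// Shannon entropy of a string, in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Split one opening tag into a map of attribute name -> value ("" for boolean attributes).
function parseAttributes(tagSource) {
  const body = tagSource.replace(/^\s*<\s*[\w-]+/, "").replace(/\/?>\s*$/, "");
  const attrs = {};
  for (const m of body.matchAll(/([\w-]+)(?:\s*=\s*"([^"]*)")?/g)) {
    attrs[m[1].toLowerCase()] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

// nameHit: the id/name looks like a credential field (what a name-based rule sees).
// literalHit: a long, high-entropy value is actually present in the markup.
function classify(tagSource) {
  const attrs = parseAttributes(tagSource);
  const nameHit = SECRET_NAME.test(attrs.id || "") || SECRET_NAME.test(attrs.name || "");
  const value = attrs.value || "";
  const literalHit = value.length >= 16 && !/\s/.test(value) && entropy(value) >= 3.5;
  const verdict = nameHit && literalHit ? "hardcoded-secret" : nameHit ? "name-only" : "clean";
  return { nameHit, literalHit, verdict };
}

// The element from the first post (opening tag only).
const PAGE_TAG = `<fw-input
  id="fd_api_key"
  label="Freshdesk API key"
  warning-text="Please enter API key"
  error-text="Invalid Api key"
  placeholder="Enter your Freshdesk API key"
  required
  clear-input
>`;
// Constructed counter-example: same field with a literal baked into the markup (fake value).
const CONSTRUCTED_TAG = '<fw-input id="fd_api_key" value="q7Xv2LmP9zRt4KcW8yBn3HdF">';

console.log(classify(PAGE_TAG).verdict, classify(CONSTRUCTED_TAG).verdict);
```

A "name-only" result is the kind of finding to report back to the reviewer as a false positive; "hardcoded-secret" is the kind to fix before resubmitting.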