Studio User Guide
Last updated Apr 3, 2024

ST-SEC-009 - SecureString Misusage

Rule ID: ST-SEC-009

Scope: Workflow


Description

This rule checks whether the SecureString type is misused in the workflow. SecureString is used to avoid storing potentially sensitive strings as plain text. If certain activities accept sensitive information as input but do not support the SecureString type, you can exclude them from this rule.


Recommendation

The SecureString type should not be used for any purpose other than the intended one. Therefore, attempting to cast SecureString to String may be viewed as a security risk.

According to the official Microsoft documentation, a String object that contains sensitive information carries the risk of that information being revealed after it is used.

In addition, the scope of SecureString type variables should be very limited, ideally in the same scope where they were created.
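The recommendation above, as an added C# example that is not part of the UiPath documentation: it places the String conversion the rule warns about next to passing the SecureString directly and keeping it in a narrow scope. All class, method and account names are hypothetical, and the sample secret is constructed.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringHandling   // hypothetical names throughout
{
    // Discouraged: converts the secret into an immutable String that the
    // program cannot erase on demand once it has been used.
    static string ToPlainText(SecureString secret) =>
        new NetworkCredential(string.Empty, secret).Password;

    // Preferred: pass the SecureString itself to an API that accepts it.
    static NetworkCredential ToCredential(string user, SecureString secret) =>
        new NetworkCredential(user, secret);

    // If raw characters are unavoidable, expose them only inside a callback,
    // in unmanaged memory that is zeroed and freed before returning.
    static void WithRawChars(SecureString secret, Action<IntPtr, int> use)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            use(buffer, secret.Length);
        }
        finally
        {
            if (buffer != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        // Constructed sample; a real workflow receives the SecureString
        // from a credential source rather than building it from a literal.
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();

            NetworkCredential credential = ToCredential("svc-account", secret);
            Console.WriteLine(credential.SecurePassword.Length);

            WithRawChars(secret, (ptr, length) =>
                Console.WriteLine(Marshal.ReadInt16(ptr) == 'c'));
        }   // Dispose() clears the protected buffer when the scope ends
    }
}
```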

Modifying the Rule

In the Project Settings window, select the Workflow Analyzer tab. Find and select the rule.

You can exclude activities that do not support the SecureString type by adding their namespaces, separated by commas, in the Excluded Activities field.

Reset to Default

To reset the value to default, right-click the rule in the Project Settings window, and then click Reset to default.
