Why Avoid Hard-Coded Values in Salesforce?
Hard-coding values like record types, usernames, passwords, or other metadata references in Salesforce configuration or code (flows, Apex, Visualforce) is considered an anti-pattern in Salesforce's Well-Architected framework and poses serious challenges:
Security Risk: Hard-coding sensitive information such as usernames or passwords in readable formats exposes the system to potential security vulnerabilities.
Maintenance Overhead: Every time a record type, user, or other metadata changes, you must manually locate and update all occurrences of the hard-coded reference.
Error-Prone: As organizations scale, hard-coded references can easily become outdated, resulting in broken processes or unintended behaviors.
Avoiding hard-coded values ensures that your Salesforce architecture is adaptable, secure, and easy to maintain.
When to Use Elements.cloud to Identify Hard-Coded References?
This solution applies when:
You are refactoring a legacy Salesforce system where hard-coded references may have accumulated over time.
Security audits are being conducted to eliminate any risks related to hard-coded credentials or sensitive information.
You are preparing for a release and need to ensure no hard-coded values exist that might break functionality post-deployment.
Prerequisites
Salesforce Metadata Management license
A Salesforce Org synced into the Metadata Dictionary (can be Production or a Sandbox, provided the Sandbox was refreshed recently)
Editor permissions for the Metadata dictionary to use the metadata search feature
Steps to find all hard-coded references
Elements.cloud instantly identifies all hard-coded references across your Salesforce org in a single search, eliminating the need for manual code reviews. You don't even need to know which reference to look for; we will find any hard-coded reference.
You can then create tasks for all found hard-coded references with a click of a button, ensuring all required updates are tracked and prioritized in your backlog.
Here is how to do it step-by-step:
Step 1: Find hard-coded references in all code
Navigate to the Salesforce Metadata Dictionary. Right-click / open context menu for the top-level component in the metadata dictionary. Click on 'Find hard-coded references in all code'.
Then from the dropdown select 'Find all hardcoded IDs'. The search will initialize.
The search will go through Apex classes, Apex triggers, Flows, Formulas, Validation rules, Aura component bundles, Lightning Web Components and identify hardcoded references to users, records, and metadata components.
You will see a list of all references found, with details of the metadata component in which each reference was found. If the hard-coded value belongs to a metadata component (e.g. the ID of a record type), we will match it to the specific metadata component in your Org.
Step 2: Find hard-coded email addresses
The automatic search through hard-coded values will not bring back hard-coded passwords or email addresses. For this, you need to use the second option, which is to do a complete search, across all of your code and automations, for a specific string.
Again, navigate to the Salesforce Metadata Dictionary. Right-click / open context menu for the top-level component in the metadata dictionary. Click on 'Find hard-coded references in all code'.
Then from the dropdown select 'Find specific string'. Provide input in the form of @[yourdomain], e.g. '@gmail.com' or '@salesforce.com' etc.
The search will go through Apex classes, Apex triggers, Flows, Formulas, Validation rules, Aura component bundles, Lightning Web Components and identify any string that matches your provided input.
You will see a list of all strings that match your input, with details of the metadata component in which each one was found.
Step 3: Find hard-coded passwords
The automatic search through hard-coded values will not bring back hard-coded passwords or email addresses. For this, you need to use the second option, which is to do a complete search, across all of your code and automations, for a specific string.
Again, navigate to the Salesforce Metadata Dictionary. Right-click / open context menu for the top-level component in the metadata dictionary. Click on 'Find hard-coded references in all code'.
Then from the dropdown select 'Find specific string'.
To identify hard-coded passwords in code, you would typically search for patterns or keywords commonly associated with passwords or authentication data rather than the actual password string. Here are some effective search terms to use one by one to identify potential hard-coded passwords:
Common password variable names:
password
pwd
passwd
userPassword
adminPassword
secret
Keywords related to sensitive information storage or authentication:
token
key
secretKey
apiKey
authToken
auth
Step 5: Take action
Hard-coded search results are actionable through bulk operations. You can raise user stories and document tasks to remove the hard-coded references from your Apex classes, flows, and other components.
The description for each created story will be auto-populated with the results of the search!
Multi-select search results, and then right-click / open context menu. From the options select 'Add change: story per node'. This will create one story per found hard-coded reference.
You can then pick up those stories from your backlog and deliver them when there is capacity.
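The three searches in Steps 1 to 3 can be approximated offline against retrieved metadata source, which is useful for cross-checking results. The sketch below is an added example, not Elements.cloud code: the regular expressions, the `scan` helper and the sample Apex are assumptions, and it only inspects single-quoted Apex string literals. It validates the case checksum of 18-character IDs to cut false positives and reports the variable name of a suspected secret rather than its value.

```python
import re

KEY_PREFIXES = {"001": "Account", "005": "User", "012": "RecordType"}  # ID key prefixes
SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
LITERAL = re.compile(r"'([^'\n]*)'")          # Apex string literals
ID_SHAPE = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Variable names built from the page's search terms, assigned a literal.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:password|passwd|pwd|secret|token|key|auth)\w*)\s*=\s*'[^']+'")

def id_suffix(id15):
    """Case checksum that extends a 15-character ID to its 18-character form."""
    suffix = ""
    for start in (0, 5, 10):
        bits = sum(1 << i for i, ch in enumerate(id15[start:start + 5]) if ch.isupper())
        suffix += SUFFIX_ALPHABET[bits]
    return suffix

def looks_like_id(text):
    if not ID_SHAPE.fullmatch(text) or not any(c.isdigit() for c in text):
        return False
    if len(text) == 18:                        # verify the checksum
        return id_suffix(text[:15]) == text[15:]
    return text[:3] in KEY_PREFIXES            # 15 chars: known prefixes only

def scan(sources):
    """Return (component, line, kind, detail) for a name -> source mapping."""
    findings = []
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for lit in LITERAL.findall(line):
                if looks_like_id(lit):
                    findings.append((name, no, "id", KEY_PREFIXES.get(lit[:3], "unknown")))
            secret = SECRET_ASSIGN.search(line)
            if secret:                         # report the name, never the value
                findings.append((name, no, "secret", secret.group(1)))
            findings += [(name, no, "email", e) for e in EMAIL.findall(line)]
    return findings

SAMPLE = {"LeadRouter.cls": """\
Boolean vip = l.RecordTypeId == '012A0000000abcdIAA';
l.OwnerId = '005A0000000abcd';
String adminPassword = 'Summer2024!';
notify('ops@example.com');
String label = 'ABCDEFGHIJKLMNO123';
"""}  # constructed Apex, not from a real org
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The last sample line has the shape of an 18-character ID but fails the checksum, so it is not reported.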