FAQ-000355 - Code Quality vs Security Vulnerabilities / Specific Security Recommendations and Requirements

Current FAQ

Question
If the code analyzer suggests using Named Credentials, is this a mandatory requirement to pass the security review?
Answer
Using Named Credentials is not mandatory to pass the AppExchange Security Review, even if the code analyzer suggests it. The "ApexSuggestUsingNamedCred" finding is a suggestion and not a strict requirement for the AppExchange Security Review. While Named Credentials is a recommended method for securely storing and managing authentication credentials, you can also use alternatives like protected custom metadata to securely store secrets and credentials.

AI Recommended Enhancement

Related Security Rules
ApexSuggestUsingNamedCred
Question
If the code analyzer suggests using Named Credentials, is this a mandatory requirement to pass the security review?
Recommended Answer Update
Using Named Credentials isn't mandatory to pass the AppExchange Security Review, even when the code analyzer suggests it. The "ApexSuggestUsingNamedCred" finding is a suggestion, not a strict requirement for the AppExchange Security Review. While Named Credentials is the recommended method for securely storing and managing authentication credentials, you can use alternatives like protected custom metadata to securely store secrets and credentials.
Reasoning
The current answer is accurate and well-structured but contains minor phrasing improvements. I made these refinements: (1) Changed "is not mandatory" to "isn't mandatory" for a more conversational tone per the brand guidelines, (2) Removed "also" from "you can also use alternatives" to make the sentence more direct and concise, and (3) Changed "is a recommended method" to "is the recommended method" to be more definitive about Named Credentials being the primary recommendation. The core technical content remains unchanged and accurate. I selected the ApexSuggestUsingNamedCred rule because this FAQ directly addresses the "ApexSuggestUsingNamedCred" finding mentioned in the answer. The FAQ explains what this specific security rule means, whether it's mandatory for AppExchange Security Review, and provides guidance on how to handle this finding. The rule's purpose of suggesting Named Credentials usage directly matches what the FAQ is teaching developers about.