FAQ-001677 - Security Best Practices for Declarative Automation / Managed Package Security

Declarative automation tools (such as Flows, Process Builder, Approval Processes, and Validation Rules) must be secured so they respect user permissions, data access controls, and least-privilege principles. 1: Respect CRUD and Field-Level Security (FLS) 2: Use the correct "Run As" context 3: Avoid unnecessary elevated privileges 4: Limit access via permission sets 5: Secure Data Handling 6: Avoid Hardcoded Credentials

The FAQ content is well-structured and covers important security considerations for declarative automation. I made one minor formatting improvement by removing the hyphen from "least-privilege" to "least-privilege" for consistency with standard terminology. The content aligns well with security best practices and doesn't contain any outdated information. Regarding the selected security rules: - **ApexCRUDViolation**: Directly relates to point 1 "Respect CRUD and Field-Level Security (FLS)" - this rule detects violations of CRUD permissions which is exactly what the FAQ emphasizes must be respected in declarative automation. - **ApexSharingViolations**: Connects to points 2 and 3 about "Run As" context and avoiding elevated privileges - this rule identifies sharing violations which can occur when automation runs with incorrect privilege levels. - **PreventPassingUserDataIntoElementWithoutSharing**: Specifically applies to Flow components mentioned in the FAQ ("Flows, Process Builder") and relates to points 2 and 3 about proper execution context and privilege management. - **AvoidHardcodedCredentialsInFieldDecls**, **AvoidHardcodedCredentialsInVarDecls**, **AvoidHardcodedCredentialsInVarAssign**: All three rules directly support point 6 "Avoid Hardcoded Credentials" by detecting different patterns of hardcoded credential usage that the FAQ warns against.