Conversation
CREDERA
IN
Last activity: 11 Aug 2025 12:14 EDT
Security Best Practices for Pega Custom Components and Deployment
1) What are the recommended security measures and best practices from Pega for developing custom DX components? 2) Does Pega provide automated security scanning or code validation for custom component vulnerabilities during the deployment (publish) process? 3) Are there any built-in tools or checks in the Pega deployment pipeline that help enforce secure coding standards? 4) Can we have any custom checklist before deployment ? 5) Does Pega recommend or restrict the use of any third-party libraries (e.g., react-icons, @mui/material, e.t.c) from a security standpoint? ( We are using npm audit. Do you recommend any others ?)
Pegasystems Inc.
GB
@Akhilesh.Madala creating a DX component is no different to introducing custom code into UI Kit applications. Things like custom controls, rule-file-text with javascript or CSS, non-auto section, HTML rules.
Anything custom that you introduce should analyzed for accessibility, security and performance. We cover this in the Design requirements for Constellation DX Components section of the relevant Pega Documentation. There's nothing specific for DX components, per se.
It is an interesting question on the hooks for deployment and publishing, to ensure coding standards. Will investigate and come back on those
Pegasystems Inc.
CH
@Akhilesh.Madala Assume question 2 is targeting publishing of DX component process and not application deployment using PDM? I am not aware of any OOTB vulnerability checks as part of publish component process, where you could adopt any best of breed industry standard tool, following SDLC policies and standards of your organization for implementation of non-Pega components.
If you are addressing application deployment using Pega Deployment Manager, I would recommend implementation of security checklist, execution of rule security analyzer (can be automated through the pipeline for customers using Pega Deployment Manager aaS, otherwise manual runs before deployments), validation of development standards, enriched with custom guardrails if required.
We don't have any task supporting custom checklists, which would be a great product enhancement for the future having a task like security checklist, accepting guideline to validate as parameter. As a workaround, custom checklist could be completed as part of the peer review and before the branch merge or application deployment, ideally embraced as part of your DoD.