ServiceNow coding best practice rules
The below table shows the list of ServiceNow coding best practices that are checked by Quality Clouds.
The severity, area of impact and affected element for each best practice validation are also detailed.
The update set scan feature includes a sub-set of these checks.
Our new development report is out and features insights into how ServiceNow platforms evolved over the last year.
Description | Severity | Area of impact | Affected element | Included in Instance Scan | Included in Live Check Scan | Included in Update Set Scan |
|---|---|---|---|---|---|---|
Business Rules defined on the Global table | High | Scalability | Business Rule |
|
|
|
Unused Inactivity Monitors | High | Performance | Inactivity Monitors |
|
|
|
Potential Recursive Business Rules | High | Performance | Business Rule |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in Client Scripts | High | Performance | Client Script |
|
|
|
GlideRecord usage on Client Scripts | High | Performance | Client Script / Portal Widget |
|
|
|
Too many fields in a Form Section | Medium | Performance | Form Section |
|
|  |
Business Rules using GlideRecord and getRowCount | Medium | Scalability | Business Rule |
|
|
|
High Security Settings plugin disabled | High | Security | Plugin |
|
|
|
Client Scripts with the console.log debugging method | Medium | Performance | Client Script |
|
|
|
Client Scripts without function | Medium | Scalability | Client Script |
|
|
|
Document Object Model (DOM) manipulation in Client Scripts | High | Manageability | Client Scripts |
|
|
|
Document Object Model (DOM) manipulation in Client Scripts | High | Manageability | Portal Widget - Client Script |
|
|
|
Modules pointing to big tables without filter | Medium | Performance | Module |
|
|
|
Document Object Model (DOM) manipulation in Client UI Actions | High | Manageability | UI Action |
|
|
|
The default system User Preference "Rows per Page" set above 100 | Medium | Performance | User Preference |
|
|
|
JDBC Data Sources with "Use last run datetime" option unchecked | Warning | Performance | Data Source |
|
|
|
Transform Maps with "Run business rules" option enabled | Low | Performance | Transform Map |
|
|
|
Business Rules with debugging statements in production | Low | Scalability | Business Rule |
|
|
|
Business Rules using eval function | Low | Security | Business Rule |
|
|
|
The "Log/trace level of TaskSLAController" System Property not set to "notice" | Low | Performance | System Property |
|
|
|
UI Policy Actions without field effects | Low | Performance | UI Policy Action |
|
|
|
Client Scripts defined on the Global table | High | Scalability | Client Script |
|
|
|
Business Rules using the SOAP getResponse method | High | Performance | Business Rule |
|
|
|
Contextual Security Plugin disabled | High | Security | Plugin |
|
|
|
The "Update on Iterate" System Property enabled | Medium | Performance | System Property |
|
|
|
The "Go To search" System Property set to "contains" operator | Low | Performance | System Property |
|
|
|
Debugging properties enabled in production environments | Low | Performance | System Property |
|
|
|
The "Security Manager" System Property default behaviour set to "Allow Access" | High | Security | System Property |
|
|
|
Client Scripts with empty script field | Low | Performance | Client Script |
|
|
|
Document Object Model (DOM) manipulation in UI Policies | High | Manageability | UI Policy |
|
|
|
Server UI Actions using | Medium | Scalability | UI Action |
|
|
|
Script Includes using GlideRecord and getRowCount | Medium | Scalability | Script Include |
|
|
|
Client UI Actions using GlideRecord | High | Performance | UI Action |
|
|
|
UI Policies using GlideRecord | High | Performance | UI Policy |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in UI Policies | High | Performance | UI Policy |
|
|
|
| Synchronous AJAX call (getReference, getXMLWait) in Catalog UI Policies | High | Performance | Catalog UI Policy |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in Client UI Actions | High | Performance | UI Action |
|
|
|
Business Rules with hard-coded sys_ids | Medium | Manageability | Business Rule |
|
|
|
Users with too many rows per page | Medium | Performance | User Preference |
|
|
|
Client Scripts with hard-coded sys_ids | Medium | Manageability | Client Script |
|
|
|
Script Includes with hard-coded sys_ids | Medium | Manageability | Script Include |
|
|
|
UI Policies with hard-coded sys_ids | Medium | Manageability | UI Policy |
|
|
|
UI Actions with hard-coded sys_ids | Medium | Manageability | UI Action |
|
|
|
Transform Maps with hard-coded sys_ids | Medium | Manageability | Table Transform Map |
|
|
|
Transform Scripts with hard-coded sys_ids | Medium | Manageability | Transform Script |
|
|
|
The "Items per Page" System Property includes options over 100 | Medium | Performance | System Property |
|
|
|
The "Database Rotation" Plugin disabled | Medium | Manageability | Plugin |
|
|
|
ACL Rules using GlideRecord | Medium | Performance | Access Control |
|
|
|
The "Database Rotation with Default Tables" Plugin disabled | Medium | Manageability | Plugin |
|
|
|
SOAP Timeout Value over 500 minutes | High | Performance | System Property |
|
|
|
The "Auto-Complete Wait Time" System Property exceeds 750ms | Medium | Performance | System Property |
|
|
|
Forms with too many sections | Low | Performance | Forms |
|
|
|
The "Auto-complete Search" System Property set to "contains" operator | Low | Manageability | System Property |
|
|
|
Script Includes with debugging statements in production | Low | Scalability | Script Include |
|
|
|
UI Actions with debugging statements | Low | Scalability | UI Action |
|
|
|
Business Rules without function | High | Scalability | Business Rule |
|
|
|
Synchronous Business Rules making SOAP or REST calls | High | Performance | Business Rule |
|
|
|
Synchronous Business Rules making SOAP or REST calls | High | Performance | Portal Widget - Server Script |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in Catalog Client Scripts | High | Performance | Catalog Client Script |
|
|
|
GlideRecord usage on Catalog Client Scripts | High | Performance | Catalog Client Script |
|
|
|
Catalog Client Scripts with the console.log debugging method | Medium | Performance | Catalog Client Script |
|
|
|
Catalog Client Scripts without function | Medium | Scalability | Catalog Client Script |
|
|
|
Document Object Model (DOM) manipulation in Catalog Client Scripts | High | Manageability | Catalog Client Script |
|
|
|
Catalog Client Scripts with empty script field | Low | Performance | Catalog Client Script |
|
|
|
Catalog Client Scripts with hard-coded sys_ids | Medium | Manageability | Catalog Client Script |
|
|
|
Notification Email Scripts with hard-coded sys_ids | Medium | Manageability | Notification Email Scripts |
|
|
|
Portal Widgets with hard-coded sys_ids | Medium | Manageability | Portal Widget - Client and Server Scripts |
|
|
|
Angular Providers with hard-coded sys_ids | Medium | Manageability | Angular Providers |
|
|
|
Workflows with over 50 activities | Medium | Performance | Workflow |
|
|
|
Workflows with over 10 Timer activities | Medium | Performance | Workflow |
|
|
|
UI Scripts with hard-coded sys_ids | Medium | Manageability | UI Script |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in UI Scripts | High | Performance | UI Script |
|
|
|
GlideRecord usage on UI Scripts | High | Performance | UI Script |
|
|
|
Workflows with Notification Activities | Medium | Manageability | Workflow |
|
|
|
UI Scripts with the console.log debugging method | Medium | Performance | UI Script |
|
|
|
UI Scripts without function | Medium | Scalability | UI Script |
|
|
|
Document Object Model (DOM) manipulation in UI Scripts | High | Manageability | UI Script |
|
|
|
| onBefore Business Rules should not update records on other tables. | High | Performance | BusinessRule |
|
|
|
| onBefore Transform Scripts should only update the target table. | High | Performance | Transform Script |
|
|
|
UI Scripts with empty script field | Low | Performance | UI Script |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Script Include |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Business Rule |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Portal Widget - Server side script |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Access Control |
|
|
|
| Scripts should not use gs.sql | High | Manageability | UI Action |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Transform Map |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Transform Script |
|
|
|
| Scripts should not use gs.sql | High | Manageability | Record Producer |
|
|
|
Catalog UI Policy Actions without field effects | Low | Performance | Catalog Ui Policy Action |
|
|
|
Document Object Model (DOM) manipulation in Catalog UI Policies | High | Manageability | Catalog UI policy |
|
|
|
Catalog UI Policies using GlideRecord | High | Performance | Catalog UI policy |
|
|
|
Synchronous AJAX call (getReference, getXMLWait) in Catalog UI Policies | High | Performance | Catalog UI policy |
|
|
|
Catalog UI Policies with hard-coded sys_ids | Medium | Manageability | Catalog UI policy |
|
|
|
| Inbound Email Actions with hard-coded sys_ids. | Medium | Manageability | Inbound Email Action |
|
|
|
| Inbound Email Actions using GlideRecord and getRowCount. | Medium | Scalability | Inbound Email Action |
|
|
|
| Event Script Action with hard-coded sys_ids. | Medium | Manageability | Script Action |
|
|
|
| Event Script Action using GlideRecord and getRowCount. | Medium | Scalability | Script Action |
|
|
|
| SOAP Request Strict Security should be enabled | High | Security | System Property |
|
|
|
| Java Package Collection mode and Collection mode override properties should be disabled | High | Security | System Property |
|
|
|
| Client Generated Scripts Sandbox should be enabled | High | Security | System Property |
|
|
|
| Cookies – HTTP Only should be enabled | High | Security | System Property |
|
|
|
| Escape HTML should be enabled | High | Security | System Property |
|
|
|
| CSV Request Authorization should be enabled | High | Security | System Property |
|
|
|
| SSLv2/SSLv3 should be disabled | High | Security | System Property |
|
|
|
| AJAXGlideRecord ACL Checking should be enabled | High | Security | System Property |
|
|
|
| SLA logging level should be set to "notice" | High | Performance | System Property |
|
|
|
| Basic Auth SOAP Requests setting should be enabled | High | Security | System Property |
|
|
|
| Old UI enabled or being used | High | Security | System Property |
|
|
|
| Script Request Authorization should be enabled | High | Security | System Property |
|
|
|
| Escape Jelly should be enabled | High | Security | System Property |
|
|
|
| Allow Javascript tags in Embedded HTML property should be disabled | High | Security | System Property |
|
|
|
| Enable AJAXEvaluate should be disabled | High | Security | System Property |
|
|
|
| Anti-CSRF Token setting should be enabled | High | Security | System Property |
|
|
|
| Escape XML should be enabled | High | Security | System Property |
|
|
|
| HTML Sanitizer property should be enabled | High | Security | System Property |
|
|
|
| Check UI Action Conditions check before Execution should be enabled | High | Security | System Property |
|
|
|
Client Scripts should not use unsupported | High | Manageability | Client Scripts |
|
|
|
| Catalog Client Scripts should not use unsupported scripting APIs | High | Manageability | Catalog Client Scripts |
|
|
|
| Creating custom tables in the global scope should be avoided. | Warning | Manageability | Tables |
|
|
|
| GlideRecord API usage in Scripted REST API Resource. | High | Security | Scripted REST API Resource |
|
|
|
| REST API Resource modifying data without Authentication check. | High | Security | Scripted REST API Resource |
|
|
|
| REST API Resource modifying data without Authorization check. | High | Security | Scripted REST API Resource |
|
|
|
| Modified Out of the Box Element | Warning | Manageability | All elements |
|
|
|
