Expand Minimize


Checks if PowerShell poses security issues.


Rule Description Type Severity
SPC029101: Do not use Invoke-Expression Invoke-Expression allows external text to be run as code. Evaluated code at runtime is a script injection vulnerability. Dynamic code can be executed using PowerShells & operator and splatting to apply the paramaters required. PoShFile CriticalWarning
SPC029102: Computer name switches on applicable CmdLets shouldn't be hardcoded Harcoding server names in scripts can expose critical information about the target system.. PoShFile CriticalWarning
SPC029103: Do not use convert to secure string Converting to secure string from plain text is insecure and exposes sensative data PoShFile CriticalError
SPC029104: Do not use direct hardcoded file paths Exposing directory structure in a script can possibly expose the layout of internal systems. This script may also not work on other machines PoShFile CriticalWarning
SPC029105: Do not use plain text for passwords Using plain text passwords directly compromises your system security PoShFile CriticalError
SPC029106: Use PSCredential type for credential parameters PowerShell security best practices state that the PSCredential type should be used to secure credentials correctly. Also the CredentialAttribute has to be applied after the PSCredential attribute to be correctly parsed and secure. PoShFile CriticalError
Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.