Security
Checks if PowerShell poses security issues.
Index
Rule | Description | Type | Severity |
---|---|---|---|
SPC029101: Do not use Invoke-Expression | Invoke-Expression allows external text to be run as code. Code evaluated at runtime is a script injection vulnerability. Dynamic code can be executed using PowerShell's & operator and splatting to apply the parameters required. | PoShFile | CriticalWarning |
SPC029102: Computer name switches on applicable CmdLets shouldn't be hardcoded | Hardcoding server names in scripts can expose critical information about the target system. | PoShFile | CriticalWarning |
SPC029103: Do not use convert to secure string | Converting to secure string from plain text is insecure and exposes sensitive data. | PoShFile | CriticalError |
SPC029104: Do not use direct hardcoded file paths | Exposing directory structure in a script can expose the layout of internal systems. The script may also not work on other machines. | PoShFile | CriticalWarning |
SPC029105: Do not use plain text for passwords | Using plain text passwords directly compromises your system security. | PoShFile | CriticalError |
SPC029106: Use PSCredential type for credential parameters | PowerShell security best practices state that the PSCredential type should be used to secure credentials correctly. Also, the CredentialAttribute has to be applied after the PSCredential attribute to be correctly parsed and secure. | PoShFile | CriticalError |
Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.