SAST for PowerShell
Proposal
Ultimate Customer requested support for PowerShell.
Sample Project: https://gitlab.com/gitlab-gold/tpoffenbarger/secure-defend/powershell
# The following uses PSScriptAnalyzer and evaluates
# the gci command and exports it to JSON. It could be
# easily ported into our own JSON format.
job:
image: mcr.microsoft.com/powershell:nanoserver
script:
- Save-Module -Name PSScriptAnalyzer -Path .;
- Import-Module .\PSScriptAnalyzer;
- Invoke-ScriptAnalyzer -ScriptDefinition 'gci' | convertto-json;
tags:
- shared-windowsOutput:
$ Invoke-ScriptAnalyzer -ScriptDefinition 'gci' | convertto-json;
{
"Message": "\u0027gci\u0027 is an alias of \u0027Get-ChildItem\u0027. Alias can introduce possible problems and make scripts hard to maintain. Please consider changing alias to its full content.",
"Extent": {
"File": null,
"StartScriptPosition": {
"File": null,
"LineNumber": 1,
"ColumnNumber": 1,
"Line": "gci",
"Offset": 0
},
"EndScriptPosition": {
"File": null,
"LineNumber": 1,
"ColumnNumber": 4,
"Line": "gci",
"Offset": 3
},
"StartLineNumber": 1,
"StartColumnNumber": 1,
"EndLineNumber": 1,
"EndColumnNumber": 4,
"Text": "gci",
"StartOffset": 0,
"EndOffset": 3
},
"RuleName": "PSAvoidUsingCmdletAliases",
"Severity": 1,
"ScriptName": "",
"ScriptPath": "",
"RuleSuppressionID": "gci",
"SuggestedCorrections": [
{
"File": null,
"Description": "Replace gci with Get-ChildItem",
"StartLineNumber": 1,
"StartColumnNumber": 1,
"EndLineNumber": 1,
"EndColumnNumber": 4,
"Text": "Get-ChildItem",
"Lines": "Get-ChildItem",
"Start": "Microsoft.Windows.PowerShell.ScriptAnalyzer.Position",
"End": "Microsoft.Windows.PowerShell.ScriptAnalyzer.Position"
}
],
"IsSuppressed": false,
"Line": 1,
"Column": 1
}Edited by Tim Poffenbarger