From 5fef2ee8064c1dc0c42f5cfb2e04f28fe97c2f4c Mon Sep 17 00:00:00 2001 From: Xelu86 Date: Mon, 1 Jun 2026 14:30:10 -0400 Subject: [PATCH 1/2] Freshness --- .../Rules/AvoidUsingCmdletAliases.md | 38 ++++++++----------- .../Rules/AvoidUsingComputerNameHardcoded.md | 24 ++++++------ ...UsingConvertToSecureStringWithPlainText.md | 25 ++++++------ .../AvoidUsingDeprecatedManifestFields.md | 18 ++++----- ...AvoidUsingDoubleQuotesForConstantString.md | 18 ++++----- 5 files changed, 59 insertions(+), 64 deletions(-) diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingCmdletAliases.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingCmdletAliases.md index 9a33149..d2d33ec 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingCmdletAliases.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingCmdletAliases.md @@ -1,6 +1,6 @@ --- description: Avoid Using Cmdlet Aliases or omitting the 'Get-' prefix. -ms.date: 06/28/2023 +ms.date: 06/01/2026 ms.topic: reference title: AvoidUsingCmdletAliases --- @@ -10,35 +10,29 @@ title: AvoidUsingCmdletAliases ## Description -An alias is an alternate name or nickname for a cmdlet or for a command element, such as a function, -script, file, or executable file. You can use the alias instead of the command name in any -PowerShell commands. +An alias is an alternate name or nickname for a cmdlet or command element, such as a function, +script, file, or executable file. While you can use aliases instead of the full command name, +doing so reduces code readability and maintainability. -There are also implicit aliases. When PowerShell cannot find the cmdlet name, it will try to append -`Get-` to the command as a last resort. Therefore using the command `verb` will execute `Get-Verb`. +PowerShell also supports implicit aliases. When a cmdlet name isn't found, PowerShell appends +`Get-` to the command as a fallback. For example, typing `verb` executes `Get-Verb`. -Every PowerShell author learns the actual command names, but different authors learn and use -different aliases. Aliases can make code difficult to read, understand and impact availability. +Aliases create inconsistency across codebases because different authors learn and use different +aliases. Aliases can potentially make code difficult to read and understand in collaborative +environments. It can also cause issues with script portability and availability. -Using the full command name makes it easier to maintain your scripts in the the future. +Using full cmdlet names improves code clarity, makes scripts easier to maintain, and enables proper +syntax highlighting in code editors and platforms like GitHub and Visual Studio Code. Always use the +full cmdlet name instead of aliases. -Using the full command names also allows for syntax highlighting in sites and applications like -GitHub and Visual Studio Code. +## Configure rule -## How to Fix - -Use the full cmdlet name and not an alias. - -## Alias Allowlist - -To prevent `PSScriptAnalyzer` from flagging your preferred aliases, create an allowlist of the +To prevent `PSScriptAnalyzer` from flagging your preferred aliases, create an allow list of the aliases in your settings file and point `PSScriptAnalyzer` to use the settings file. For example, to disable `PSScriptAnalyzer` from flagging `cd`, which is an alias of `Set-Location`, set the settings file content to the following. ```powershell -# PSScriptAnalyzerSettings.psd1 - @{ 'Rules' = @{ 'PSAvoidUsingCmdletAliases' = @{ @@ -50,13 +44,13 @@ file content to the following. ## Example -### Wrong +### Noncompliant ```powershell gps | Where-Object {$_.WorkingSet -gt 20000000} ``` -### Correct +### Compliant ```powershell Get-Process | Where-Object {$_.WorkingSet -gt 20000000} diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingComputerNameHardcoded.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingComputerNameHardcoded.md index 83a60c9..bc45b54 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingComputerNameHardcoded.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingComputerNameHardcoded.md @@ -1,6 +1,6 @@ --- description: Avoid Using ComputerName Hardcoded -ms.date: 06/28/2023 +ms.date: 06/01/2026 ms.topic: reference title: AvoidUsingComputerNameHardcoded --- @@ -10,25 +10,23 @@ title: AvoidUsingComputerNameHardcoded ## Description -The names of computers should never be hard coded as this will expose sensitive information. The -`ComputerName` parameter should never have a hard coded value. - -## How - -Remove hard coded computer names. +Hard-coded computer names can expose sensitive information and reduce script portability. The +`ComputerName` parameter should always be parameterized or dynamically assigned to ensure scripts +are flexible and secure. Use parameters, environment variables, or dynamic values instead of +hard-coded computer names. ## Example 1 -### Wrong +### Noncompliant ```powershell Function Invoke-MyRemoteCommand () { - Invoke-Command -Port 343 -ComputerName hardcoderemotehostname + Invoke-Command -Port 343 -ComputerName HardcodedRemoteHostname } ``` -### Correct +### Compliant ```powershell Function Invoke-MyCommand ($ComputerName) @@ -39,16 +37,16 @@ Function Invoke-MyCommand ($ComputerName) ## Example 2 -### Wrong +### Noncompliant ```powershell Function Invoke-MyLocalCommand () { - Invoke-Command -Port 343 -ComputerName hardcodelocalhostname + Invoke-Command -Port 343 -ComputerName HardcodedLocalHostname } ``` -### Correct +### Compliant ```powershell Function Invoke-MyLocalCommand () diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md index d25fce1..d7ab6af 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md @@ -1,6 +1,6 @@ --- description: Avoid Using SecureString With Plain Text -ms.date: 01/28/2025 +ms.date: 06/01/2026 ms.topic: reference title: AvoidUsingConvertToSecureStringWithPlainText --- @@ -10,31 +10,34 @@ title: AvoidUsingConvertToSecureStringWithPlainText ## Description -The use of the `AsPlainText` parameter with the `ConvertTo-SecureString` command can expose secure -information. +The use of the `AsPlainText` parameter with the `ConvertTo-SecureString` command bypasses encryption +and exposes sensitive information in memory as plain text, defeating the purpose of +[SecureString][01]. -## How - -Use a standard encrypted variable to perform any SecureString conversions. +Instead, retrieve secure credentials through encrypted channels or use secure input methods like +`Read-Host -AsSecureString` to ensure sensitive data remains encrypted throughout its lifecycle. ## Recommendations -If you do need an ability to retrieve the password from somewhere without prompting the user, -consider using the +If you need to retrieve passwords programmatically without user interaction, consider using the [SecretStore](https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretStore) -module from the PowerShell Gallery. +module from the PowerShell Gallery, which provides encrypted credential storage and retrieval. ## Example -### Wrong +### Noncompliant ```powershell $UserInput = Read-Host 'Please enter your secure code' $EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force ``` -### Correct +### Compliant ```powershell $SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString ``` + + + +[01]: /dotnet/api/system.security.securestring?view=net-10.0 diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDeprecatedManifestFields.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDeprecatedManifestFields.md index 802304d..51c22b9 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDeprecatedManifestFields.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDeprecatedManifestFields.md @@ -1,6 +1,6 @@ --- description: Avoid Using Deprecated Manifest Fields -ms.date: 06/28/2023 +ms.date: 06/01/2026 ms.topic: reference title: AvoidUsingDeprecatedManifestFields --- @@ -10,17 +10,17 @@ title: AvoidUsingDeprecatedManifestFields ## Description -In PowerShell 5.0, a number of fields in module manifest files (`.psd1`) have been changed. +PowerShell 5.0 deprecated several fields in module manifest files (`.psd1`) in favor of new +alternatives. This rule detects the usage of deprecated manifest fields that should be replaced with +their modern equivalents. -The field `ModuleToProcess` has been replaced with the `RootModule` field. - -## How - -Replace `ModuleToProcess` with `RootModule` in the module manifest. +The `ModuleToProcess` field, which was used to specify the module script file to load, has been +replaced with the `RootModule` field. The `RootModule` field provides the same functionality and is +the recommended approach for new modules. ## Example -### Wrong +### Noncompliant ```powershell ModuleToProcess ='psscriptanalyzer' @@ -28,7 +28,7 @@ ModuleToProcess ='psscriptanalyzer' ModuleVersion = '1.0' ``` -### Correct +### Compliant ```powershell RootModule ='psscriptanalyzer' diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDoubleQuotesForConstantString.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDoubleQuotesForConstantString.md index 19c83fa..0407ded 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDoubleQuotesForConstantString.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingDoubleQuotesForConstantString.md @@ -1,6 +1,6 @@ --- description: Avoid using double quotes if the string is constant. -ms.date: 06/28/2023 +ms.date: 06/01/2026 ms.topic: reference title: AvoidUsingDoubleQuotesForConstantString --- @@ -12,24 +12,24 @@ title: AvoidUsingDoubleQuotesForConstantString Single quotes should be used when the value of a string is constant. A constant string doesn't contain variables or expressions intended to insert values into the string, such as -`"$PID-$(hostname)"`). +`"$PID-$(hostname)"`. -This makes the intent clearer that the string is a constant and makes it easier to use some special -characters such as `$` within that string expression without needing to escape them. +Using single quotes makes the intent clearer that the string is constant and allows you to use +special characters such as `$` without needing to escape them. -There are exceptions to that when double quoted strings are more readable. For example, when the -string value itself must contain a single quote or other special characters, such as newline -(`` "`n" ``), are already being escaped. The rule does not warn in these cases. +However, there are exceptions. Double-quoted strings are preferred when the string contains single +quotes, embedded escape sequences like newline (``"`n"``), or other special characters that require +escaping. The rule doesn't warn in these cases. ## Example -### Wrong +### Noncompliant ```powershell $constantValue = "I Love PowerShell" ``` -### Correct +### Compliant ```powershell $constantValue = 'I Love PowerShell' From 484e2b32d75cc504c028e31eaa36ef8abdccd857 Mon Sep 17 00:00:00 2001 From: Xelu86 Date: Mon, 1 Jun 2026 14:41:14 -0400 Subject: [PATCH 2/2] Fix validation --- .../Rules/AvoidUsingConvertToSecureStringWithPlainText.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md index d7ab6af..844170b 100644 --- a/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md +++ b/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md @@ -40,4 +40,4 @@ $SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString -[01]: /dotnet/api/system.security.securestring?view=net-10.0 +[01]: /dotnet/api/system.security.securestring