
I am currently developing a PowerShell script with 10k lines of code connecting to a SQL DB. While it is considered best practice to use plug-ins in the IDE, for example for Java or C#, to scan the code (ReSharper, Fortify or the SonarQube plugin) and to perform a SAST analysis during the build process, I cannot find any tool suited for PowerShell code except PSScriptAnalyzer, which is good for bad smells but is not so much considered a SAST tool.

Is such a tool currently simply not available for PowerShell or do you know any useful tools?

KR Chris

  • "but not so much considered a SAST tool." - by whom? PSSA is meant to analyze and optimize for correctness - which is exactly the first property you'd want from a SAST tool :) Commented Aug 20, 2021 at 13:59
  • Yeah, it's for sure a static code scanner, but to my knowledge it does not really scan for security issues / OWASP like Fortify would do. A few rules related to security are there, for example if you name a string $Credential it would be recognized, but the rules are on a rather basic level... Commented Aug 20, 2021 at 14:38

1 Answer


NIST keeps a regularly updated list of SAST tool examples (not recommendations) here. As of August 20, 2021, the only tool that lists PowerShell as a supported language is Atlassian's Static Reviewer:

Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries

Personally, I just use the PSScriptAnalyzer module with Microsoft's InjectionHunter ruleset. These days, you can add them to the VS Code PowerShell extension's analysis rules.
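What the answer describes, as an added example that is not code from the original post or from either project: a build step that runs PSScriptAnalyzer's default rules together with InjectionHunter's rules over a script and fails on any finding. InjectionHunter targets PowerShell code-injection sinks (Invoke-Expression, script block creation and the like); neither it nor the default rule set has a rule for SQL text built from strings, so the block also shows how to add a small custom rule of your own for that. It assumes both modules are installed from the PowerShell Gallery (`Install-Module PSScriptAnalyzer, InjectionHunter`); the sample script, the `Measure-SqlTextFromVariable` rule and the file names are constructed for the demo.

```powershell
# Added example (not from the original post). Assumes PSScriptAnalyzer and InjectionHunter
# are installed from the PowerShell Gallery:
#   Install-Module PSScriptAnalyzer, InjectionHunter -Scope CurrentUser
# The sample script, the custom rule module and the paths below are constructed for this demo.
#Requires -Modules PSScriptAnalyzer, InjectionHunter

$work = Join-Path ([System.IO.Path]::GetTempPath()) 'ps-sast-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. A constructed script containing the patterns a SAST pass should catch, next to the fixed form.
@'
param([string]$UserName)
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=db;Database=app;Integrated Security=true'

# BAD: caller input interpolated into the SQL text (SQL injection)
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT * FROM Users WHERE Name = '$UserName'"

# BAD: caller input interpolated into code that is then evaluated (PowerShell injection)
Invoke-Expression "Get-ChildItem $UserName"

# GOOD: the value travels as a parameter and never becomes part of the SQL text
$safe = $conn.CreateCommand()
$safe.CommandText = 'SELECT * FROM Users WHERE Name = @name'
$null = $safe.Parameters.AddWithValue('@name', $UserName)
'@ | Set-Content -Path (Join-Path $work 'sample.ps1') -Encoding UTF8

# 2. A custom PSScriptAnalyzer rule (hypothetical, written for this example). Custom rules are
#    functions in a module that receive a ScriptBlockAst and emit DiagnosticRecord objects.
#    This one flags any assignment to a .CommandText property whose right-hand side references
#    a variable (string interpolation or concatenation). A constant passed through a variable
#    would be a false positive; tighten the predicate if that matters for your code base.
@'
function Measure-SqlTextFromVariable {
    [CmdletBinding()]
    [OutputType([Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord[]])]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.Language.ScriptBlockAst]$ScriptBlockAst
    )
    $hits = $ScriptBlockAst.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.AssignmentStatementAst] -and
        $node.Left.Extent.Text -match '\.CommandText$' -and
        $node.Right.FindAll({ param($n) $n -is [System.Management.Automation.Language.VariableExpressionAst] }, $true).Count -gt 0
    }, $true)
    foreach ($hit in $hits) {
        New-Object -TypeName Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord `
            -ArgumentList 'SQL command text is built from a variable; pass values as SqlParameters instead.',
                          $hit.Extent, $PSCmdlet.MyInvocation.InvocationName, 'Warning', $null
    }
}
Export-ModuleMember -Function Measure-*
'@ | Set-Content -Path (Join-Path $work 'SqlRules.psm1') -Encoding UTF8

# 3. Run the default rules, InjectionHunter's rules and the custom rule in one pass.
#    -CustomRulePath takes module paths; InjectionHunter's manifest path comes from Get-Module.
$injectionHunter = (Get-Module -ListAvailable InjectionHunter | Select-Object -First 1).Path
$findings = Invoke-ScriptAnalyzer -Path (Join-Path $work 'sample.ps1') `
    -CustomRulePath $injectionHunter, (Join-Path $work 'SqlRules.psm1') `
    -IncludeDefaultRules -Severity Warning, Error

$findings | Sort-Object Line | Format-Table Line, RuleName, Severity, Message -AutoSize

# 4. Gate the build: any Warning or Error finding fails the step.
if ($findings.Count -gt 0) {
    Write-Error "Static analysis found $($findings.Count) issue(s) in sample.ps1"
    exit 1
}
```

For the editor side of the same setup, the VS Code PowerShell extension reads a PSScriptAnalyzer settings file (`powershell.scriptAnalysis.settingsPath`, a `.psd1` hashtable); setting `CustomRulePath` there to the InjectionHunter manifest and your own rule module, with `IncludeDefaultRules = $true`, surfaces the same findings as you type that the build step above rejects.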
