Add new AvoidSecretDisclosure rule#2183
Open
iRon7 wants to merge 3 commits intoPowerShell:mainfrom
Open
Conversation
iRon7
requested review from
a team,
bergmeister,
michaeltlombardi and
sdwheeler
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new built-in PSScriptAnalyzer rule (PSAvoidSecretDisclosure) to flag common patterns that convert secrets (e.g., SecureString) into plaintext, with accompanying tests, localized strings, and documentation.
Changes:
- Introduces
AvoidSecretDisclosurerule implementation to detectConvertFrom-SecureString -AsPlainText,SecureStringTo*calls, and.Passwordmember access. - Adds Pester tests covering violations, compliant examples, and suppression scenarios.
- Updates rule documentation and the rules index, and adds localized strings for name/common name/description/error.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Tests/Rules/AvoidSecretDisclosure.tests.ps1 | Adds Pester coverage for the new rule (violations/compliance/suppression). |
| Rules/Strings.resx | Adds localized strings for the new rule’s name/common name/description/message. |
| Rules/AvoidSecretDisclosure.cs | Implements the new analyzer rule logic and diagnostic creation. |
| docs/Rules/README.md | Registers the rule in the published rules list/table. |
| docs/Rules/AvoidSecretDisclosure.md | Adds the rule’s public documentation page and examples. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
6 tasks
sdwheeler
requested changes
May 6, 2026
Collaborator
sdwheeler
left a comment
sdwheeler
left a comment
There was a problem hiding this comment.
Added suggestions for style and one question about the parameter.
Comment on lines
+13
to
+15
| Disclosing a secret might result in security vulnerabilities such as memory trails or logging trails that could | ||
| be exploited by attackers. This rule identifies instances where a secret is being converted to plain text, | ||
| which can lead to unintended exposure of sensitive information. |
Collaborator
There was a problem hiding this comment.
Wrap lines at 100 characters
Suggested change
| Disclosing a secret might result in security vulnerabilities such as memory trails or logging trails that could | |
| be exploited by attackers. This rule identifies instances where a secret is being converted to plain text, | |
| which can lead to unintended exposure of sensitive information. | |
| Disclosing a secret might result in security vulnerabilities such as memory trails or logging trails | |
| that could be exploited by attackers. This rule identifies instances where a secret is being | |
| converted to plain text, which can lead to unintended exposure of sensitive information. |
Comment on lines
+17
to
+20
| > [!IMPORTANT] | ||
| > | ||
| > The general approach of dealing with credentials is to avoid them and instead rely on other means | ||
| > to authenticate, such as certificates or Windows authentication. |
Collaborator
There was a problem hiding this comment.
No blank line after the header of the alert block.
Suggested change
| > [!IMPORTANT] | |
| > | |
| > The general approach of dealing with credentials is to avoid them and instead rely on other means | |
| > to authenticate, such as certificates or Windows authentication. | |
| > [!IMPORTANT] | |
| > The general approach of dealing with credentials is to avoid them and instead rely on other means | |
| > to authenticate, such as certificates or Windows authentication. |
Comment on lines
+24
to
+29
| In general, avoid any code pattern that involves converting secrets to plaintext or accessing plaintext secrets. | ||
|
|
||
| * For `ConvertFrom-SecureString -AsPlainText`: Use `-Credential` parameter instead | ||
| * For `SecureStringTo*` methods: Avoid converting to plaintext | ||
| * For `Password` properties: Use secure credential objects directly or the SecureString equivalent | ||
| `SecurePassword` instead of accessing plaintext passwords. |
Collaborator
There was a problem hiding this comment.
Wrap at 100. Unordered list items start with dash not asterisk.
Suggested change
| In general, avoid any code pattern that involves converting secrets to plaintext or accessing plaintext secrets. | |
| * For `ConvertFrom-SecureString -AsPlainText`: Use `-Credential` parameter instead | |
| * For `SecureStringTo*` methods: Avoid converting to plaintext | |
| * For `Password` properties: Use secure credential objects directly or the SecureString equivalent | |
| `SecurePassword` instead of accessing plaintext passwords. | |
| In general, avoid any code pattern that involves converting secrets to plaintext or accessing | |
| plaintext secrets. | |
| - For `ConvertFrom-SecureString -AsPlainText`: Use `-Credential` parameter instead | |
| - For `SecureStringTo*` methods: Avoid converting to plaintext | |
| - For `Password` properties: Use secure credential objects directly or the SecureString equivalent | |
| `SecurePassword` instead of accessing plaintext passwords. |
Comment on lines
+31
to
+35
| > [!NOTE] | ||
| > | ||
| > For custom properties named "Password", it is recommended to rename them to something that does not imply they | ||
| > contain secrets, or to ensure that they do not actually contain secrets. If renaming is not possible, consider | ||
| > suppressing the warning for those specific cases. |
Collaborator
There was a problem hiding this comment.
Suggested change
| > [!NOTE] | |
| > | |
| > For custom properties named "Password", it is recommended to rename them to something that does not imply they | |
| > contain secrets, or to ensure that they do not actually contain secrets. If renaming is not possible, consider | |
| > suppressing the warning for those specific cases. | |
| > [!NOTE] | |
| > For custom properties named "Password", it is recommended to rename them to something that does | |
| > not imply they contain secrets, or to ensure that they do not actually contain secrets. If | |
| > renaming is not possible, consider suppressing the warning for those specific cases. |
Comment on lines
+37
to
+41
| ## Configuration | ||
|
|
||
| ### Parameters | ||
|
|
||
| * `Enable` - Enables or disables the rule. Default value is `True`. |
Collaborator
There was a problem hiding this comment.
Remove leading space and fix list item.
Suggested change
| ## Configuration | |
| ### Parameters | |
| * `Enable` - Enables or disables the rule. Default value is `True`. | |
| ## Configuration | |
| ### Parameters | |
| - `Enable` - Enables or disables the rule. Default value is `$true`. |
Also, where do you set this parameter? Show the syntax of the setting.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Summary
Rule request: #1997
Description
Disclosing a secret might result in security vulnerabilities such as memory trails or logging trails that could
be exploited by attackers. This rule identifies instances where a secret is being converted to plain text,
which can lead to unintended exposure of sensitive information.
Important
The general approach of dealing with credentials is to avoid them and instead rely on other means
to authenticate, such as certificates or Windows authentication.
How to Fix
In general, avoid any code pattern that involves converting secrets to plaintext or accessing plaintext secrets.
ConvertFrom-SecureString -AsPlainText: Use-Credentialparameter insteadSecureStringTo*methods: Avoid converting to plaintextPasswordproperties: Use secure credential objects directly or the SecureString equivalentSecurePasswordinstead of accessing plaintext passwords.Note
For custom properties named "Password", it is recommended to rename them to something that does not imply they
contain secrets, or to ensure that they do not actually contain secrets. If renaming is not possible, consider
suppressing the warning for those specific cases.
PR Checklist
.cs,.ps1and.psm1files have the correct copyright headerWIP:to the beginning of the title and remove the prefix when the PR is ready.