HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License
1.84k stars 143 forks

File 'Harden-Windows-Security.ps1' uses ConvertTo-SecureString with plaintext. This will expose secure information. Encrypted standard strings should be used instead. #366

Closed agpt8 closed 1 month ago

agpt8 commented 1 month ago

https://github.com/HotCakeX/Harden-Windows-Security/blob/5995e96b0cde9f4244b3039d2108630aa3290545/Harden-Windows-Security.ps1#L200C56-L200C56

On my fork of this project, I got this security notification: https://github.com/agpt8/Harden-Windows-Security/security/code-scanning/1

If the link is not accessible, here is the screenshot of the alert:

[screenshot of the code-scanning alert]

Unrelated, but your VirusTotal API key was also flagged! Unless of course you have already rotated it. [screenshot]

HotCakeX commented 1 month ago

Hi, yeah, as you can see the password is 123, which isn't secret and isn't supposed to protect anything. SignTool.exe doesn't accept secure strings, so I can't use anything other than plain text. Think of that password as a placeholder only. But I'm gonna do something about it so these errors won't be triggered anymore.

About the API key: yes, it's from a deleted VirusTotal account I was using during tests to set up the GitHub workflow; the API key currently in use is different and secret.

Thanks for letting me know about them though.
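As an added example (mine, not the repository's code and not the fix HotCakeX applied), the script below shows one way to live with the constraint discussed in this thread: Export-PfxCertificate needs a SecureString, while SignTool.exe only takes the PFX password as plain text via /p. Instead of a literal value handed to ConvertTo-SecureString -AsPlainText (the pattern the code-scanning rule matches), the password is generated at runtime, used once for the export and the signing call, and then discarded. The certificate subject, file paths and the two helper function names are assumptions made for this example.

```powershell
# Added example, not from the Harden-Windows-Security repository.
# The flagged pattern is a literal password in source, of the form
#   $pw = ConvertTo-SecureString '123' -AsPlainText -Force
# Even when the value protects nothing, a literal secret teaches scanners
# and reviewers to ignore findings, so real ones get lost in the noise.
# Placeholders for this example: $subject, $pfxPath, $target.

function New-EphemeralPassword {
    param([int]$ByteLength = 32)
    # Cryptographically random bytes, Base64-encoded so the value is printable
    # and safe on a command line. RandomNumberGenerator.Create() also works on
    # Windows PowerShell 5.1, not only PowerShell 7.
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function ConvertTo-SecureStringFromRuntimeValue {
    param([Parameter(Mandatory)][string]$Value)
    # Build the SecureString character by character instead of calling
    # ConvertTo-SecureString -AsPlainText, which is what the analyzer rule keys on.
    $secure = New-Object System.Security.SecureString
    foreach ($ch in $Value.ToCharArray()) { $secure.AppendChar($ch) }
    $secure.MakeReadOnly()
    return $secure
}

$subject = 'CN=Example Code Signing'        # placeholder subject
$pfxPath = Join-Path $env:TEMP 'example-signing.pfx'
$target  = 'C:\path\to\script.ps1'          # placeholder file to sign

# Throwaway self-signed code-signing certificate for this example.
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsage DigitalSignature `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

$plainPassword  = New-EphemeralPassword
$securePassword = ConvertTo-SecureStringFromRuntimeValue -Value $plainPassword

try {
    # Export-PfxCertificate requires a SecureString...
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $securePassword | Out-Null

    # ...while SignTool.exe only accepts the password as plain text via /p.
    & signtool.exe sign /f $pfxPath /p $plainPassword /fd SHA256 $target
}
finally {
    # Remove the PFX, the store entry and the password once signing is done,
    # so nothing reusable is left on disk or in the session.
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
    Remove-Item -Path $cert.PSPath -DeleteKey -ErrorAction SilentlyContinue
    $securePassword.Dispose()
    $plainPassword = $null
}
```

The plain-text string still exists in memory for the duration of the SignTool call; that is inherent to SignTool's /p interface and is the trade-off HotCakeX describes. What changes is that no secret (real or placeholder) is checked into source, the value is unique per run, and the PFX it protects is deleted immediately afterwards.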