Open SteveL-MSFT opened 3 years ago
I honestly thought we already had an issue to track this since we've discussed it a few times in the past. But this would be nice to have. It probably would require some significant improvements in PSSA itself.
Is this still outstanding? I thought there were some linting rules that detect syntax that is not compatible with constrained language mode. I guess not.
We could make it a lot easier if we had a ScriptAnalyzer plugin which detected the things that the customer is not allowed in constrained language mode. Below are some examples from a customer.
]::
.
-Language CSharp
add-type
[DllImport
.
-file <script> <param>
I suggest someone starts writing a custom rule and makes the code public. This decouples the request from needing to be in PSSA itself; integration into it could be looked at at another point. Some of the above-mentioned cases are already covered by custom rules written by Lee Holmes and published here: https://www.powershellgallery.com/packages/InjectionHunter/1.0.0
I started with the module and I have detections for most of these issues, except the
Summary of the new feature
Windows admins using Code Integrity may want to know if their scripts require full language mode or will work with constrained language mode. It would be helpful to have a PSSA rule to let them know which parts of their scripts won't work under constrained language mode.
Additionally, scripts running in a Code Integrity environment have some additional checks which may make sense to have as rules as well.
https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode
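As an added illustration of the detection this issue asks for (not code from PSScriptAnalyzer, InjectionHunter, or anyone in this thread), the following sketch walks a script's AST and reports `Add-Type` calls and static `]::` method calls on types outside an allowed set. The function name `Find-ClmIncompatibleSyntax` and the short `$AllowedTypes` list are assumptions made for the example; the authoritative list of permitted types is in `about_Language_Modes`.

```powershell
using namespace System.Management.Automation.Language

# Assumption: illustrative subset of the core types ConstrainedLanguage mode permits.
# The authoritative list is in about_Language_Modes.
$AllowedTypes = [string], [int], [bool], [datetime], [guid], [hashtable], [regex], [timespan], [version]

function Find-ClmIncompatibleSyntax {   # hypothetical name, not a PSSA rule
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Walk every command and every method call, including nested script blocks.
    $nodes = $ast.FindAll({
        param($node)
        $node -is [CommandAst] -or $node -is [InvokeMemberExpressionAst]
    }, $true)

    foreach ($node in $nodes) {
        $reason = $null
        if ($node -is [CommandAst]) {
            # The -Language CSharp and [DllImport fragments are typically Add-Type usage.
            if ($node.GetCommandName() -eq 'Add-Type') {
                $reason = 'Add-Type cannot compile arbitrary source in constrained language mode'
            }
        }
        elseif ($node.Static -and $node.Expression -is [TypeExpressionAst]) {
            # The "]::" case: static method call on a type outside the allowed set.
            $type = $node.Expression.TypeName.GetReflectionType()
            if ($null -eq $type -or $type -notin $AllowedTypes) {
                $reason = "Static method call on [$($node.Expression.TypeName.FullName)]"
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Line   = $node.Extent.StartLineNumber
                Text   = $node.Extent.Text
                Reason = $reason
            }
        }
    }
}

# Constructed sample input; line 1 uses an allowed type and is not reported.
$sample = @'
$name = [string]::Join('-', 'a', 'b')
Add-Type -Language CSharp -TypeDefinition $source
[System.IO.File]::ReadAllText('C:\temp\in.txt')
'@
Find-ClmIncompatibleSyntax -ScriptText $sample | Format-Table -AutoSize
```

Instance method calls on variables are not covered, because the receiver's type is generally unknown until run time. The same AST walk could be wrapped in a PSScriptAnalyzer custom rule that emits diagnostic records instead of plain objects.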