
I am currently developing a PowerShell script with 10k lines of code connecting to a SQL DB. While it is considered a best practice to use plug-ins in the IDE, for example for Java or C#, to scan the code (ReSharper, Fortify or the SonarQube plugin) and to perform a SAST analysis during the build process, I cannot find any tool suited for PowerShell code except PSScriptAnalyzer, which is good for bad smells but is not so much considered a SAST tool.

Is such a tool currently simply not available for PowerShell or do you know any useful tools?

KR Chris

Chris
    "but not so much considered a SAST tool." - by whom? PSSA is meant to analyze and optimize for correctness - which is exactly the first property you'd want from a SAST tool :) – Mathias R. Jessen Aug 20 '21 at 13:59
  • Yeah, it's for sure a static code scanner, but to my knowledge it does not really scan for security issues / OWASP like Fortify would do. A few rules related to security are there, like if you name a string $Credential it would be recognized, but the rules are rather on a basic level... – Chris Aug 20 '21 at 14:38

1 Answer


NIST keeps a regularly updated list of SAST tool examples (not recommendations) here. As of August 20, 2021, the only tool that lists PowerShell as a supported language is Atlassian's Static Reviewer:

Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries

Personally, I just use the PSScriptAnalyzer module with Microsoft's InjectionHunter ruleset. These days, you can add them to the VS Code PowerShell extension's analysis rules.

Cpt.Whale
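The answer above names the combination but does not show it wired up. The following is an added example, not code from the question or the answer: it writes a constructed sample script containing an `Invoke-Expression` call fed by caller input next to a hardened version, runs PSScriptAnalyzer over it with the InjectionHunter rules loaded as custom rules alongside the default rules, and exits non-zero when anything is reported, which is the shape a SAST gate in a build step takes. It assumes both modules are installed from the PowerShell Gallery; the sample functions and the temp file name are illustrative only.

```powershell
#Requires -Modules PSScriptAnalyzer, InjectionHunter
# Added example (not from the original post). Assumes:
#   Install-Module PSScriptAnalyzer, InjectionHunter -Scope CurrentUser

$ErrorActionPreference = 'Stop'

# Constructed sample under test. Get-LogsUnsafe builds a command line from
# caller input and evaluates it; Get-LogsSafe binds the same value as a
# parameter so it is never parsed as code.
$sample = @'
function Get-LogsUnsafe {
    param([string]$Path)
    # "$Path" may carry "; Remove-Item ..." and it would execute.
    Invoke-Expression "Get-ChildItem $Path"
}

function Get-LogsSafe {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path
}
'@

$target = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-under-test.ps1'
Set-Content -Path $target -Value $sample -Encoding UTF8

# InjectionHunter is a module whose exported Measure-* functions are PSSA
# custom rules; PSSA loads them from the module path.
$injectionRules = (Get-Module -ListAvailable InjectionHunter |
    Select-Object -First 1).Path

# -IncludeDefaultRules keeps the built-in rule set (e.g. PSAvoidUsingInvokeExpression)
# running in addition to the custom rules.
$findings = Invoke-ScriptAnalyzer -Path $target `
    -CustomRulePath $injectionRules `
    -IncludeDefaultRules `
    -Severity Warning, Error

$findings | Format-Table RuleName, Severity, Line, Message -AutoSize

Remove-Item -LiteralPath $target

# A non-zero exit code is what a CI step keys on to fail the build.
if (@($findings).Count -gt 0) {
    Write-Host "Script analysis reported $(@($findings).Count) finding(s); failing the gate."
    exit 1
}
Write-Host 'No findings.'
```

Only `Get-LogsUnsafe` should be flagged: the hardened function never hands caller text to the parser. To get the same rules in the editor, point the PowerShell extension's `powershell.scriptAnalysis.settingsPath` setting at a `PSScriptAnalyzerSettings.psd1` that sets `CustomRulePath` to the InjectionHunter module path and `IncludeDefaultRules = $true`, so the IDE and the build gate run one rule set. Note that neither rule set looks at how SQL text is assembled; for the database side of the script in the question, parameterised queries remain the control to review by hand.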