Tags: powershell, security, sonarqube, fortify, sast

PowerShell SAST / OWASP 10


I am currently developing a PowerShell script with 10k lines of code connecting to a SQL DB. While it is considered a best practice to use plug-ins in the IDE (for example ReSharper, Fortify or the SonarQube plugin for Java or C#) to scan the code, and to perform a SAST analysis during the build process, I cannot find any tool suited for PowerShell code except PSScriptAnalyzer, which is good for bad smells but is not really considered a SAST tool.

Is such a tool currently simply not available for PowerShell or do you know any useful tools?

KR Chris


Solution

  • NIST keeps a regularly updated list of SAST tool examples (not recommendations) here. As of August 20, 2021, the only tool that lists PowerShell as a supported language is Atlassian's Static Reviewer:

    Provides security checks in compliance with OWASP, CWE, CVE, CVSS, MISRA, CERT. Available as a module for Software Composition Analysis (SCA) to find vulnerabilities in open source and third party libraries

    Personally, I just use the PSScriptAnalyzer module with Microsoft's InjectionHunter ruleset. These days, you can add them to VSCode's PowerShell plugin rules.
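Turning the PSScriptAnalyzer + InjectionHunter approach from this answer into a build gate, as an added example that is not code from the answer or from either project. It assumes both modules are installed from the PowerShell Gallery; the sample script, temp directory and settings file are constructed for the demo.

```powershell
# Added example: run PSScriptAnalyzer with the InjectionHunter custom rules and fail the build on findings.
# Assumes: Install-Module PSScriptAnalyzer, InjectionHunter -Scope CurrentUser has been run.
$ErrorActionPreference = 'Stop'

# Constructed sample script: user-controlled text reaching Invoke-Expression is the pattern InjectionHunter flags.
$sample = @'
param([string]$TableName)
$query = "SELECT * FROM $TableName"
Invoke-Expression "Invoke-Sqlcmd -Query '$query'"
'@
$scanRoot = Join-Path ([IO.Path]::GetTempPath()) 'sast-demo'   # constructed path
New-Item -ItemType Directory -Path $scanRoot -Force | Out-Null
Set-Content -Path (Join-Path $scanRoot 'Get-Rows.ps1') -Value $sample

# InjectionHunter ships as a PSScriptAnalyzer custom-rule module; -CustomRulePath takes its manifest.
$injectionHunter = (Get-Module -ListAvailable InjectionHunter | Select-Object -First 1).Path
if (-not $injectionHunter) { throw 'InjectionHunter module not found; install it from the PowerShell Gallery.' }

# Same rule set for the IDE: a settings file VS Code can load via "powershell.scriptAnalysis.settingsPath".
$settings = @"
@{
    IncludeDefaultRules = `$true
    CustomRulePath      = @('$injectionHunter')
    Severity            = @('Error', 'Warning')
}
"@
Set-Content -Path (Join-Path $scanRoot 'PSScriptAnalyzerSettings.psd1') -Value $settings

# Build step: default rules plus InjectionHunter, Warning and above.
$findings = Invoke-ScriptAnalyzer -Path $scanRoot -Recurse `
    -CustomRulePath $injectionHunter -IncludeDefaultRules `
    -Severity Warning, Error

$findings | Format-Table RuleName, Severity, ScriptName, Line, Message -AutoSize

# CI gate: any Warning or Error fails the job.
if ($findings.Count -gt 0) {
    Write-Host "SAST: $($findings.Count) finding(s); failing the build."
    exit 1
}
Write-Host 'SAST: no findings.'
```

With the constructed sample, the Invoke-Expression line is reported by InjectionHunter and the script exits non-zero; point -Path at your own repository to use it as a pipeline step.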