The evaluation of elements in the AST is the method used by the PSScriptAnalyzer tool. The tool can be installed using the following code:
Install-Module PSScriptAnalyzer -Scope CurrentUser
PSScriptAnalyzer can be used to inspect a script with the Invoke-ScriptAnalyzer command. For example, the tool will flag warnings and errors about the use of the Password parameter and variable, as it is not considered to be good practice:
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [String]$Password
)

$credential = [PSCredential]::new(
    '.\user',
    ($Password | ConvertTo-SecureString -AsPlainText -Force)
)
$credential.GetNetworkCredential().Password
The script is saved to a file named Show-Password.ps1, and the analyzer is run against the file, as shown here:
PS> Invoke-ScriptAnalyzer .\Show-Password.ps1 | Format-List
RuleName : PSAvoidUsingConvertToSecureStringWithPlainText
Severity : Error
Line : 9
Column : 18
Message : File 'Show-Password.ps1' uses ConvertTo-SecureString with plaintext. This will expose
secure information. Encrypted standard strings should be used instead.
RuleName : PSAvoidUsingPlainTextForPassword
Severity : Warning
Line : 3
Column : 5
Message : Parameter '$Password' should use SecureString, otherwise this will expose
sensitive information. See ConvertTo-SecureString for more information.
The script analyzer raises one error and one warning. The error notes that ConvertTo-SecureString is used with plain text, exposing information that is supposed to be secure.
The warning suggests that password parameters should accept SecureString values rather than a plain text string.
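The two findings above can be reproduced by walking the AST directly. The following is an added example, not PSScriptAnalyzer's own rule code: it parses the same script text without running it and reports the nodes behind each finding. The New-Finding helper and the two rule labels are hypothetical names chosen for this example.

```powershell
using namespace System.Management.Automation.Language

# Constructed sample input: the Show-Password.ps1 script shown above.
$source = @'
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [String]$Password
)

$credential = [PSCredential]::new(
    '.\user',
    ($Password | ConvertTo-SecureString -AsPlainText -Force)
)
$credential.GetNetworkCredential().Password
'@

# Parse the text into an AST; nothing in $source is executed.
$tokens = $parseErrors = $null
$ast = [Parser]::ParseInput($source, [ref]$tokens, [ref]$parseErrors)

# Hypothetical helper: report where a matching node sits in the script.
function New-Finding ($Rule, $Node) {
    [PSCustomObject]@{
        Rule   = $Rule
        Line   = $Node.Extent.StartLineNumber
        Column = $Node.Extent.StartColumnNumber
        Text   = $Node.Extent.Text
    }
}

# Check 1: ConvertTo-SecureString called with -AsPlainText (full name only).
$ast.FindAll({
    param ($node)
    $node -is [CommandAst] -and
    $node.GetCommandName() -eq 'ConvertTo-SecureString' -and
    $node.CommandElements.Where({
        $_ -is [CommandParameterAst] -and $_.ParameterName -eq 'AsPlainText'
    }).Count -gt 0
}, $true) | ForEach-Object { New-Finding 'PlainTextSecureString' $_ }

# Check 2: a parameter whose name contains "Password" and is typed [String].
$ast.FindAll({
    param ($node)
    $node -is [ParameterAst] -and
    $node.Name.VariablePath.UserPath -match 'Password' -and
    $node.StaticType -eq [string]
}, $true) | ForEach-Object { New-Finding 'PlainTextPasswordParameter' $_ }
```

Each finding takes its position from the Extent of the matching AST node, which is how a static check can point at a line and column without executing the script.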