PSScriptAnalyzer

The evaluation of elements in the AST is the method used by the PSScriptAnalyzer tool. The tool can be installed using the following code:

Install-Module PSScriptAnalyzer -Scope CurrentUser

PSScriptAnalyzer can be used to inspect a script with the Invoke-ScriptAnalyzer command. For example, the tool will flag warnings and errors about use of the Password parameter and variable, as it is not considered to be a good practice:

[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [String]$Password
)

$credential = [PSCredential]::new(
    '.\user',
    ($Password | ConvertTo-SecureString -AsPlainText -Force)
)
$credential.GetNetworkCredential().Password

The script is saved to a file named Show-Password.ps1, and the analyzer is run against the file, as shown here:

PS> Invoke-ScriptAnalyzer .\Show-Password.ps1 | Format-List

RuleName : PSAvoidUsingConvertToSecureStringWithPlainText
Severity : Error
Line : 9
Column : 18
Message : File 'Show-Password.ps1' uses ConvertTo-SecureString with plaintext. This will expose
secure information. Encrypted standard strings should be used instead.

RuleName : PSAvoidUsingPlainTextForPassword
Severity : Warning
Line : 3
Column : 5
Message : Parameter '$Password' should use SecureString, otherwise this will expose
sensitive information. See ConvertTo-SecureString for more information.

The script analyzer raises one error and one warning. The error notes that ConvertTo-SecureString is used, exposing information that is supposed to be secure.

The warning suggests that password parameters should accept SecureString values rather than a plain text string.
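The following added example (not code from the original text) runs the analyzer against the script above and against a variant that accepts a SecureString, limiting the analysis to the two rules shown in the output. The names $flagged, $hardened and Get-PasswordFinding are hypothetical, and the variant returns the credential object instead of printing the password.

```powershell
# Added example: $flagged, $hardened and Get-PasswordFinding are illustrative names.
# Requires the PSScriptAnalyzer module (Install-Module PSScriptAnalyzer).

# The script from the text, embedded as a string so the example is self-contained.
$flagged = @'
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [String]$Password
)

$credential = [PSCredential]::new(
    '.\user',
    ($Password | ConvertTo-SecureString -AsPlainText -Force)
)
$credential.GetNetworkCredential().Password
'@

# Variant: the caller supplies a SecureString (for example from
# Read-Host -AsSecureString), so the script never handles the plain text value.
$hardened = @'
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [SecureString]$Password
)

$credential = [PSCredential]::new('.\user', $Password)
$credential
'@

function Get-PasswordFinding {
    param (
        [Parameter(Mandatory)]
        [String]$ScriptDefinition
    )
    # Limit analysis to the two rules discussed in the text.
    Invoke-ScriptAnalyzer -ScriptDefinition $ScriptDefinition -IncludeRule @(
        'PSAvoidUsingConvertToSecureStringWithPlainText'
        'PSAvoidUsingPlainTextForPassword'
    )
}

foreach ($name in 'flagged', 'hardened') {
    $findings = @(Get-PasswordFinding -ScriptDefinition (Get-Variable $name -ValueOnly))
    '{0}: {1} finding(s)' -f $name, $findings.Count
    $findings | Format-Table RuleName, Severity, Line -AutoSize | Out-String
}
```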
