PowerShell · SteveL-MSFT · Sep 23, 2025 · Sep 23, 2025 · Sep 23, 2025 · Sep 23, 2025
diff --git a/dsc/Cargo.lock b/dsc/Cargo.lock
diff --git a/dsc/locales/en-us.toml b/dsc/locales/en-us.toml
@@ -131,6 +131,7 @@ tableHeader_functionCategory = "Category"
 tableHeader_minArgs = "MinArgs"
 tableHeader_maxArgs = "MaxArgs"
 tableHeader_argTypes = "ReturnTypes"
+tableHeader_trust = "Trust"
 invalidFunctionFilter = "Invalid function filter"
 maxInt = "maxInt"
 invalidManifest = "Error in manifest for"
@@ -157,3 +158,4 @@ dscConfigRootAlreadySet = "The current value of DSC_CONFIG_ROOT env var will be
 settingDscConfigRoot = "Setting DSC_CONFIG_ROOT env var as"
 stdinNotAllowedForBothParametersAndInput = "Cannot read from STDIN for both parameters and input."
 removingUtf8Bom = "Removing UTF-8 BOM from input"
+failedToCheckFileSecurity = "Failed to check file security for '%{path}': %{error}"
diff --git a/dsc/src/subcommand.rs b/dsc/src/subcommand.rs
@@ -7,6 +7,7 @@ use crate::resource_command::{get_resource, self};
 use crate::tablewriter::Table;
 use crate::util::{get_input, get_schema, in_desired_state, set_dscconfigroot, write_object, DSC_CONFIG_ROOT, EXIT_DSC_ASSERTION_FAILED, EXIT_DSC_ERROR, EXIT_INVALID_ARGS, EXIT_INVALID_INPUT, EXIT_JSON_ERROR};
 use dsc_lib::functions::FunctionArgKind;
+use dsc_lib::security::{check_file_security, TrustLevel};
 use dsc_lib::{
     configure::{
         config_doc::{
@@ -595,6 +596,7 @@ fn list_extensions(dsc: &mut DscManager, extension_name: Option<&String>, format
         t!("subcommand.tableHeader_type").to_string().as_ref(),
         t!("subcommand.tableHeader_version").to_string().as_ref(),
         t!("subcommand.tableHeader_capabilities").to_string().as_ref(),
+        t!("subcommand.tableHeader_trust").to_string().as_ref(),
         t!("subcommand.tableHeader_description").to_string().as_ref(),
     ]);
     if format.is_none() && io::stdout().is_terminal() {
@@ -616,11 +618,17 @@ fn list_extensions(dsc: &mut DscManager, extension_name: Option<&String>, format
                 }
             }
 
+            let trust_level = match check_file_security(Path::new(&extension.path)) {
+                Ok(trust_level) => trust_level,
+                Err(_err) => TrustLevel::Unknown,
+            };
+
             if write_table {
                 table.add_row(vec![
                     extension.type_name,
                     extension.version,
                     capabilities,
+                    trust_level.to_string(),
                     extension.description.unwrap_or_default()
                 ]);
             }
@@ -661,6 +669,7 @@ fn list_functions(functions: &FunctionDispatcher, function_name: Option<&String>
         t!("subcommand.tableHeader_minArgs").to_string().as_ref(),
         t!("subcommand.tableHeader_maxArgs").to_string().as_ref(),
         t!("subcommand.tableHeader_argTypes").to_string().as_ref(),
+        t!("subcommand.tableHeader_trust").to_string().as_ref(),
         t!("subcommand.tableHeader_description").to_string().as_ref(),
     ]);
     if output_format.is_none() && io::stdout().is_terminal() {
@@ -744,13 +753,15 @@ fn list_functions(functions: &FunctionDispatcher, function_name: Option<&String>
     }
 }
 
+#[allow(clippy::too_many_lines)]
 pub fn list_resources(dsc: &mut DscManager, resource_name: Option<&String>, adapter_name: Option<&String>, description: Option<&String>, tags: Option<&Vec<String>>, format: Option<&ListOutputFormat>, progress_format: ProgressFormat) {
     let mut write_table = false;
     let mut table = Table::new(&[
         t!("subcommand.tableHeader_type").to_string().as_ref(),
         t!("subcommand.tableHeader_kind").to_string().as_ref(),
         t!("subcommand.tableHeader_version").to_string().as_ref(),
         t!("subcommand.tableHeader_capabilities").to_string().as_ref(),
+        t!("subcommand.tableHeader_trust").to_string().as_ref(),
         t!("subcommand.tableHeader_adapter").to_string().as_ref(),
         t!("subcommand.tableHeader_description").to_string().as_ref(),
     ]);
@@ -817,12 +828,18 @@ pub fn list_resources(dsc: &mut DscManager, resource_name: Option<&String>, adap
                 }
             }
 
+            let trust_level = match check_file_security(Path::new(&resource.path)) {
+                Ok(trust_level) => trust_level,
+                Err(_err) => TrustLevel::Unknown,
+            };
+
             if write_table {
                 table.add_row(vec![
                     resource.type_name,
                     format!("{:?}", resource.kind),
                     resource.version,
                     capabilities,
+                    trust_level.to_string(),
                     resource.require_adapter.unwrap_or_default(),
                     resource.description.unwrap_or_default()
                 ]);

diff --git a/dsc/src/util.rs b/dsc/src/util.rs
@@ -3,6 +3,7 @@
 
 use crate::args::{SchemaType, OutputFormat, TraceFormat};
 use crate::resolve::Include;
+use dsc_lib::security::check_file_security;
 use dsc_lib::{
     configure::{
         config_doc::{
@@ -461,6 +462,11 @@ pub fn get_input(input: Option<&String>, file: Option<&String>, parameters_from_
                 }
             }
         } else {
+            if let Err(err) = check_file_security(Path::new(path)) {
+                error!("{}", t!("util.failedToCheckFileSecurity", path = path, error = err));
+                exit(EXIT_INVALID_INPUT);
+            }
+
             // see if an extension should handle this file
             let mut discovery = Discovery::new();
             for extension in discovery.get_extensions(&Capability::Import) {

diff --git a/dsc/tests/dsc.exist.tests.ps1 b/dsc/tests/dsc.exist.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe '_exist tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
+
     It 'Resource supporting exist on set should receive _exist for: <exist>' -TestCases @(
         @{ exist = $true }
         @{ exist = $false }

diff --git a/dsc/tests/dsc.exit_code.tests.ps1 b/dsc/tests/dsc.exit_code.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe 'exit code tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
+
     It 'non-zero exit code in manifest has corresponding message' {
         dsc resource get -r Test/ExitCode --input "{ exitCode: 8 }" 2> $TestDrive/tracing.txt
         "$TestDrive/tracing.txt" | Should -FileContentMatchExactly 'Placeholder from manifest for exit code 8'

diff --git a/dsc/tests/dsc_args.tests.ps1 b/dsc/tests/dsc_args.tests.ps1
@@ -3,6 +3,7 @@
 
 Describe 'config argument tests' {
     BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
         $manifest = @'
         {
             "$schema": "https://aka.ms/dsc/schemas/v3/bundled/resource/manifest.json",
@@ -52,6 +53,7 @@ Describe 'config argument tests' {
 
     AfterAll {
         $env:DSC_RESOURCE_PATH = $oldPath
+        $env:DSC_TRACE_LEVEL = $null
     }
 
     It 'input is <type>' -TestCases @(

diff --git a/dsc/tests/dsc_config_get.tests.ps1 b/dsc/tests/dsc_config_get.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe 'dsc config get tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
+
     It 'can successfully get config with multiple registry resource instances: <config>' -Skip:(!$IsWindows) -TestCases @(
         @{ config = 'osinfo_registry.dsc.json' }
         @{ config = 'osinfo_registry.dsc.yaml' }

diff --git a/dsc/tests/dsc_config_set.tests.ps1 b/dsc/tests/dsc_config_set.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe 'dsc config set tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
+
     It 'can use _exist with resources that support and do not support it' {
         $config_yaml = @"
             `$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json

diff --git a/dsc/tests/dsc_config_test.tests.ps1 b/dsc/tests/dsc_config_test.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe 'dsc config test tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
+
     It 'Assertion works correctly' {
         $configYaml = @'
  $schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json

diff --git a/dsc/tests/dsc_discovery.tests.ps1 b/dsc/tests/dsc_discovery.tests.ps1
@@ -4,6 +4,7 @@
 Describe 'tests for resource discovery' {
     BeforeAll {
         $env:DSC_RESOURCE_PATH = $testdrive
+        $env:DSC_TRACE_LEVEL = 'error'
 
         $script:lookupTableFilePath = if ($IsWindows) {
             Join-Path $env:LocalAppData "dsc\AdaptedResourcesLookupTable.json"
@@ -18,6 +19,7 @@ Describe 'tests for resource discovery' {
 
     AfterAll {
         $env:DSC_RESOURCE_PATH = $null
+        $env:DSC_TRACE_LEVEL = $null
     }
 
     It 'Use DSC_RESOURCE_PATH instead of PATH when defined' {
@@ -94,7 +96,7 @@ Describe 'tests for resource discovery' {
         try {
             $env:DSC_RESOURCE_PATH = $testdrive
             Set-Content -Path "$testdrive/test.dsc.resource.json" -Value $manifest
-            $null = dsc resource list 2> "$testdrive/error.txt"
+            $null = dsc -l warn resource list 2> "$testdrive/error.txt"
             "$testdrive/error.txt" | Should -FileContentMatchExactly 'WARN.*?does not use semver' -Because (Get-Content -Raw "$testdrive/error.txt")
         }
         finally {

diff --git a/dsc/tests/dsc_export.tests.ps1 b/dsc/tests/dsc_export.tests.ps1
@@ -2,6 +2,13 @@
 # Licensed under the MIT License.
 
 Describe 'resource export tests' {
+    BeforeAll {
+        $env:DSC_TRACE_LEVEL = 'error'
+    }
+
+    AfterAll {
+        $env:DSC_TRACE_LEVEL = $null
+    }
 
     It 'Export can be called on individual resource' {
 

diff --git a/dsc/tests/dsc_expressions.tests.ps1 b/dsc/tests/dsc_expressions.tests.ps1
@@ -2,6 +2,15 @@
 # Licensed under the MIT License.
 
 Describe 'Expressions tests' {
+
+  BeforeAll {
+      $env:DSC_TRACE_LEVEL = 'error'
+  }
+
+  AfterAll {
+      $env:DSC_TRACE_LEVEL = $null
+  }
+
   It 'Accessors work: <text>' -TestCases @(
     @{ text = "[parameters('test').hello]"; expected = '@{world=there}' }
     @{ text = "[parameters('test').hello.world]"; expected = 'there' }

diff --git a/dsc/tests/dsc_extension_discover.tests.ps1 b/dsc/tests/dsc_extension_discover.tests.ps1
@@ -14,10 +14,12 @@ Describe 'Discover extension tests' {
         $oldPath = $env:PATH
         $toolPath = Resolve-Path -Path "$PSScriptRoot/../../extensions/test/discover"
         $env:PATH = "$toolPath" + [System.IO.Path]::PathSeparator + $oldPath
+        $env:DSC_TRACE_LEVEL = 'error'
     }
 
     AfterAll {
         $env:PATH = $oldPath
+        $env:DSC_TRACE_LEVEL = $null
     }
 
     It 'Discover extensions' {

diff --git a/dsc/tests/dsc_functions.tests.ps1 b/dsc/tests/dsc_functions.tests.ps1
@@ -2,6 +2,14 @@
 # Licensed under the MIT License.
 
 Describe 'tests for function expressions' {
+  BeforeAll {
+      $env:DSC_TRACE_LEVEL = 'error'
+  }
+
+  AfterAll {
+      $env:DSC_TRACE_LEVEL = $null
+  }
+
   It 'function works: <text>' -TestCases @(
     @{ text = "[concat('a', 'b')]"; expected = 'ab' }
     @{ text = "[concat('a', 'b', 'c')]"; expected = 'abc' }