AST-aware PowerShell QA + auto-fixer. Strict PSScriptAnalyzer rules, unified diffs, JSONL logs, rollback. In a small synthetic corpus: 27→0 first-pass fixes.

cboyd0319/PoshGuard


PoshGuard

PowerShell security and quality auto-fixes

Safe AST-based transformations • NIST/OWASP/CIS compliant • Zero telemetry



What is PoshGuard?

The problem: PowerShell scripts are prone to security vulnerabilities (hardcoded credentials, command injection, weak crypto) and quality issues (missing error handling, inconsistent formatting). Manual fixes are time-consuming and error-prone.

The solution: PoshGuard uses AST-based analysis to automatically detect and fix security vulnerabilities and code quality issues in PowerShell scripts—preserving your code's intent while enforcing best practices.
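As an added illustration of the two findings named above (hardcoded credentials and command injection), not code from the PoshGuard repository, here is the insecure shape of a script next to a hardened rewrite. The function names, domain and host are made up:

```powershell
# Added example, not PoshGuard code: an insecure function and its hardened rewrite.

# --- BEFORE: two classic findings in one function ----------------------------
function Restart-RemoteServiceInsecure {
    param([string]$ComputerName, [string]$ServiceName)

    # Finding 1: hardcoded credential, checked into source control with the script.
    $password = ConvertTo-SecureString 'P@ssw0rd123' -AsPlainText -Force
    $cred     = [pscredential]::new('CONTOSO\svc-ops', $password)

    # Finding 2: command injection. $ServiceName is spliced into a string that is
    # evaluated on the remote host; "Spooler; Stop-Computer -Force" runs as written.
    $remoteCommand = "Restart-Service -Name $ServiceName"
    Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
        param($Command) Invoke-Expression $Command
    } -ArgumentList $remoteCommand
}

# --- AFTER: the same job without either finding ------------------------------
function Restart-RemoteServiceSecure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,

        # Validation is the real injection defence: only names a service could have.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_.-]{1,256}$')][string]$ServiceName,

        # The credential is supplied by the caller (prompt, vault, CI secret), never by the file.
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$Credential
    )

    # No string evaluation: the cmdlet is called directly and $ServiceName is bound as a
    # single argument, so shell metacharacters in it are data, not code.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        param($Name) Restart-Service -Name $Name -ErrorAction Stop
    } -ArgumentList $ServiceName
}

# Usage (the secret comes from the operator or the pipeline, not from the script):
#   Restart-RemoteServiceSecure -ComputerName web01 -ServiceName Spooler -Credential (Get-Credential)
```

The rewrite is what an auto-fixer cannot fully do for you: it can strip the literal password and replace the Invoke-Expression call, but deciding where the credential now comes from and what the argument may legitimately contain is a design decision, which is why the diff preview exists.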

Who is this for?

  • DevOps engineers automating infrastructure and deployments
  • Security teams enforcing NIST, OWASP, CIS, and ISO compliance
  • IT administrators maintaining PowerShell scripts across Windows/Linux/macOS
  • Compliance officers requiring auditable security standards

What's New

  • RipGrep integration for 5-10x faster scanning on large codebases
  • AST-based transformations preserve code intent (no regex hacks)
  • Secrets hardening detects and fixes hardcoded credentials
  • Compliance frameworks mapped to NIST, OWASP, CIS, ISO 27001, FedRAMP
  • SARIF export for GitHub Code Scanning integration
  • Cross-platform works on Windows, macOS, Linux (PowerShell 7+)

Quickstart

Option 1: Install from PowerShell Gallery

# Install from PowerShell Gallery
Install-Module -Name PoshGuard -Scope CurrentUser -Force
Import-Module PoshGuard

# Preview changes (dry run)
Invoke-PoshGuard -Path ./script.ps1 -DryRun -ShowDiff

# Apply fixes to entire directory
Invoke-PoshGuard -Path ./scripts -Recurse

# Fast scan with RipGrep (5-10x faster)
Invoke-PoshGuard -Path ./large-codebase -Recurse -FastScan

Option 2: Install from Source

# Clone repository
git clone https://github.com/cboyd0319/PoshGuard.git
cd PoshGuard

# Run directly from source
./tools/Apply-AutoFix.ps1 -Path ./samples/before-security-issues.ps1 -ShowDiff

Option 3: GitHub Code Scanning

# Generate SARIF report for GitHub Security tab
Invoke-PoshGuard -Path . -DryRun -ExportSarif -SarifOutputPath ./poshguard-results.sarif

# Upload SARIF to GitHub (via GitHub Actions)
# See docs/reference/GITHUB-SARIF-INTEGRATION.md

What it does:

  • Scans PowerShell scripts for security issues
  • Shows diff of proposed changes
  • Applies fixes automatically (preserving intent)
  • Generates SARIF reports for GitHub
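An added example, not part of PoshGuard, of what to do with the SARIF file once you have it in CI: parse the report and fail the job when findings at or above a chosen level are present. It relies only on the SARIF 2.1.0 layout; the rule IDs, paths and messages in the embedded sample are constructed, and in a real pipeline the path would be the file written by -SarifOutputPath:

```powershell
# Added example, not PoshGuard code: gate a CI job on a SARIF report.

function Get-SarifFindings {
    param([Parameter(Mandatory)][string]$Path)
    $sarif = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($run in $sarif.runs) {
        foreach ($result in $run.results) {
            $loc   = $result.locations[0].physicalLocation
            $level = if ($result.level) { $result.level } else { 'warning' }   # SARIF default when omitted
            [pscustomobject]@{
                Level   = $level
                RuleId  = $result.ruleId
                File    = $loc.artifactLocation.uri
                Line    = $loc.region.startLine
                Message = $result.message.text
            }
        }
    }
}

function Test-SarifGate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('note', 'warning', 'error')][string]$FailOn = 'error'
    )
    $rank     = @{ note = 0; warning = 1; error = 2 }
    $findings = @(Get-SarifFindings -Path $Path)
    $blocking = @($findings | Where-Object { $rank[$_.Level] -ge $rank[$FailOn] })

    # Print everything for the job log, but only block on the chosen level and above.
    $findings | Sort-Object File, Line | Format-Table Level, RuleId, File, Line, Message -AutoSize | Out-Host
    if ($blocking.Count -gt 0) {
        Write-Warning "$($blocking.Count) finding(s) at level '$FailOn' or above; failing the gate"
        return $false
    }
    return $true
}

# Constructed sample standing in for poshguard-results.sarif. Rule IDs are invented for the demo.
$sample = @'
{ "version": "2.1.0",
  "runs": [ { "tool": { "driver": { "name": "PoshGuard" } },
    "results": [
      { "ruleId": "SEC-HARDCODED-CREDENTIAL", "level": "error",
        "message": { "text": "Plain-text password converted with -AsPlainText" },
        "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "deploy/restart.ps1" },
                                               "region": { "startLine": 6 } } } ] },
      { "ruleId": "QA-MISSING-ERRORACTION", "level": "warning",
        "message": { "text": "Cmdlet call without -ErrorAction" },
        "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "deploy/restart.ps1" },
                                               "region": { "startLine": 12 } } } ] } ] } ] }
'@
$report = Join-Path ([System.IO.Path]::GetTempPath()) 'poshguard-sample.sarif'
Set-Content -Path $report -Value $sample -Encoding utf8

# In CI the report comes from: Invoke-PoshGuard -Path . -DryRun -ExportSarif -SarifOutputPath $report
if (-not (Test-SarifGate -Path $report -FailOn error)) { exit 1 }
```

Run as a script step, the sample exits 1 because of the single error-level finding while the warning is only listed; switch -FailOn to warning to make quality findings blocking as well.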

New to PoshGuard? Follow the documentation index


Features

Security Scanning

  • Hardcoded credentials detection
  • Command injection prevention
  • Weak cryptography detection
  • Invoke-Expression (eval) warnings
  • Unsafe deserialization checks
  • Path traversal detection
  • LDAP injection prevention
  • Cross-site scripting (XSS) in HTML

RipGrep Integration (NEW)

  • 5-10x faster scanning on large codebases
  • Secret scanning with pattern matching
  • Multi-repo batch analysis
  • CI/CD pipeline optimization
  • Automatic fallback if unavailable
  • Zero configuration required

Code Quality

  • Missing error handling detection
  • Inconsistent formatting fixes
  • Parameter validation enforcement
  • Output encoding verification
  • Best practices compliance
  • Documentation completeness checks

Compliance Frameworks

  • NIST 800-53 controls mapping
  • OWASP ASVS v4.0 compliance
  • CIS PowerShell Benchmarks
  • ISO 27001 security standards
  • FedRAMP requirements
  • PCI DSS data protection

GitHub Integration

  • SARIF 2.1.0 export format
  • GitHub Code Scanning support
  • Security tab integration
  • Automated PR checks
  • Policy enforcement

Cross-Platform Support

  • Windows (PowerShell 7+)
  • macOS (PowerShell 7+)
  • Linux (PowerShell 7+)
  • Docker/container environments
  • Azure DevOps pipelines
  • GitHub Actions

Developer Experience

  • Dry-run mode (preview changes)
  • Diff visualization
  • Recursive directory scanning
  • Configurable rule sets
  • Privacy-first (no telemetry)
  • No required external dependencies (RipGrep is optional and only accelerates scanning)

Installation

Prerequisites

| Tool       | Version | Purpose                            | Required                                               |
|------------|---------|------------------------------------|--------------------------------------------------------|
| PowerShell | ≥ 7.0   | Runtime (Windows/macOS/Linux)      | Yes                                                    |
| PSGallery  | N/A     | Module installation                | For the Gallery install; a source checkout does not need it |
| RipGrep    | ≥ 14.0  | Fast pre-filtering (5-10x speedup) | No (optional)                                          |

RipGrep Installation (Optional, Recommended)

# Windows
choco install ripgrep
# Or: winget install BurntSushi.ripgrep.MSVC

# macOS
brew install ripgrep

# Linux (Ubuntu/Debian)
sudo apt install ripgrep

# Verify installation
rg --version

Performance

Fast Scan Mode

For large codebases with thousands of PowerShell scripts, enable RipGrep pre-filtering:

# Standard scan (full AST analysis on all files)
Invoke-PoshGuard -Path ./enterprise-scripts -Recurse

# Fast scan (5-10x faster with RipGrep)
Invoke-PoshGuard -Path ./enterprise-scripts -Recurse -FastScan

How It Works

  1. RipGrep pre-filtering - quickly lists the scripts that contain a trigger pattern (credential literals, Invoke-Expression, etc.)
  2. AST analysis - only those candidate files undergo the expensive parse
  3. Skip safe files - scripts that match no pattern are skipped entirely

The trade-off to keep in mind: the first stage is a text match, so a script that reaches the same sink indirectly (a command name assembled from string fragments, or an encoded command) contains no trigger pattern and is never parsed. Fast scan trades some recall for speed and suits routine pre-commit or PR runs; use the standard scan for release gates or when scanning code you do not trust.
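An added example, not PoshGuard's own implementation, of the two-stage scan described above and of the AST-based (rather than regex-based) detection the Features section promises. Stage 1 lists files containing any trigger pattern, via ripgrep when it is on PATH and Select-String otherwise (the fallback the page mentions). Stage 2 parses only those candidates with PowerShell's own parser and walks the AST for two findings: Invoke-Expression fed a non-constant argument, and ConvertTo-SecureString given a literal password with -AsPlainText. The function names, trigger list and sample tree are constructed for the demo:

```powershell
# Added example, not PoshGuard code: ripgrep pre-filter with fallback, then AST rules.
using namespace System.Management.Automation.Language

# Cheap textual triggers that over-approximate the real findings. Anything that matches
# none of them is never parsed, so keep this list broader than the AST rules.
$TriggerPatterns = @('Invoke-Expression', '\biex\b', 'ConvertTo-SecureString', '-AsPlainText')

function Get-CandidateFiles {
    param([Parameter(Mandatory)][string]$Root)
    $rg = Get-Command rg -ErrorAction SilentlyContinue
    if ($rg) {
        # -l: print only file names; -i: case-insensitive like PowerShell; one -e per pattern.
        $rgArgs = @('-l', '-i', '--glob', '*.ps1', '--glob', '*.psm1')
        foreach ($p in $TriggerPatterns) { $rgArgs += @('-e', $p) }
        # rg exits 1 when nothing matched; that means "no candidates", not an error.
        return @(& $rg.Source @rgArgs -- $Root 2>$null)
    }
    # Fallback: same patterns, no external dependency, slower on large trees.
    Get-ChildItem -Path $Root -Recurse -Include *.ps1, *.psm1 -File |
        Select-String -Pattern $TriggerPatterns -List |
        ForEach-Object Path
}

function Find-SecurityIssues {
    param([Parameter(Mandatory)][string]$Path)
    $tokens = $null; $parseErrors = $null
    $ast = [Parser]::ParseFile($Path, [ref]$tokens, [ref]$parseErrors)
    if ($parseErrors.Count) { Write-Warning "${Path}: $($parseErrors.Count) parse error(s), AST may be partial" }

    foreach ($cmd in $ast.FindAll({ param($n) $n -is [CommandAst] }, $true)) {
        $name = $cmd.GetCommandName()          # $null for '& $something', which no text rule sees either
        if (-not $name) { continue }
        # Split the call into positional arguments and -Switch / -Parameter tokens.
        $arguments = @($cmd.CommandElements | Select-Object -Skip 1 | Where-Object { $_ -isnot [CommandParameterAst] })
        $switches  = @($cmd.CommandElements | Where-Object { $_ -is [CommandParameterAst] } | ForEach-Object ParameterName)

        $rule = $null
        if (($name -in @('Invoke-Expression', 'iex')) -and $arguments.Count -gt 0 -and
            $arguments[0] -isnot [StringConstantExpressionAst]) {
            # A constant string is merely pointless; a variable or expandable string is the injection shape.
            $rule = 'InvokeExpressionWithDynamicInput'
        }
        elseif ($name -eq 'ConvertTo-SecureString' -and ($switches -like 'AsPlain*') -and
                ($arguments | Where-Object { $_ -is [StringConstantExpressionAst] })) {
            $rule = 'HardcodedCredential'
        }
        if ($rule) {
            [pscustomobject]@{ File = $Path; Line = $cmd.Extent.StartLineNumber; Rule = $rule; Code = $cmd.Extent.Text }
        }
    }
}

# Constructed sample tree so the example runs offline; point $root at a real repository instead.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'poshguard-fastscan-demo'
New-Item -ItemType Directory -Force -Path $root | Out-Null
Set-Content -Path (Join-Path $root 'clean.ps1') -Value 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'
Set-Content -Path (Join-Path $root 'risky.ps1') -Value @'
$pw = ConvertTo-SecureString 'P@ssw0rd123' -AsPlainText -Force
Invoke-Expression "Get-Service -Name $env:SERVICE_NAME"
Invoke-Expression 'Get-Date'   # constant input: wasteful, but not an injection sink
'@

$all        = @(Get-ChildItem -Path $root -Recurse -Include *.ps1, *.psm1 -File)
$candidates = @(Get-CandidateFiles -Root $root)
"Pre-filter: $($candidates.Count) of $($all.Count) file(s) need AST analysis"
$candidates | ForEach-Object { Find-SecurityIssues -Path $_ } | Format-Table -AutoSize
```

On the sample tree the pre-filter keeps one of the two files and the AST pass reports two findings in risky.ps1 (lines 1 and 2) while leaving the constant-string Invoke-Expression alone, which is the distinction a plain regex over the file cannot make.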

Performance Benchmarks

| Codebase size  | Standard scan | Fast scan | Speedup |
|----------------|---------------|-----------|---------|
| 1,000 scripts  | ~48 s         | ~9 s      | 5.3x    |
| 10,000 scripts | ~480 s        | ~52 s     | 9.2x    |

See RipGrep Integration Guide for advanced usage.


Configuration

PoshGuard uses sensible defaults. Advanced configuration available via:

  • config/PSScriptAnalyzerSettings.psd1 - PSScriptAnalyzer rules
  • config/QASettings.psd1 - Quality assurance settings
  • config/SecurityRules.psd1 - Security rule mappings
  • config/poshguard.json - Main configuration
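An added example of the first of these files in the shape PSScriptAnalyzer documents (Severity, IncludeRules, Rules). The rule names and setting keys are PSScriptAnalyzer's own; the selection is an illustrative security-first starting point, not the contents of PoshGuard's shipped config/PSScriptAnalyzerSettings.psd1, which are not reproduced on this page:

```powershell
# Added example, not PoshGuard's shipped settings: a PSScriptAnalyzer settings file (.psd1)
# that turns on the built-in security rules plus the formatting rules that drive auto-fixes.
@{
    Severity     = @('Error', 'Warning')
    IncludeRules = @(
        # Security rules shipped with PSScriptAnalyzer
        'PSAvoidUsingPlainTextForPassword',
        'PSAvoidUsingConvertToSecureStringWithPlainText',
        'PSAvoidUsingUsernameAndPasswordParams',
        'PSAvoidUsingInvokeExpression',
        'PSAvoidUsingComputerNameHardcoded',
        'PSUsePSCredentialType',
        'PSAvoidUsingEmptyCatchBlock',
        'PSUseShouldProcessForStateChangingFunctions',
        # Formatting rules that support -Fix
        'PSUseConsistentIndentation',
        'PSUseConsistentWhitespace',
        'PSPlaceOpenBrace',
        'PSPlaceCloseBrace'
    )
    Rules = @{
        PSUseConsistentIndentation = @{ Enable = $true; IndentationSize = 4; Kind = 'space' }
        PSPlaceOpenBrace           = @{ Enable = $true; OnSameLine = $true; NewLineAfter = $true }
        PSPlaceCloseBrace          = @{ Enable = $true; NewLineAfter = $false }
    }
}

# Run the file directly with PSScriptAnalyzer; -Fix applies the formatting corrections in place:
#   Invoke-ScriptAnalyzer -Path ./scripts -Recurse -Settings ./config/PSScriptAnalyzerSettings.psd1 -Fix
```

Keeping the security rules in IncludeRules rather than relying on the default set means a later PSScriptAnalyzer upgrade cannot silently drop one of them from your scan.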

See Configuration Guide for details.


Troubleshooting

Common Issues

Error: Module not found

Cause: PoshGuard not installed or not imported

Fix:

# Install from Gallery
Install-Module -Name PoshGuard -Scope CurrentUser -Force

# Import module
Import-Module PoshGuard

# Verify installation
Get-Module PoshGuard -ListAvailable

Slow performance on large codebases

Cause: Full AST analysis on all files

Fix: Enable Fast Scan mode with RipGrep:

# Install RipGrep first (see prerequisites)
Invoke-PoshGuard -Path ./large-repo -Recurse -FastScan

See Performance Guide

SARIF export fails

Cause: Invalid output path or permissions

Fix:

# Ensure directory exists
New-Item -ItemType Directory -Force -Path ./reports

# Export with full path
Invoke-PoshGuard -Path . -DryRun -ExportSarif -SarifOutputPath ./reports/poshguard.sarif



Documentation

Getting Started

Advanced Features

Operations


License

MIT License - See LICENSE for full text.

✅ Commercial use allowed
✅ Modification allowed
✅ Distribution allowed
✅ Private use allowed
📋 License and copyright notice required

TL;DR: Use it however you want. Just include the license.

Learn more: https://choosealicense.com/licenses/mit/


