ossf/scorecard

Feature: Checks should support powershell scripts

balteravishay opened this issue · 0 comments

Is your feature request related to a problem? Please describe.
PowerShell isn't supported by mvdan.cc/sh/v3/syntax, and so the Pinned-Dependencies check and others such as the SAST check ignore .ps1 files AND PowerShell-based tasks/jobs in GitHub Actions AND fail on Windows container Dockerfiles that use PowerShell.
Supporting PowerShell-based scripts will increase the number of repositories that can leverage the Pinned-Dependencies check.

Describe the solution you'd like
Pinned-Dependencies should be able to analyze the following, treat them the same as POSIX shell, Bash, and mksh, and leverage the existing checks that are implemented for those scripts:

  • .ps1 files
  • PowerShell tasks/jobs in GitHub Actions
  • Windows container Dockerfiles that use PowerShell RUN commands

Examples:

  • go run main.go --repo PULSAR-Modders/pulsar-mod-loader --checks Pinned-Dependencies --format json --show-details | jq
  • go run main.go --repo SonarSource/sonar-dotnet --checks Pinned-Dependencies --format json --show-details | jq
  • go run main.go --repo dotnet/runtime --checks Pinned-Dependencies --format json --show-details | jq

Today these examples do not detect the .NET dependencies, given that they are either specified in YAML PowerShell jobs or in .ps1 files, or the check fails because the Dockerfile is using a PowerShell script.