Master | Development |
---|---|
- Introduction
- Usage
- Installation
- Suppressing Rules
- Settings Support in ScriptAnalyzer
- ScriptAnalyzer as a .NET library
- Violation Correction
- Project Management Dashboard
- Contributing to ScriptAnalyzer
- Creating a Release
- Code of Conduct
PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.
PSScriptAnalyzer is shipped with a collection of built-in rules that checks various aspects of PowerShell code such as presence of uninitialized variables, usage of PSCredential Type, usage of Invoke-Expression etc. Additional functionalities such as exclude/include specific rules are also supported.
Get-ScriptAnalyzerRule [-CustomizedRulePath <string[]>] [-Name <string[]>] [<CommonParameters>] [-Severity <string[]>]
Invoke-ScriptAnalyzer [-Path] <string> [-CustomizedRulePath <string[]>] [-ExcludeRule <string[]>] [-IncludeRule <string[]>] [-Severity <string[]>] [-Recurse] [-EnableExit] [-Fix] [<CommonParameters>]
Install-Module -Name PSScriptAnalyzer
Note: For PowerShell version 5.1.14393.206
or newer, before installing PSScriptAnalyzer, please install the latest Nuget provider by running the following in an elevated PowerShell session.
Install-PackageProvider Nuget –force –verbose
Exit
- Windows PowerShell 3.0 or greater
- PowerShell Core
- PowerShell Core
- .NET Core 2.1.4 SDK
- PlatyPS 0.5.0 or greater
- Optionally but recommended for development: Visual Studio 2017
-
Obtain the source
- Download the latest source code from the release page OR
- Clone the repository (needs git)
git clone https://github.com/PowerShell/PSScriptAnalyzer
-
Navigate to the source directory
cd path/to/PSScriptAnalyzer
-
Building
You can either build using the
Visual Studio
solutionPSScriptAnalyzer.sln
or build usingPowerShell
specifically for your platform as follows:- Windows PowerShell version 5.0 and greater
.\buildCoreClr.ps1 -Framework net451 -Configuration Release -Build
- Windows PowerShell version 3.0 and 4.0
.\buildCoreClr.ps1 -Framework net451 -Configuration PSV3Release -Build
- PowerShell Core
.\buildCoreClr.ps1 -Framework netstandard1.6 -Configuration Release -Build
-
Build documenatation
.\build.ps1 -BuildDocs
-
Import the module
Import-Module .\out\PSScriptAnalyzer\PSScriptAnalyzer.psd1
To confirm installation: run Get-ScriptAnalyzerRule
in the PowerShell console to obtain the built-in rules
- Adding/Removing resource strings
For adding/removing resource strings in the *.resx
files, it is recommended to use Visual Studio
since it automatically updates the strongly typed *.Designer.cs
files. The Visual Studio 2017 Community Edition
is free to use but should you not have/want to use Visual Studio
then you can either manually adapt the *.Designer.cs
files or use the New-StronglyTypedCsFileForResx.ps1
script although the latter is discouraged since it leads to a bad diff of the *.Designer.cs
files.
Pester-based ScriptAnalyzer Tests are located in path/to/PSScriptAnalyzer/Tests
folder.
- Ensure Pester 3.4 is installed on the machine
- Copy
path/to/PSScriptAnalyzer/out/PSScriptAnalyzer
to a folder inPSModulePath
- Go the Tests folder in your local repository
- Run Engine Tests:
cd /path/to/PSScriptAnalyzer/Tests/Engine
Invoke-Pester
- Run Tests for Built-in rules:
cd /path/to/PSScriptAnalyzer/Tests/Rules
Invoke-Pester
You can suppress a rule by decorating a script/function or script/function parameter with .NET's SuppressMessageAttribute.
SuppressMessageAttribute
's constructor takes two parameters: a category and a check ID. Set the categoryID
parameter to the name of the rule you want to suppress and set the checkID
parameter to a null or empty string. You can optionally add a third named parameter with a justification for suppressing the message:
function SuppressMe()
{
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSProvideCommentHelp", "", Justification="Just an example")]
param()
Write-Verbose -Message "I'm making a difference!"
}
All rule violations within the scope of the script/function/parameter you decorate will be suppressed.
To suppress a message on a specific parameter, set the SuppressMessageAttribute
's CheckId
parameter to the name of the parameter:
function SuppressTwoVariables()
{
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSProvideDefaultParameterValue", "b")]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSProvideDefaultParameterValue", "a")]
param([string]$a, [int]$b)
{
}
}
Use the SuppressMessageAttribute
's Scope
property to limit rule suppression to functions or classes within the attribute's scope.
Use the value Function
to suppress violations on all functions within the attribute's scope. Use the value Class
to suppress violations on all classes within the attribute's scope:
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSProvideCommentHelp", "", Scope="Function")]
param(
)
function InternalFunction
{
param()
Write-Verbose -Message "I am invincible!"
}
You can further restrict suppression based on a function/parameter/class/variable/object's name by setting the SuppressMessageAttribute's
Target
property to a regular expression or a glob pattern. Few examples are given below.
Suppress PSAvoidUsingWriteHost
rule violation in start-bar
and start-baz
but not in start-foo
and start-bam
:
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Scope='Function', Target='start-ba[rz]')]
param()
function start-foo {
write-host "start-foo"
}
function start-bar {
write-host "start-bar"
}
function start-baz {
write-host "start-baz"
}
function start-bam {
write-host "start-bam"
}
Suppress violations in all the functions:
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", Scope="Function", Target="*")]
Param()
Suppress violation in start-bar
, start-baz
and start-bam
but not in start-foo
:
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", Scope="Function", Target="start-b*")]
Param()
Note: Rule suppression is currently supported only for built-in rules.
Settings that describe ScriptAnalyzer rules to include/exclude based on Severity
can be created and supplied to
Invoke-ScriptAnalyzer
using the Setting
parameter. This enables a user to create a custom configuration for a specific environment. We support the following modes for specifying the settings file.
ScriptAnalyzer ships a set of built-in presets that can be used to analyze scripts. For example, if the user wants to run PowerShell Gallery rules on their module, then they use the following command.
PS> Invoke-ScriptAnalyzer -Path /path/to/module/ -Settings PSGallery -Recurse
Along with PSGallery
there are a few other built-in presets, including, DSC
and CodeFormatting
, that can be used. These presets can be tab completed for the Settings
parameter.
The following example excludes two rules from the default set of rules and any rule that does not output an Error or Warning diagnostic record.
# PSScriptAnalyzerSettings.psd1
@{
Severity=@('Error','Warning')
ExcludeRules=@('PSAvoidUsingCmdletAliases',
'PSAvoidUsingWriteHost')
}
Then invoke that settings file when using Invoke-ScriptAnalyzer
:
Invoke-ScriptAnalyzer -Path MyScript.ps1 -Setting PSScriptAnalyzerSettings.psd1
The next example selects a few rules to execute instead of all the default rules.
# PSScriptAnalyzerSettings.psd1
@{
IncludeRules=@('PSAvoidUsingPlainTextForPassword',
'PSAvoidUsingConvertToSecureStringWithPlainText')
}
Then invoke that settings file when using:
Invoke-ScriptAnalyzer -Path MyScript.ps1 -Setting ScriptAnalyzerSettings.psd1
If you place a PSScriptAnayzer settings file named PSScriptAnalyzerSettings.psd1
in your project root, PSScriptAnalyzer will discover it if you pass the project root as the Path
parameter.
Invoke-ScriptAnalyzer -Path "C:\path\to\project" -Recurse
Note that providing settings explicitly takes higher precedence over this implicit mode. Sample settings files are provided here.
ScriptAnalyzer engine and functionality can now be directly consumed as a library.
Here are the public interfaces:
using Microsoft.Windows.PowerShell.ScriptAnalyzer;
public void Initialize(System.Management.Automation.Runspaces.Runspace runspace,
Microsoft.Windows.PowerShell.ScriptAnalyzer.IOutputWriter outputWriter,
[string[] customizedRulePath = null],
[string[] includeRuleNames = null],
[string[] excludeRuleNames = null],
[string[] severity = null],
[bool suppressedOnly = false],
[string profile = null])
public System.Collections.Generic.IEnumerable<DiagnosticRecord> AnalyzePath(string path,
[bool searchRecursively = false])
public System.Collections.Generic.IEnumerable<IRule> GetRule(string[] moduleNames, string[] ruleNames)
Some violations can be fixed by replacing the violation causing content with a suggested alternative. You can use the -Fix
switch to automatically apply the suggestions. Since Invoke-ScriptAnalyzer
implements SupportsShouldProcess
, you can additionally use -WhatIf
or -Confirm
to find out which corrections would be applied. It goes without saying that you should use source control when applying those corrections since some some of them such as the one for AvoidUsingPlainTextForPassword
might require additional script modifications that cannot be made automatically. Should your scripts be sensitive to encoding you should also check that because the initial encoding can not be preserved in all cases.
The initial motivation behind having the SuggestedCorrections
property on the ErrorRecord
(which is how the -Fix
switch works under the hood) was to enable quick-fix like scenarios in editors like VSCode, Sublime, etc. At present, we provide valid SuggestedCorrection
only for the following rules, while gradually adding this feature to more rules.
- AvoidAlias.cs
- AvoidUsingPlainTextForPassword.cs
- MisleadingBacktick.cs
- MissingModuleManifestField.cs
- UseToExportFieldsInManifest.cs
You can track issues, pull requests, backlog items here:
Throughput Graph
You are welcome to contribute to this project. There are many ways to contribute:
- Submit a bug report via Issues. For a guide to submitting good bug reports, please read Painless Bug Tracking.
- Verify fixes for bugs.
- Submit your fixes for a bug. Before submitting, please make sure you have:
- Performed code reviews of your own
- Updated the test cases if needed
- Run the test cases to ensure no feature breaks or test breaks
- Added the test cases for new code
- Submit a feature request.
- Help answer questions in the discussions list.
- Submit test cases.
- Tell others about the project.
- Tell the developers how much you appreciate the product!
You might also read these two blog posts about contributing code: Open Source Contribution Etiquette by Miguel de Icaza, and Don’t “Push” Your Pull Requests by Ilya Grigorik.
Before submitting a feature or substantial code contribution, please discuss it with the Windows PowerShell team via Issues, and ensure it follows the product roadmap. Note that all code submissions will be rigorously reviewed by the Windows PowerShell Team. Only those that meet a high bar for both quality and roadmap fit will be merged into the source.
- Update changelog (
changelog.md
) with the new version number and change set. When updating the changelog please follow the same pattern as that of previous change sets (otherwise this may break the next step). - Import the ReleaseMaker module and execute
New-Release
cmdlet to perform the following actions.- Update module manifest (engine/PSScriptAnalyzer.psd1) with the new version number and change set
- Update the version number in
engine/project.json
andrules/project.json
- Create a release build in
out/
PS> Import-Module .\Utils\ReleaseMaker.psm1
PS> New-Release
- Sign the binaries and PowerShell files in the release build and publish the module to PowerShell Gallery.
- Create a PR on
development
branch, with all the changes made in the previous step. - Merge the changes to
development
and then mergedevelopment
tomaster
(Note that thedevelopment
tomaster
merge should be afast-forward
merge). - Draft a new release on github and tag
master
with the new version number.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.