We release patches for security vulnerabilities. Currently supported versions:

We take the security of PSScriptModule seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Do not open a public GitHub issue for security vulnerabilities
• Do not disclose the vulnerability publicly until it has been addressed

1. Report via GitHub Security Advisories:

   • Navigate to the repository's "Security" tab
   • Click "Advisories" and then "New draft security advisory"
   • Provide detailed information about the vulnerability

2. Include in Your Report:

   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact
   • Suggested fix (if available)
   • Your contact information

When using this PowerShell module template:

• Never commit credentials: Use SecureString or credential management systems
• Validate all inputs: Use parameter validation attributes
• Sanitize user input: Prevent injection attacks
• Use approved verbs: Follow PowerShell naming conventions
• Handle errors properly: Don't expose sensitive information in error messages

• Run PSScriptAnalyzer: All code must pass static analysis
• Run InjectionHunter tests: Check for injection vulnerabilities
• Review dependencies: Regularly update modules in requirements.psd1

• Sign your scripts: Use code signing certificates for production
• Verify execution policy: Use appropriate PowerShell execution policies
• Limit permissions: Follow principle of least privilege
• Audit module usage: Enable PowerShell logging in production environments

This module requires PowerShell script execution. Ensure:

• Execution policy is set appropriately for your environment
• Scripts are obtained from trusted sources
• Code signing is enforced in production environments

This project uses external PowerShell modules:

• InvokeBuild: Build orchestration
• Pester: Testing framework
• PSScriptAnalyzer: Static code analysis
• platyPS: Documentation generation

Review the security advisories for these dependencies regularly.

Every PR runs:

1. PSScriptAnalyzer: Static code analysis for common issues
2. InjectionHunter: Detection of potential injection vulnerabilities
3. Pester Tests: Functional testing including security scenarios
4. Dependency Checks: Ensure dependencies are up-to-date

When a security vulnerability is confirmed:

1. Assessment: Evaluate severity and impact
2. Fix Development: Create patch in private branch
3. Testing: Thoroughly test the security fix
4. Release:
   • Use +semver: patch for minor security fixes
   • Use +semver: major for breaking security changes
5. Disclosure: Publish security advisory after fix is released
6. Notification: Notify users of the security update

• PowerShell Security Best Practices
• PSScriptAnalyzer Rules
• OWASP Secure Coding Practices

For security-related questions that are not vulnerabilities, please open a regular GitHub issue or discussion.

Thank you for helping keep PSScriptModule and its users safe!