ConvertTo-SecureString Password
Description
General
The ConvertTo-SecureString Password detector aims to catch passwords passed as literals to the PowerShell ConvertTo-SecureString cmdlet.
ConvertTo-SecureString is a PowerShell cmdlet commonly used to convert plain-text strings into SecureString objects. When it is invoked with the -AsPlainText and -Force flags on a string literal, a plain-text password is being handled directly in the code.
Specifications
The detector covers the common usage patterns of ConvertTo-SecureString:
- Piped form:
"password" | ConvertTo-SecureString -AsPlainText -Force
- Argument form:
ConvertTo-SecureString -AsPlainText -Force "password"
- Named parameter form:
ConvertTo-SecureString -String "password" -AsPlainText -Force
password:
- Must be between 4 and 128 characters long.
- Must consist of alphanumeric characters and common special characters.
Revoke the secret
This detector catches generic passwords, so GitGuardian cannot infer which service is affected. To properly revoke the password:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the secret.
Examples
Examples that WILL be caught
- text: |
"MyS3cureP@ss!" | ConvertTo-SecureString -AsPlainText -Force
password: MyS3cureP@ss!
- text: |
ConvertTo-SecureString -AsPlainText -Force "MyS3cureP@ss!"
password: MyS3cureP@ss!
- text: |
ConvertTo-SecureString -String "MyS3cureP@ss!" -AsPlainText -Force
password: MyS3cureP@ss!
Examples that WILL NOT be caught
- The password is a variable reference
- text: |
$TenantId | ConvertTo-SecureString -AsPlainText -Force
- The password is a common or test value
- text: |
"test1234" | ConvertTo-SecureString -AsPlainText -Force
- The password has low entropy
- text: |
"aaaa" | ConvertTo-SecureString -AsPlainText -Force
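The following Python script is an added example that reimplements the detector logic described in the Specifications and in the two example sections above; it is not GitGuardian's own detector code. It recognises the piped, positional and -String forms, applies the 4-128 character and character-set constraints, and drops variable references, common test values and low-entropy strings. The deny list of common values, the entropy threshold of 1.5 bits per character and the exact set of "common special characters" are assumptions made for this example, since the page does not state them.

```python
"""Hypothetical re-implementation of the ConvertTo-SecureString Password detector.

Added example; thresholds and the common-value list are constructed assumptions.
"""
import math
import re
from collections import Counter
from typing import Iterator, Optional, Tuple

# A single- or double-quoted PowerShell string literal; 'pw' captures its content.
_QUOTED = r"""(?P<q>["'])(?P<pw>(?:(?!(?P=q)).)+)(?P=q)"""

# Piped form:            "password" | ConvertTo-SecureString -AsPlainText -Force
_PIPED = re.compile(_QUOTED + r"\s*\|\s*ConvertTo-SecureString\b", re.IGNORECASE)
# Named parameter form:  ConvertTo-SecureString -String "password" -AsPlainText -Force
_NAMED = re.compile(r"ConvertTo-SecureString\b.*?-String\s+" + _QUOTED, re.IGNORECASE)
# Argument form:         ConvertTo-SecureString -AsPlainText -Force "password"
_POSITIONAL = re.compile(r"ConvertTo-SecureString\b(?:\s+-\w+)*\s+" + _QUOTED, re.IGNORECASE)

# Page constraints: 4-128 characters, alphanumerics plus common special characters
# (the exact special-character set is an assumption of this example).
_ALLOWED = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+=\-\[\]{}|\\:;,.<>?/~`]{4,128}$")

# Constructed deny list of common/test values (assumption, not GitGuardian's list).
_COMMON_VALUES = {"test1234", "password", "password1", "changeme", "secret", "example", "admin"}
# Assumed threshold for the low-entropy exclusion, in bits per character.
_MIN_ENTROPY_BITS = 1.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character ("aaaa" -> 0.0)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def extract_candidate(line: str) -> Optional[str]:
    """Return the string literal handed to ConvertTo-SecureString, or None.

    Both -AsPlainText and -Force must be present, matching the patterns on the page.
    """
    if not re.search(r"-AsPlainText\b", line, re.IGNORECASE):
        return None
    if not re.search(r"-Force\b", line, re.IGNORECASE):
        return None
    for pattern in (_NAMED, _PIPED, _POSITIONAL):
        m = pattern.search(line)
        if m:
            return m.group("pw")
    return None


def detect_password(line: str) -> Optional[str]:
    """Apply the detector rules to one PowerShell line; return the password or None."""
    pw = extract_candidate(line)
    if pw is None:
        return None
    # Exclusion: the literal is really a variable or sub-expression ("$secret", "$(...)").
    if pw.startswith("$"):
        return None
    # Specification: length and character-set constraints.
    if not _ALLOWED.match(pw):
        return None
    # Exclusion: common or test value.
    if pw.lower() in _COMMON_VALUES:
        return None
    # Exclusion: low entropy.
    if shannon_entropy(pw) < _MIN_ENTROPY_BITS:
        return None
    return pw


def scan(script: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, password) for every line of a script that trips the detector."""
    for number, line in enumerate(script.splitlines(), 1):
        pw = detect_password(line)
        if pw is not None:
            yield number, pw


# Constructed sample script reusing the page's own examples.
SAMPLE_SCRIPT = """\
"MyS3cureP@ss!" | ConvertTo-SecureString -AsPlainText -Force
ConvertTo-SecureString -AsPlainText -Force "MyS3cureP@ss!"
ConvertTo-SecureString -String "MyS3cureP@ss!" -AsPlainText -Force
$TenantId | ConvertTo-SecureString -AsPlainText -Force
"test1234" | ConvertTo-SecureString -AsPlainText -Force
"aaaa" | ConvertTo-SecureString -AsPlainText -Force
"""

if __name__ == "__main__":
    for number, pw in scan(SAMPLE_SCRIPT):
        print(f"line {number}: hard-coded password {pw!r}")
```

Run as a script it reports only the first three lines of the sample, which is the split the page documents: the variable reference, the test value and the low-entropy string are extracted by the regexes but discarded by the exclusion rules in detect_password.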