Skip to main content
powershell/PSAvoidUsingConvertToSecureStringWithPlainText is a PSScriptAnalyzer diagnostic emitted by tally for PowerShell snippets embedded in Dockerfiles.

Description

The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.

How

Use a standard encrypted variable to perform any SecureString conversions.

Recommendations

If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the SecretStore module from the PowerShell Gallery.

Examples

Problematic code

Correct code

Source

This rule documentation is adapted from Microsoft’s PSScriptAnalyzer documentation for AvoidUsingConvertToSecureStringWithPlainText, licensed under CC BY 4.0.