> ## Documentation Index
> Fetch the complete documentation index at: https://tally.wharflab.com/llms.txt
> Use this file to discover all available pages before exploring further.

# powershell/PSAvoidUsingConvertToSecureStringWithPlainText

> Avoid Using SecureString With Plain Text

`powershell/PSAvoidUsingConvertToSecureStringWithPlainText` is a PSScriptAnalyzer diagnostic emitted by tally for PowerShell snippets embedded in
Dockerfiles.

| Property | Value            |
| -------- | ---------------- |
| Severity | Error            |
| Category | PSScriptAnalyzer |
| Auto-fix | No               |

## Description

The use of the `AsPlainText` parameter with the `ConvertTo-SecureString` command can expose secure
information.

## How

Use a standard encrypted variable to perform any SecureString conversions.

## Recommendations

If you do need an ability to retrieve the password from somewhere without prompting the user,
consider using the
[SecretStore](https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretStore)
module from the PowerShell Gallery.

## Examples

### Problematic code

```powershell theme={null}
$UserInput = Read-Host 'Please enter your secure code'
$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
```

### Correct code

```powershell theme={null}
$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString
```

## Source

This rule documentation is adapted from Microsoft's PSScriptAnalyzer documentation for
[AvoidUsingConvertToSecureStringWithPlainText](https://github.com/MicrosoftDocs/PowerShell-Docs-Modules/blob/main/reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingConvertToSecureStringWithPlainText.md),
licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
