Vulnerability Assessment and Secure coding practises

[roze26]

This is such a wonderful tool and I want to get dbatools approved for use within my organisation. But a lot of stumbling blocks with security team. Any vulnerability assessments done for dbatools? Is it possible to get a copy of a vulnerability assessment report of the product. Any document or details of compliance to Secure coding practises would be appreciated.

[niphlod]

Hi, did you look at https://dbatools.io/secure/ ?

[roze26]

Thanks, I had a look at that.
I like that it is code-signed with limited permissions to merge and manageable code base etc, those details do help. I am looking for any vulnerability assessments that the product have undertaken.

[niphlod]

not that I'm aware of, but what are you looking for in terms of vulnerability assessment of the code ? We basically wrap Microsoft SMO 95% if the time, so if that is not vulnerable, dbatools is not. All permissions are managed either by Powershell best practices (when working on resources outside the sql instance) or delegated to sql itself. We do not store credentials and go with integrated auth by default, allowing specific credentials to be passed in (but when they do, they're wrapped in a PSCredential object, which is the best practice by Powershell to avoid leakage).

[wsmelton]

There are no vulnerability assessments done by the maintainers or GitHub because the tooling doesn't support the PowerShell language. The project is open sourced so if the auditing or security teams require the code to be scanned, they are welcomed to pull it down and do that...it is public accessible after all.