
Use case:
We are running GitLab Code Quality reports in our pipeline based on the PSScriptAnalyzer results by translating the PSScriptAnalyzer severity results to a Code Quality severity. But it appears that engineers might simply take the easy way by suppressing rules rather than investing time in improving the code (and going through the whole process of retesting etc.).
For this I created a PSAvoidRuleSuppression "Information" rule so that any rule suppression might pass through but won't go unnoticed:

using namespace System.Management.Automation.Language

# Custom PSScriptAnalyzer rules are exported Measure-* functions that receive the
# script's AST and return DiagnosticRecord objects.
function Measure-AvoidRuleSuppression {
    [CmdletBinding()]
    [OutputType([Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord])]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ScriptBlockAst]
        $ScriptBlockAst
    )
    process {
        # Match every SuppressMessageAttribute in the script; $true also searches nested
        # script blocks, so attributes on functions defined in the script are found too.
        [ScriptBlock]$Predicate = {
            param ([Ast]$Ast)
            $Ast -is [AttributeAst] -and
            $Ast.TypeName.FullName -eq 'System.Diagnostics.CodeAnalysis.SuppressMessageAttribute'
        }
        $Violations = $ScriptBlockAst.FindAll($Predicate, $true)
        foreach ($Violation in $Violations) {
            $Extent = $Violation.Extent
            # The first positional argument of SuppressMessageAttribute names the suppressed rule.
            $SuppressedRule = $Violation.PositionalArguments | Select-Object -First 1
            # In case the suppression is for the rule itself, we want to mark it as an error.
            $Severity = if ($SuppressedRule -is [StringConstantExpressionAst] -and
                            $SuppressedRule.Value -eq 'PSAvoidRuleSuppression') {
                'Error'
            } else {
                'Information'
            }
            [Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord]@{
                Message           = "Avoid rule suppression: $Extent"
                Extent            = $Extent
                RuleName          = 'PSAvoidRuleSuppression'
                Severity          = $Severity
                RuleSuppressionID = $null
            }
        }
    }
}
Export-ModuleMember -Function Measure-*

This rule works well, but there is a hole in it: script authors might simply suppress the rule itself like:

[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidRuleSuppression', '')]
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '')]
Param()
Write-Host 'Test'

One way around this is to create a unique rule name, e.g.

RuleName = 'PSAvoidRuleSuppression ' + [Guid]::NewGuid().Guid

But I would rather raise the severity to Error (in the case of a "self-suppression"), as shown in the rule definition above, as that would result in a Code Quality blocker in our GitLab pipeline.
Unfortunately, it appears not to work that way, as the rule is already suppressed before it can be evaluated by PowerShell.
Is there any way to work around this?

asked Aug 13, 2025 at 9:52
  • "But it appears that engineers might simply take the easy way by suppressing rules rather than investigating" - cultural problems require cultural solutions, not technical ones. Talk to your engineers :) Commented Aug 13, 2025 at 14:31
  • @MathiasR.Jessen, "cultural problems require cultural solutions, not technical ones", I am not sure what to think about that statement and won't apply it too generally, as I think that it will only work in a perfect world where there aren't any conflicts of interest. Taking this to an extreme: hacking is a cultural problem, and I don't think anyone can resolve this with a cultural "please stop hacking" solution. I would rather state: cultural problems should be prevented in any way, including technically, as e.g. with Injection Hunter rules that shouldn't be unnoticeably suppressed. Commented Aug 13, 2025 at 15:21
  • Ultimately this sounds like a situation involving walls and ladders. Commented Aug 13, 2025 at 19:11
  • What about failing the pipeline in case any suppressions are found? :D Something like this: gci -Filter *.ps1 -Recurse | where { Select-String $_ -Pattern SuppressMessageAttribute } | %{ Write-Error "AHA! do not suppress my rules here $_" -ErrorAction Continue } Commented Aug 17, 2025 at 7:30
  • Another idea: the code above you can wrap in Pester and fail CI with a cool error message instead :) Commented Aug 17, 2025 at 11:11
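The rule in the question cannot see a suppression aimed at itself because PSScriptAnalyzer honours SuppressMessageAttribute before the rule runs, and the comments suggest a separate pipeline check as a way out. The script below is an added example, not code from the question, the commenters or PSScriptAnalyzer, that combines both ideas: it parses each file's AST outside the analyzer (so no attribute can switch it off), classifies a suppression of the PSAvoidRuleSuppression rule as a blocker and any other suppression as info, writes the findings in GitLab's Code Quality JSON format, and fails the job when a blocker is present. The function names, the report file name and the sample script at the end are assumptions constructed for the example.

```powershell
# Added example, not code from the question or from PSScriptAnalyzer.
# Standalone suppression gate: inspects the AST outside the analyzer, so a
# SuppressMessageAttribute cannot switch it off before it runs.
using namespace System.Management.Automation.Language

function Get-Fingerprint([string] $Text) {
    # Stable SHA-256 hex string; GitLab Code Quality needs a unique fingerprint per finding.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function Find-RuleSuppression {
    # Returns one GitLab Code Quality record per SuppressMessageAttribute in $ScriptText.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ScriptText,
        [Parameter(Mandatory)] [string] $Path,              # repo-relative path used in the report
        [string] $SelfRuleName = 'PSAvoidRuleSuppression'   # rule name taken from the question
    )
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, $Path, [ref] $tokens, [ref] $errors)

    # Resolve the attribute type so short forms such as [SuppressMessage(...)] are caught too.
    $attributes = $ast.FindAll({
        param ([Ast] $node)
        $node -is [AttributeAst] -and
        $node.TypeName.GetReflectionAttributeType() -eq [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute]
    }, $true)

    foreach ($attr in $attributes) {
        # First positional argument = the rule being suppressed (empty if not a string literal).
        $first  = $attr.PositionalArguments | Select-Object -First 1
        $target = if ($first -is [StringConstantExpressionAst]) { $first.Value } else { '' }
        $line   = $attr.Extent.StartLineNumber
        # Suppressing the suppression check itself is the case the analyzer rule cannot see.
        $severity = if ($target -eq $SelfRuleName) { 'blocker' } else { 'info' }
        [pscustomobject]@{
            description = "Rule suppression of '$target': $($attr.Extent.Text)"
            check_name  = $SelfRuleName
            fingerprint = (Get-Fingerprint "$Path|$line|$($attr.Extent.Text)")
            severity    = $severity
            location    = @{ path = $Path; lines = @{ begin = $line } }
        }
    }
}

function Invoke-SuppressionGate {
    # Scans a checkout, writes the Code Quality report and fails the job on any blocker.
    param (
        [string] $Root = '.',
        [string] $ReportPath = 'gl-code-quality-suppressions.json'   # assumed artifact name
    )
    $rootPath = (Resolve-Path -LiteralPath $Root).Path
    $findings = @(Get-ChildItem -LiteralPath $rootPath -Recurse -Include *.ps1, *.psm1 |
        Where-Object Length -gt 0 |      # skip empty files, which would yield a null script text
        ForEach-Object {
            $relative = $_.FullName.Substring($rootPath.Length).TrimStart('\', '/') -replace '\\', '/'
            Find-RuleSuppression -ScriptText (Get-Content -Raw -LiteralPath $_.FullName) -Path $relative
        })
    # -InputObject keeps a JSON array even for zero or one finding, as the report format requires.
    ConvertTo-Json -InputObject $findings -Depth 5 | Set-Content -LiteralPath $ReportPath -Encoding utf8

    $blockers = @($findings | Where-Object severity -eq 'blocker')
    foreach ($b in $blockers) {
        Write-Warning "$($b.location.path):$($b.location.lines.begin) $($b.description)"
    }
    if ($blockers.Count -gt 0) {
        throw "Found $($blockers.Count) suppression(s) of the suppression check itself; failing the job."
    }
    return $findings
}

# Constructed sample: the self-suppression pattern from the question, parsed in memory.
$sample = @'
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidRuleSuppression', '')]
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '')]
Param()
Write-Host 'Test'
'@
Find-RuleSuppression -ScriptText $sample -Path 'sample.ps1' |
    Format-Table severity, description -AutoSize
```

In a GitLab job, run Invoke-SuppressionGate from the repository root and declare the report file as a codequality artifact; the analyzer's own DiagnosticRecord translation can keep running alongside it, since this gate reads the source files directly and is unaffected by any suppression the analyzer applies.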
