Add Optional PSUseConstrainedLanguageMode rule#2165
Open
joshcorr wants to merge 13 commits intoPowerShell:mainfrom
Open
Add Optional PSUseConstrainedLanguageMode rule#2165joshcorr wants to merge 13 commits intoPowerShell:mainfrom
joshcorr wants to merge 13 commits intoPowerShell:mainfrom
Conversation
joshcorr
requested review from
a team,
bergmeister,
michaeltlombardi and
sdwheeler
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new optional ScriptAnalyzer rule (PSUseConstrainedLanguageMode) to detect PowerShell patterns that are incompatible with Constrained Language Mode (CLM), along with tests and documentation so users can opt into CLM-focused linting.
Changes:
- Added
UseConstrainedLanguageModerule implementation to detect multiple CLM-incompatible patterns, with special handling for signature blocks. - Added a comprehensive Pester test suite for the new rule.
- Added end-user documentation and new localized resource strings for diagnostics.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
Rules/UseConstrainedLanguageMode.cs |
Implements the new rule logic (CLM checks, signature-block detection, manifest checks). |
Tests/Rules/UseConstrainedLanguageMode.tests.ps1 |
Adds tests covering the new rule’s detections and signature behavior. |
docs/Rules/UseConstrainedLanguageMode.md |
Documents what the rule flags, signed vs unsigned behavior, and configuration. |
Rules/Strings.resx |
Adds diagnostic strings used by the new rule (and updates file header/encoding). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Rules/UseConstrainedLanguageMode.cs
Outdated
Comment on lines
+66
to
+69
| /// When true, ignores script signatures and runs all CLM checks regardless of signature status. | ||
| /// When false (default), scripts with valid signatures are treated as having elevated permissions | ||
| /// and only critical checks (dot-sourcing, parameter types, manifests) are performed. | ||
| /// Set to true to enforce full CLM compliance even for signed scripts. |
Comment on lines
+594
to
+598
| // Check if the variable was declared with a type constraint elsewhere | ||
| // Look for assignment statements with type constraints | ||
| var assignmentWithType = FindTypedAssignment(varExpr); | ||
| if (assignmentWithType != null) | ||
| { |
Rules/Strings.resx
Outdated
| @@ -1,17 +1,17 @@ | |||
| <?xml version="1.0" encoding="utf-8"?> | |||
| <?xml version="1.0" encoding="utf-8"?> | |||
Comment on lines
+342
to
+343
| Context "Informational severity" { | ||
| It "Should have Information severity" { |
Rules/Strings.resx
Outdated
| <value>Module manifest field '{0}' uses wildcard ('*') which is not recommended for Constrained Language Mode. Explicitly list exported items instead.</value> | ||
| </data> | ||
| <data name="UseConstrainedLanguageModeScriptModuleError" xml:space="preserve"> | ||
| <value>Module manifest field '{0}' contains script file '{1}' (.ps1). Use binary modules (.psm1 or .dll) instead for Constrained Language Mode compatibility.</value> |
|
|
||
| Use `New-Object PSObject` with `Add-Member` or hashtables instead of classes. | ||
|
|
||
| **Important**: `[PSCustomObject]@{}` syntax is NOT allowed in CLM because it uses type casting. |
Contributor
|
👋 @joshcorr, I wonder if Perhaps something like |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Summary
This PR adds a new rule PSUseConstrainedLanguageMode that identifies PowerShell patterns incompatible with Constrained Language Mode, helping developers ensure scripts work in restricted environments. This rule is a Warning, but is optional and not enabled by default.
New files:
Rules/UseConstrainedLanguageMode.cs- Implements 14 CLM restriction checksTests/Rules/UseConstrainedLanguageMode.tests.ps1- Adds 46 comprehensive testsdocs/Rules/UseConstrainedLanguageMode.md- Provides complete user documentationModified files;
Rules/strings.resx- Adds 16 new diagnostic message stringsFeatures
Detects CLM Violations:
Signature Awareness:
Array Type Support:
Configuration:
Testing:
PR Checklist
.cs,.ps1and.psm1files have the correct copyright headerWIP:to the beginning of the title and remove the prefix when the PR is ready.