POWERSHELL 7.4+ SCRIPT REVIEW

Check scripts
before you run them.

PSRafScan reviews AI-generated and user-written PowerShell scripts for parser errors, unsafe operations, hidden failures, and terminal-paste traps.

Runs on Windows, macOS, and Linux · MIT licensed · No external module dependency

PSRafScan ResultsSCAN COMPLETE
CommandRSX -Path .\script.ps1 -IntendedUse Ps1File -FailOn Warning
PSRafScan 0.2.0-alpha1NATIVE ENGINE

PowerShell Script Check Report

Scanning .\script.ps1

1 file scanned, 1 finding

SUMMARY0 Error1 Warning0 Information
SeverityFindingLocation
WarningSilentErrorActionLine 18
ISSUE

-ErrorAction SilentlyContinue can hide failures that should be handled.

FIX

Prefer -ErrorAction Stop with a meaningful catch block, or record the skipped error.

58Built-in rules
67Self-test cases
2Intended-use modes
0External module dependencies

ANALYSIS MODEL

Two analysis layers. One clear decision.

PSRafScan reads the target script without intentionally executing it. The selected FailOn threshold turns review findings into a dependable pass or fail result.

01PARSE

Native parser

PowerShell parser findings surface syntax errors before deeper review begins.

Source: Parser
02INSPECT

PSRafScan rules

Built-in rules inspect safety, correctness, portability, credentials, Git, and paste behavior.

Source: CustomRule
03DECIDE

Actionable report

Every finding identifies the triggering text, explains the issue, and gives a direct fix.

Plain text or JSON
ACCEPTANCE LOOP FOR AI-GENERATED POWERSHELL

Let the script prove it is ready.

Run PSRafScan, fix every finding at the chosen threshold, and scan again before the final script is delivered.

  1. 1WRITECandidate script
  2. 2SCANRSX gate
  3. 3FIXIssue + fix
  4. 4REPEATUntil pass

EXECUTION CONTEXT

Review the script for how it will run.

PowerShell that works as a saved file can fail when pasted into a live terminal. IntendedUse lets PSRafScan apply the right checks.

MODE 01PASTE-SENSITIVE

TerminalPaste

For code copied directly into a live PowerShell 7 terminal. This mode catches console-sensitive patterns that may parse differently, pause unexpectedly, or rely on saved-file context.

  • Top-level param() and #requires
  • $PSScriptRoot and $PSCommandPath
  • Continuation blocks and fragile backticks
  • Prompt text and Markdown fence lines
RSX -Path .\candidate.ps1 -IntendedUse TerminalPaste
MODE 02SAVED SCRIPT

Ps1File

For code saved and executed as a .ps1 file. Normal script-file concepts remain available, and PSRafScan concentrates on parser, correctness, safety, and maintenance findings.

  • Normal param() blocks
  • #requires declarations
  • $PSScriptRoot and $PSCommandPath
  • Plain-text or JSON reporting
RSX -Path .\candidate.ps1 -IntendedUse Ps1File

BUILT-IN CATALOG

Search the checks that guard your script.

The current source snapshot contains 58 PSRafScan-owned rules across safety, correctness, portability, credential, output, privilege, and automation categories.

Severity
Showing 12 of 12 featured rules58 built-in rules in the current source snapshot
ErrorPasteSafety

BacktickContinuation

Flags fragile backtick line continuations that can break during copy and paste.

#backtick#line-continuation
ErrorGitSafety

GitForcePush

Finds git push --force operations that can overwrite remote history.

#git#remote-history
WarningPortability

HardcodedOneDrivePath

Finds OneDrive paths that can fail for another user, sandbox, or sync state.

#path#onedrive
WarningAutomationSafety

InteractivePrompt

Finds commands that may stop automation and wait for interactive input.

#read-host#interactive
WarningPrivilege

LikelyRequiresAdministrator

Calls out operations that probably require an Administrator session.

#administrator#elevation
ErrorPasteSafety

MarkdownCodeFence

Finds raw Markdown fence lines accidentally placed in executable code.

#markdown#code-fence
WarningCorrectness

NativeExitCodeNotChecked

Finds native commands whose exit status is not checked before continuing.

#native-command#exit-code
WarningCredentialSafety

PlainTextPasswordParameter

Finds password-like parameters modeled as plain strings.

#credentials#secret
ErrorFileSystemSafety

RecursiveForceDelete

Finds recursive forced deletes that lack a safety guard.

#delete#recursive
WarningErrorHandling

SilentErrorAction

Flags SilentlyContinue when it can hide a failure that should be handled.

#error-action#hidden-failure
WarningSystemSafety

SystemConfigurationCommand

Calls out commands that commonly change system configuration.

#configuration#privilege
WarningCorrectness

UnknownCommand

Finds commands that are not recognized in the current PowerShell 7 environment.

#command-resolution#correctness
FULL CATALOG FROM POWERSHELL

Search the complete catalog by rule name, category, type, severity, tag, intended use, alias, or free text.

Get-PSRafScanRule -Search password
EXTEND PSRAFSCAN

Create your own rules and rule self-tests.

Use the included templates to extend PSRafScan for your own standards, then follow the authoring guide to define metadata, expected findings, positive cases, and false-positive regression tests.

OPEN AUTHORING GUIDE ↗

COMMAND INTERFACE

One short command. Predictable results.

Invoke-PSRafScan is the primary command. RSX is the short alias for terminal use, automation, and acceptance loops.

INTERACTIVE

Open the guided terminal workflow.

RSX
SAVED SCRIPT

Review a .ps1 file and fail on warnings or errors.

RSX -Path ".\script.ps1" -IntendedUse Ps1File -FailOn Warning
TERMINAL PASTE

Apply the paste-safety checks before copying code into PS7.

RSX -Path ".\candidate.ps1" -IntendedUse TerminalPaste -FailOn Warning
JSON

Write structured output for automation and AI tools.

RSX -Path ".\script.ps1" -OutputFormat Json -OutputPath ".\result.json"
NO FLAGS REQUIRED

The guided terminal workflow

Run RSX by itself for a guided path through source selection, intended use, failure threshold, report format, and export.

  1. 01Select inputClipboard or .ps1 file
  2. 02Choose contextTerminalPaste or Ps1File
  3. 03Set the gateAny, Warning, Error, or None
  4. 04Review outputPlain text or JSON

INSTALL PSRAFSCAN

Start with PowerShell 7.4 or newer.

Download the release ZIP, extract the PSRafScan module folder, and place it in a PowerShell module path. No external PowerShell module is required.

Open GitHub releases
WINDOWS USER MODULE PATH$HOME\Documents\PowerShell\Modules
MACOS / LINUX USER MODULE PATH$HOME/.local/share/powershell/Modules
VERIFY THE INSTALLPS 7.4+
Import-Module PSRafScan
Get-Command RSX
RSX -SelfTest

PROJECT DOCUMENTATION

Go from first scan to rule authoring.

The documentation follows the same structure as the tool: direct commands, explicit contexts, searchable metadata, and verifiable self-tests.