PSRafScan Security and Safe-Use Boundaries
Understand PSRafScan's nonexecution boundary, static-analysis limits, safe handling of scripts and reports, and the current public security reporting route.
Nonexecution boundary
PSRafScan reads source, calls the native PowerShell parser, evaluates its own static rules, and formats findings without intentionally invoking the scanned target. That source boundary is important, but it does not turn PSRafScan into a sandbox or establish that a target is safe.
Static-analysis limits
- Rules cover defined patterns, not every possible defect or malicious behavior.
- A passing threshold does not establish runtime correctness or trustworthy intent.
- Environmental dependencies, permissions, credentials, external systems, race conditions, and real side effects require separate review and controlled testing.
- Reports can include source text and local paths and should be handled as potentially sensitive.
Report a vulnerability
The current public Security Policy directs vulnerability reports to GitHub Security Advisories. Use the repository's private vulnerability-reporting flow when available to the reporting account.
- Include the affected version.
- Provide minimal reproduction steps and expected versus observed behavior.
- Remove credentials, tokens, customer data, and unrelated source.
- Do not publish an unpatched vulnerability through a public issue.