We provide security updates for the following versions of the Azure Enterprise PowerShell Toolkit:
| Version | Supported |
|---------|-----------|
| 3.0.x   | Yes       |
| 2.x.x   | Yes       |
| < 2.0   | No        |
The Azure Enterprise PowerShell Toolkit team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Primary Contact: wes@wesellis.com
- Subject: [SECURITY] Azure PowerShell Toolkit Vulnerability
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact
- Any suggested fixes or mitigations
After you report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Updates: We will keep you informed of our progress throughout the investigation
- Resolution: We aim to resolve critical vulnerabilities within 30 days
Our disclosure policy:
- We request that you do not publicly disclose the vulnerability until we have had a chance to investigate and address it
- Once a fix is available, we will coordinate the disclosure timeline with you
- We will credit you in our security advisory (unless you prefer to remain anonymous)
When using the Azure Enterprise PowerShell Toolkit:
- Keep Scripts Updated: Always use the latest version of scripts
- Review Before Execution: Understand what a script does before running it
- Secure Credentials: Never hardcode credentials in scripts
- Use Secure Methods: Utilize Azure Key Vault, Managed Identities, or secure credential storage
- Principle of Least Privilege: Run scripts with minimal required permissions
- Audit Logging: Enable logging for all script executions in production
When contributing to the Azure Enterprise PowerShell Toolkit:
- No Hardcoded Secrets: Never commit credentials, API keys, or secrets
- Input Validation: Always validate user inputs and parameters
- Error Handling: Implement proper error handling to prevent information disclosure
- Secure Defaults: Use secure default configurations
- Dependencies: Keep dependencies updated and scan for vulnerabilities
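The following script skeleton is an added example and is not part of the toolkit's own code. It shows several of the practices above together: no credentials in the script (it authenticates with the host's Managed Identity and reads the secret it needs from Azure Key Vault at runtime), validation on every parameter, a transcript for audit logging, and a catch block that logs a sanitized message rather than the raw exception. The parameter names, the vault and secret names, the Reader role assignment mentioned in the comments, and the storage-account lookup are all assumptions made for the example.

```powershell
<#
Added example (not toolkit code): a script skeleton that follows the practices above.
- No credentials in the script: it signs in as the Managed Identity of the host it runs on
  and reads the secret it needs from Azure Key Vault at runtime.
- Input validation on every parameter.
- Error handling that logs a sanitized message instead of the raw exception, which can
  contain request URIs, tokens, or connection strings.
The vault name, secret name, and resource names are placeholders supplied by the caller.
#>
[CmdletBinding()]
param(
    # Resource names are restricted to the characters Azure allows for each resource type.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9._()-]{1,90}$')]
    [string]$ResourceGroupName,

    [Parameter(Mandatory)]
    [ValidatePattern('^[a-z0-9]{3,24}$')]
    [string]$StorageAccountName,

    # Key Vault and secret names (placeholders), validated against Azure naming rules.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$')]
    [string]$KeyVaultName,

    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9-]{1,127}$')]
    [string]$SecretName,

    # Transcript path for audit logging of this execution.
    [ValidateNotNullOrEmpty()]
    [string]$LogPath = (Join-Path $env:TEMP "toolkit-$(Get-Date -Format yyyyMMdd-HHmmss).log")
)

$ErrorActionPreference = 'Stop'
Start-Transcript -Path $LogPath -Append | Out-Null

try {
    # Authenticate as the Managed Identity assigned to this VM, Automation account, or Function.
    # No secret is passed here; the token comes from the platform's identity endpoint.
    $null = Connect-AzAccount -Identity

    # Fetch the secret only when it is needed and keep it as a SecureString so it never lands in the log.
    $secret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName
    if (-not $secret) { throw "Secret '$SecretName' was not found in vault '$KeyVaultName'." }

    # Least privilege (assumption for this example): this lookup needs only the Reader role on the
    # storage account, so the identity should hold exactly that role. Document it in the script header.
    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    Write-Output "Storage account '$($account.StorageAccountName)' is in region $($account.Location)."

    # ... pass $secret.SecretValue (a SecureString) to the cmdlet that needs it ...
}
catch {
    # Sanitized error: only the exception type and a fixed message are logged. The raw message,
    # which may echo request URIs, tokens, or secret material, is deliberately not written out.
    $type = $_.Exception.GetType().Name
    Write-Error "Operation failed ($type). Check the identity's role assignments and the vault's access policy."
    exit 1
}
finally {
    # Clean up: drop the in-memory secret and close the transcript.
    if ($secret) { Remove-Variable -Name secret -Force -ErrorAction SilentlyContinue }
    Stop-Transcript | Out-Null
}
```

Run it from a host that has a system- or user-assigned Managed Identity with `get` permission on the vault's secrets; nothing in the script or its transcript needs to be protected as a credential, because the only long-lived secret lives in Key Vault.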
The repository includes several security measures:
- Secrets Detection: GitLeaks scans for accidentally committed secrets
- Dependency Scanning: Regular checks for vulnerable dependencies
- Code Analysis: Static analysis for security anti-patterns
- PSScriptAnalyzer: Enforces secure PowerShell coding practices
- Code Review: All changes require review before merging
- Testing: Comprehensive testing including security test cases
- Branch Protection: Main branch requires reviews and status checks
- Signed Commits: Contributors are encouraged to sign commits
- Release Management: Controlled release process with security validation
Authentication:
- Scripts use Azure PowerShell modules for authentication
- Supports Azure AD, Service Principals, and Managed Identities
- No credentials are stored in the repository
Permissions:
- Scripts require appropriate Azure RBAC permissions
- Follow principle of least privilege
- Document required permissions in script headers
Data handling:
- Scripts may process sensitive Azure configuration data
- No data is transmitted outside Azure environments
- Local temporary files are cleaned up appropriately
Security updates will be:
- Documented in the CHANGELOG.md
- Tagged with appropriate version bumps
- Announced through GitHub releases
- Communicated via security advisories when applicable
For general security questions or concerns:
- Email: wes@wesellis.com
- Create a GitHub issue (for non-sensitive topics only)
For urgent security matters, please use the vulnerability reporting process described above.
Last Updated: September 19, 2025
Security Policy Version: 1.0