Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rhymeswithmogul/SecurityTxtToolkit

A PowerShell module for generating and parsing "security.txt" files.
https://github.com/rhymeswithmogul/SecurityTxtToolkit

pgp-signature powershell powershell-adminscripts powershell-cmdlets powershell-core powershell-gallery powershell-module powershell-modules pwsh rfc-9116 security security-audit security-automation security-scan security-scanner security-team security-testing security-tools security-txt securitytxt

Last synced: 3 months ago
JSON representation

A PowerShell module for generating and parsing "security.txt" files.

Awesome Lists containing this project

README

        

[![PowerShell Gallery Version (including pre-releases)](https://img.shields.io/powershellgallery/v/SecurityTxtToolkit?include_prereleases)](https://powershellgallery.com/packages/SecurityTxtToolkit/) [![PowerShell Gallery](https://img.shields.io/powershellgallery/dt/SecurityTxtToolkit)](https://powershellgallery.com/packages/v/SecurityTxtToolkit) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/16e09f22dcf9463e8e6ceb5a187432f2)](https://app.codacy.com/gh/rhymeswithmogul/SecurityTxtToolkit/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)

# SecurityTxtToolkit

## DOWNLOAD IT!
[It's in the PowerShell Gallery now!](https://www.powershellgallery.com/packages/SecurityTxtToolkit/)
```powershell
Install-Module SecurityTxtToolkit
```

## SHORT DESCRIPTION
SecurityTxtToolkit is a module that works with "security.txt" files, as defined in RFC 9116.

## LONG DESCRIPTION
SecurityTxtToolkit is a PowerShell module. It can create, download, test, and verify "security.txt" files.

"security.txt" is an RFC for letting web sites post and share information pertinent to security researchers. This module currently complies with draft version 12.

### Testing "security.txt" Files with `Test-SecurityTxtFile`
To test a "security.txt" file, use the cmdlet `Test-SecurityTxtFile`. It can be used in both online and offline modes. It outputs a `PSCustomObject` that has note-properties corresponding to the fields in the "security.txt" file:

```powershell
PS C:\> Test-SecurityTxtFile 'github.com'
```

As of this writing (June 2021), that will generate the following output:
```
Test-SecurityTxtFile: The mandatory Expires field was not found.

For : github.com
IsValid : False
IsCanonical : True
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
```

It looks like GitHub's "security.txt" file is not compliant with the specification (at the time of this writing)!

The `Test-SecurityTxtFile` cmdlet also accepts string input via `-InputObject` or the pipeline:
```powershell
PS C:\> Get-Content "security.txt" | Test-SecurityTxtFile
```

That will test the file and validate its input:
```
For : stdin
IsValid : False
IsCanonical : False
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
```

However, that cannot be validated for canonicity. In this case, you can add the file's original URL to the cmdlet with the `-TestCanonicalUri` parameter:
```powershell
PS C:\> Invoke-WebRequest -OutFile 'security.txt' -Uri 'https://github.com/.well-known/security.txt'

PS C:\> Get-Content 'security.txt' | Test-SecurityTxtFile -TestCanonicalUri 'https://github.com/.well-known/security.txt'
```

The latter command will parse the previously-downloaded "security.txt" file as if it had been fetched directly from a web server:
```
For : stdin
IsValid : False
IsCanonical : True
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
```

### Generating Your Own "security.txt" Files
The `New-SecurityTxtFile` cmdlet will generate a "security.txt" file, sending its output to the pipeline. You may redirect it via standard means, or with the `-OutFile` parameter. The fields in the "security.txt" specification correspond to this cmdlet's parameters.
```powershell
PS C:\> New-SecurityTxtFile -OutFile '.well-known/security.txt' -Canonical "https://contoso.com/.well-known/security.txt" -Contact "mailto:[email protected]" -Hiring "https://jobs.contoso.com"
```

That example will genereate the following output. The Expires field and PGP signature will vary:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# This is a "security.txt" file that complies with RFC 9116:
#
#
# This file was made with SecurityTxtToolkit:
#

Canonical: https://contoso.com/.well-known/security.txt
Contact: mailto:[email protected]
Expires: 2022-06-18T16:41:06-04:00
Hiring: https://jobs.contoso.com/

-----BEGIN PGP SIGNATURE-----

signature-goes-here
-----END PGP SIGNATURE-----
```

## SEE ALSO
For more information about "security.txt" files in general, the creators of the specification, Edwin "EdOverflow" Foudil and Yakov Shafranovich, have a web page at https://securitytxt.org. This module might be listed on their web site, but I'm not affiliated with them.

Why not read [my article about this](https://colincogle.name/blog/security-txt) to see it in action?