
Rule request: AvoidRuleSuppression #2118

@iRon7

Description

Use case:

We are running GitLab Code Quality reports in our pipeline based on the PSScriptAnalyzer results by translating the PSScriptAnalyzer severity results to a Code Quality severity.
But it appears that engineers might unnoticeably take the easy road by simply suppressing rules rather than investing time in improving the code (and going through the whole test process, etc.).
Meaning, only scripts that pass PSScriptAnalyzer and that do not have any suppression rules should actually get an empty severity level.

Request:

Add a (disabled) information rule to "avoid rule suppression"

Notes:
To prevent that the AvoidRuleSuppression rule (once enabled) could be suppressed itself, it might be considered to give it a RuleName that can't be used for suppression (e.g. based on a guid, see also StackOverflow: Bypass PSScriptAnalyzer (self) suppression).

PowerShell based prototype
#Requires -Version 3.0

using namespace System.Management.Automation.Language

function Measure-AvoidRuleSuppression {
<#
    .SYNOPSIS
    Avoid rule suppression

    .DESCRIPTION
    Scripts that suppress rules should not be left unnoticed.

    .INPUTS
    [System.Management.Automation.Language.ScriptBlockAst]

    .OUTPUTS
    [Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord]

    .LINK
    https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md
#>

    [CmdletBinding()]
    [OutputType([Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord])]
    Param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ScriptBlockAst]
        $ScriptBlockAst
    )
    Process {
        [ScriptBlock]$Predicate = {
            Param ([Ast]$Ast)
            # Resolve the attribute's type rather than comparing the literal type name, so that the
            # short forms [Diagnostics.CodeAnalysis.SuppressMessageAttribute()] and [SuppressMessage()]
            # are matched as well as the fully qualified System.Diagnostics.CodeAnalysis form.
            (
                $Ast -is [AttributeAst] -and
                $Ast.TypeName.GetReflectionAttributeType() -eq [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute]
            )
        }
        $Violations = $ScriptBlockAst.FindAll($Predicate, $False)
        Foreach ($Violation in $Violations) {
            $Extent = $Violation.Extent
            [Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord]@{
                Message              = "Avoid rule suppression: $Extent"
                Extent               = $Extent
                RuleName             = 'PSAvoidRuleSuppression ' + [Guid]::NewGuid().Guid
                Severity             = 'Information'
                RuleSuppressionID    = $null
            }
        }
    }
}
Export-ModuleMember -Function Measure-*
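The following is an added example, not part of the issue or of the PSScriptAnalyzer project, showing how the prototype above would be run as a custom rule in the GitLab pipeline described in the use case and how its DiagnosticRecords could be translated into a GitLab Code Quality report. It assumes the prototype is saved as `.\AvoidRuleSuppression.psm1` (path is an assumption), that the PSScriptAnalyzer module is installed, and a severity mapping (Error/ParseError to critical, Warning to major, Information to minor) that is a choice for this example rather than anything the issue specifies. The sample script it analyses is constructed inline.

```powershell
#Requires -Version 5.1
# Added example (not from the issue): run the prototype AvoidRuleSuppression rule as a custom
# PSScriptAnalyzer rule over a constructed sample script and write a GitLab Code Quality report.
Import-Module PSScriptAnalyzer -ErrorAction Stop

# Path to the prototype module from the issue (assumption: saved under this name).
$CustomRulePath = '.\AvoidRuleSuppression.psm1'

# Constructed sample script: a harmless function that suppresses a built-in rule,
# which is exactly the pattern the rule is meant to surface.
$SampleScript = @'
function Get-Things {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')]
    param()
    'thing'
}
'@
$SamplePath = Join-Path ([IO.Path]::GetTempPath()) 'Sample.ps1'
Set-Content -Path $SamplePath -Value $SampleScript -Encoding UTF8

# Severity mapping for this example (assumption; choose what fits your pipeline).
$SeverityMap = @{ ParseError = 'critical'; Error = 'critical'; Warning = 'major'; Information = 'minor' }

$Records = Invoke-ScriptAnalyzer -Path $SamplePath -CustomRulePath $CustomRulePath -IncludeDefaultRules

$Report = foreach ($Record in $Records) {
    # The prototype appends a fresh GUID to its RuleName on every run, so the check name and
    # fingerprint are derived from the rule family (text before the first space) instead;
    # GitLab needs a stable fingerprint to tell new findings from existing ones.
    $RuleFamily = ($Record.RuleName -split ' ')[0]
    $Sha = [Security.Cryptography.SHA256]::Create()
    $Bytes = [Text.Encoding]::UTF8.GetBytes("$RuleFamily|$($Record.ScriptName)|$($Record.Line)|$($Record.Message)")
    $Fingerprint = -join ($Sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') })
    [PSCustomObject]@{
        description = $Record.Message
        check_name  = $RuleFamily
        fingerprint = $Fingerprint
        severity    = $SeverityMap[[string]$Record.Severity]
        location    = @{ path = $Record.ScriptName; lines = @{ begin = $Record.Line } }
    }
}

# GitLab expects a JSON array even when there is a single finding.
ConvertTo-Json -InputObject @($Report) -Depth 4 | Set-Content -Path 'gl-code-quality-report.json' -Encoding UTF8
```

Because the prototype emits Information severity, a script that merely suppresses a rule is reported as `minor`, while scripts with no findings at all produce an empty array, which is the "empty severity level" the use case asks for. Deriving the fingerprint from the rule family rather than the full RuleName keeps the GUID trick from the notes (which defeats self-suppression) from also defeating GitLab's diffing between pipeline runs.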