Skip to content

rhymeswithmogul/SecurityTxtToolkit

Repository files navigation

PowerShell Gallery Version (including pre-releases) PowerShell Gallery Codacy Badge

SecurityTxtToolkit

DOWNLOAD IT!

It's in the PowerShell Gallery now!

Install-Module SecurityTxtToolkit

SHORT DESCRIPTION

SecurityTxtToolkit is a module that works with "security.txt" files, as defined in RFC 9116.

LONG DESCRIPTION

SecurityTxtToolkit is a PowerShell module. It can create, download, test, and verify "security.txt" files.

"security.txt" is an RFC for letting web sites post and share information pertinent to security researchers. This module currently complies with draft version 12.

Testing "security.txt" Files with Test-SecurityTxtFile

To test a "security.txt" file, use the cmdlet Test-SecurityTxtFile. It can be used in both online and offline modes. It outputs a PSCustomObject that has note-properties corresponding to the fields in the "security.txt" file:

PS C:\> Test-SecurityTxtFile 'github.com'

As of this writing (June 2021), that will generate the following output:

Test-SecurityTxtFile: The mandatory Expires field was not found.

For                : github.com
IsValid            : False
IsCanonical        : True
Acknowledgements   : {https://bounty.github.com/bounty-hunters.html}
Canonical          : {https://github.com/.well-known/security.txt}
Contact            : {https://hackerone.com/github}
Encryption         : {}
Expires            :
Hiring             : {}
Policy             : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned           : False

It looks like GitHub's "security.txt" file is not compliant with the specification (at the time of this writing)!

The Test-SecurityTxtFile cmdlet also accepts string input via -InputObject or the pipeline:

PS C:\> Get-Content "security.txt" | Test-SecurityTxtFile

That will test the file and validate its input:

For                : stdin
IsValid            : False
IsCanonical        : False
Acknowledgements   : {https://bounty.github.com/bounty-hunters.html}
Canonical          : {https://github.com/.well-known/security.txt}
Contact            : {https://hackerone.com/github}
Encryption         : {}
Expires            :
Hiring             : {}
Policy             : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned           : False

However, that cannot be validated for canonicity. In this case, you can add the file's original URL to the cmdlet with the -TestCanonicalUri parameter:

PS C:\> Invoke-WebRequest -OutFile 'security.txt' -Uri 'https://github.com/.well-known/security.txt'

PS C:\> Get-Content 'security.txt' | Test-SecurityTxtFile -TestCanonicalUri 'https://github.com/.well-known/security.txt'

The latter command will parse the previously-downloaded "security.txt" file as if it had been fetched directly from a web server:

For                : stdin
IsValid            : False
IsCanonical        : True
Acknowledgements   : {https://bounty.github.com/bounty-hunters.html}
Canonical          : {https://github.com/.well-known/security.txt}
Contact            : {https://hackerone.com/github}
Encryption         : {}
Expires            :
Hiring             : {}
Policy             : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned           : False

Generating Your Own "security.txt" Files

The New-SecurityTxtFile cmdlet will generate a "security.txt" file, sending its output to the pipeline. You may redirect it via standard means, or with the -OutFile parameter. The fields in the "security.txt" specification correspond to this cmdlet's parameters.

PS C:\> New-SecurityTxtFile -OutFile '.well-known/security.txt' -Canonical "https://contoso.com/.well-known/security.txt" -Contact "mailto:security@contoso.com" -Hiring "https://jobs.contoso.com"

That example will genereate the following output. The Expires field and PGP signature will vary:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# This is a "security.txt" file that complies with RFC 9116:
# <https://www.rfc-editor.org/rfc/rfc9116>
#
# This file was made with SecurityTxtToolkit:
# <https://github.com/rhymeswithmogul/SecurityTxtToolkit>

Canonical: https://contoso.com/.well-known/security.txt
Contact: mailto:security@contoso.com
Expires: 2022-06-18T16:41:06-04:00
Hiring: https://jobs.contoso.com/

-----BEGIN PGP SIGNATURE-----

signature-goes-here
-----END PGP SIGNATURE-----

SEE ALSO

For more information about "security.txt" files in general, the creators of the specification, Edwin "EdOverflow" Foudil and Yakov Shafranovich, have a web page at https://securitytxt.org. This module might be listed on their web site, but I'm not affiliated with them.

Why not read my article about this to see it in action?