feat(scan): add PowerShell scripts for Windows users #69
Merged
Add standalone PowerShell scripts that mirror the bash scripts' functionality for Windows users who don't have Ruby/vtk gem installed:
- shai-hulud-machine-check.ps1: Check for active Shai-Hulud infection
- shai-hulud-repo-check.ps1: Scan lockfiles for compromised packages
- credential-audit.ps1: Audit credentials that may need rotation

All scripts:
- Target PowerShell 5.1+ (ships with Windows 10/11)
- Support -Verbose, -Quiet, -Json flags
- Use same exit codes as bash equivalents (0=clean, 1=infected, 2=warning)
- Auto-download compromised packages list from Cobenian repo (repo scanner)

Also update README.md with Windows usage instructions.
Pull request overview
This PR adds standalone PowerShell scripts that mirror the existing bash script functionality, enabling Windows users to scan for Shai-Hulud malware without requiring Ruby or the vtk gem. The scripts target PowerShell 5.1+ for compatibility with default Windows 10/11 installations.
Key Changes:
- Three new PowerShell scripts providing machine infection checks, repository lockfile scanning, and credential auditing
- All scripts support `-Verbose`, `-Quiet`, and `-Json` flags with consistent exit codes (0=clean, 1=infected, 2=warning)
- README documentation updated with Windows-specific usage instructions and download commands
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 18 comments.
| File | Description |
|---|---|
| scripts/shai-hulud-repo-check.ps1 | Repository scanner that checks lockfiles for compromised npm packages and backdoor GitHub workflows |
| scripts/shai-hulud-machine-check.ps1 | Machine infection checker that scans for active malware indicators, processes, and credential files |
| scripts/credential-audit.ps1 | Credential auditor that identifies sensitive credentials requiring rotation after an incident |
| README.md | Added Windows (PowerShell) section with download instructions and usage examples for all three scripts |
Critical Issues Found:
- PowerShell 5.1 compatibility issue with `SupportsVirtualTerminal` property (doesn't exist until PS 6.0)
- Incorrect backtick escaping in package name formatting that will break malware detection
- Process name detection logic issues that may miss malicious processes
- String method parameter errors (TrimStart)
Security Considerations:
- Scripts download and execute compromised package lists from external URLs
- README instructs users to download and run scripts directly, which needs security guidance
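A safer way to fetch the compromised-package list that the review's security considerations point at, as an added example that is not code from this PR or from the Cobenian scripts. It forces TLS 1.2 on Windows PowerShell 5.1, treats the response strictly as data (every non-comment line must have the `name:version` shape or the whole file is rejected, so an HTML error page or a tampered body is never used as a list), supports an optional SHA-256 pin, and only replaces the local cache after validation succeeds. The function names, the placeholder URL, the cache path, the `-ExpectedSha256` parameter and the sample lists at the bottom are assumptions made for this example.

```powershell
# Added example; not code from this PR or from the Cobenian repository.

function Test-PackageListFormat {
    # Strict shape check for a downloaded list: one "name:version" per line,
    # '#' comments and blank lines allowed. Throws on anything else so an HTML
    # error page, a redirect body or a tampered file is rejected outright.
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Lines)
    $pattern = '^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*:[0-9A-Za-z.+-]+$'
    $count = 0
    foreach ($line in $Lines) {
        $l = $line.Trim()
        if ($l -eq '' -or $l.StartsWith('#')) { continue }
        if ($l -notmatch $pattern) { throw "Rejected package list: unexpected line '$l'" }
        $count++
    }
    if ($count -eq 0) { throw 'Rejected package list: no entries' }
    return $count
}

function Get-CompromisedPackageList {
    [CmdletBinding()]
    param(
        [string]$Url = 'https://example.invalid/compromised-packages.txt',   # placeholder, not the real list URL
        [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'shai-hulud\compromised-packages.txt'),  # assumed location
        [int]$MaxAgeHours = 24,
        [switch]$Refresh,
        [string]$ExpectedSha256   # optional pin obtained out of band (e.g. from a signed release note)
    )

    # Serve from cache while it is fresh and no refresh was requested.
    if (-not $Refresh -and (Test-Path $CachePath)) {
        $age = (Get-Date) - (Get-Item $CachePath).LastWriteTime
        if ($age.TotalHours -lt $MaxAgeHours) { return Get-Content -Path $CachePath }
    }

    # Windows PowerShell 5.1 on older builds may otherwise negotiate TLS 1.0/1.1.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $tmp = [IO.Path]::GetTempFileName()
    try {
        # -UseBasicParsing avoids the Internet Explorer engine dependency on 5.1.
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop

        if ($ExpectedSha256) {
            $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
            if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
                throw "Downloaded list hash $actual does not match pinned value $ExpectedSha256"
            }
        }

        $lines = Get-Content -Path $tmp
        Test-PackageListFormat -Lines $lines | Out-Null   # throws if the shape is wrong

        # Replace the cache only after every check above has passed.
        $dir = Split-Path -Parent $CachePath
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
        Move-Item -Path $tmp -Destination $CachePath -Force
        return $lines
    }
    finally {
        if (Test-Path $tmp) { Remove-Item $tmp -Force -ErrorAction SilentlyContinue }
    }
}

# Constructed sample inputs (offline): a well-formed list is accepted, an HTML body is rejected.
$good = @('# name:version', '@scope/name:1.2.3', 'left-pad:1.3.0')
Test-PackageListFormat -Lines $good
try { Test-PackageListFormat -Lines @('<html>', '<body>404 Not Found</body>') } catch { Write-Warning $_ }
```

A pinned hash is only worth checking when it comes from somewhere the attacker who could tamper with the list cannot also edit; otherwise the TLS channel plus the strict format check is the practical control. Nothing here is ever passed to `Invoke-Expression`: the list is data that the lockfile scanner compares against.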
The regex for non-scoped packages was incorrectly matching scoped packages due to PowerShell -or evaluation order. By checking the scoped package pattern (@scope/name) first, we ensure correct parsing. This mirrors the fix from PR #65 for the bash script.
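The scoped-first parse order described in the commit message above, as an added example that is not code from this PR or from the Cobenian scripts. It parses both lockfile formats the repo scanner targets (yarn v1 headers and package-lock.json v2/v3 `packages` keys), tests the `@scope/name` pattern before the unscoped one in its own `if` so `$Matches` always belongs to the regex that matched, builds the lookup key without the `"$name:$version"` parse error, and looks the results up in a list. The `name:version` list format, the function names and the sample lockfiles are assumptions made for this example.

```powershell
# Added example; not code from this PR or from the Cobenian repository.

function Split-PackageSpec {
    # "@scope/name@^1.2.3" -> Name=@scope/name, Version=^1.2.3
    # "lodash@4.17.21"     -> Name=lodash,       Version=4.17.21
    param([Parameter(Mandatory)][string]$Spec)
    # Scoped pattern first, in its own if: a scoped spec starts with '@', and an
    # unscoped regex that is tested first (or OR-ed in) can split it at the wrong '@'.
    if ($Spec -match '^(@[^/@]+/[^@]+)@(.+)$') {
        return [pscustomobject]@{ Name = $Matches[1]; Version = $Matches[2] }
    }
    if ($Spec -match '^([^@]+)@(.+)$') {
        return [pscustomobject]@{ Name = $Matches[1]; Version = $Matches[2] }
    }
    return $null
}

function Get-YarnLockPackages {
    # Yarn v1 lockfile: an unindented header such as
    #   "@scope/name@^1.0.0", "@scope/name@^1.2.0":
    # followed by an indented   version "1.2.3"   line.
    param([Parameter(Mandatory)][string]$Content)
    $results = @()
    $pending = @()
    foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^\S.*:\s*$') {
            # Header: comma-separated specs, each optionally double-quoted.
            $pending = @()
            foreach ($spec in (($line -replace ':\s*$', '') -split ',\s*')) {
                $parsed = Split-PackageSpec -Spec $spec.Trim([char]'"')
                if ($parsed) { $pending += $parsed.Name }
            }
        }
        elseif ($line -match '^\s+version\s+"([^"]+)"') {
            $version = $Matches[1]
            foreach ($name in ($pending | Select-Object -Unique)) {
                $results += [pscustomobject]@{ Name = $name; Version = $version }
            }
            $pending = @()
        }
    }
    return $results
}

function Get-PackageLockPackages {
    # package-lock.json lockfileVersion 2/3: "packages" is keyed by path, e.g.
    # "node_modules/@scope/name" or "node_modules/a/node_modules/b". The raw text
    # is scanned because Windows PowerShell 5.1's ConvertFrom-Json rejects the
    # empty "" property name that v2/v3 lockfiles use for the root project entry.
    param([Parameter(Mandatory)][string]$Content)
    $results = @()
    $pattern = '"(node_modules/[^"]+)"\s*:\s*\{[^{}]*?"version"\s*:\s*"([^"]+)"'
    foreach ($m in [regex]::Matches($Content, $pattern)) {
        # Keep only the innermost package name. TrimStart('node_modules/') would be
        # wrong here: it strips any of those characters, not the prefix as a whole.
        $name = $m.Groups[1].Value -replace '^.*node_modules/', ''
        $results += [pscustomobject]@{ Name = $name; Version = $m.Groups[2].Value }
    }
    return $results
}

function Find-CompromisedPackages {
    param(
        [Parameter(Mandatory)][object[]]$Installed,        # objects with Name and Version
        [Parameter(Mandatory)][string[]]$CompromisedList   # "name:version" lines; '#' comments allowed
    )
    $bad = @{}
    foreach ($entry in $CompromisedList) {
        $entry = $entry.Trim()
        if ($entry -and -not $entry.StartsWith('#')) { $bad[$entry] = $true }
    }
    foreach ($pkg in $Installed) {
        $name = $pkg.Name
        $version = $pkg.Version
        # "$name:$version" does not parse in PowerShell ("$name:" reads as a scope
        # or drive qualifier); ${} delimits the variable names, as would a backtick
        # before the colon.
        $key = "${name}:${version}"
        if ($bad.ContainsKey($key)) { $pkg }
    }
}

# Constructed sample inputs; not files from the PR.
$yarnLock = @'
# yarn lockfile v1

"@scope/name@^1.0.0", "@scope/name@^1.2.0":
  version "1.2.3"
  resolved "https://registry.example/@scope/name/-/name-1.2.3.tgz"

lodash@^4.17.0:
  version "4.17.21"
'@

$packageLock = @'
{
  "name": "demo",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo", "version": "0.0.0" },
    "node_modules/@scope/name": { "version": "1.2.3" },
    "node_modules/a": { "version": "2.0.0" },
    "node_modules/a/node_modules/b": { "version": "0.0.7" }
  }
}
'@

$compromised = @('# name:version', '@scope/name:1.2.3', 'b:0.0.7')

$installed = @(Get-YarnLockPackages -Content $yarnLock) + @(Get-PackageLockPackages -Content $packageLock)
Find-CompromisedPackages -Installed $installed -CompromisedList $compromised | Format-Table Name, Version
```

The `@scope/name` hit is reported once per lockfile it appears in, and `b:0.0.7` is found even though it is nested under another package, which is the case a `TrimStart`-style prefix strip or a regex that stops at the first `node_modules/` would miss.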
- Fix SupportsVirtualTerminal check for PS 5.1 compatibility (property doesn't exist until PS 6.0)
- Fix TrimStart to use character array instead of strings

Tested on Windows 10 VM with PowerShell 5.1.
The carriage return approach (\r with -NoNewline) wasn't working properly in Windows terminals, causing progress lines to concatenate instead of displaying on separate lines. Changed to use regular newlines for each progress update.
Enoch was able to review and William gave it a go as well. Enoch doesn't have VA access yet. Merging.
Summary
New Files
- scripts/shai-hulud-machine-check.ps1
- scripts/shai-hulud-repo-check.ps1
- scripts/credential-audit.ps1

Features
All scripts support:
- `-Help` - Full usage documentation
- `-Verbose` - Detailed output with all checks
- `-Quiet` - Exit code only (for scripting)
- `-Json` - JSON output format

The repo scanner additionally supports:
- `-Recursive` - Scan subdirectories for monorepos
- `-Depth N` - Control recursion depth (default: 5)
- `-Refresh` - Force refresh of compromised packages list

The compromised packages list is auto-downloaded from Cobenian's repo and cached locally.
Dependencies
This PR should be merged after PR #65 (scan repo) so the README links work correctly. However, the PS scripts work standalone and can be merged independently.
Testing
Tested on Windows 10 VM (PowerShell 5.1) via SSH:
- `shai-hulud-machine-check.ps1 -Help`
- `shai-hulud-machine-check.ps1`
- `shai-hulud-machine-check.ps1 -Json` output
- `credential-audit.ps1 -Help`
- `credential-audit.ps1`
- `credential-audit.ps1 -Json` output
- `shai-hulud-repo-check.ps1 -Help`
- `shai-hulud-repo-check.ps1` (`02-echo:0.0.7` in package-lock.json)
- `shai-hulud-repo-check.ps1`
- `shai-hulud-repo-check.ps1` (`@scope/name` in yarn.lock)
- `shai-hulud-repo-check.ps1 -Recursive` (nested directories)
- `shai-hulud-repo-check.ps1 -Recursive -Json`

Fixes Applied
Ported fixes from PR #65 (bash script) to PowerShell version:
- `formatter_*.yml` → `formatter_[0-9]*.yml` to reduce false positives
- Check `@scope/name` (scoped packages) first