It's in the PowerShell Gallery now!
Install-Module SecurityTxtToolkit
SecurityTxtToolkit is a module that works with "security.txt" files, as defined in RFC 9116.
SecurityTxtToolkit is a PowerShell module. It can create, download, test, and verify "security.txt" files.
"security.txt" is an RFC for letting web sites post and share information pertinent to security researchers. This module currently complies with draft version 12.
To test a "security.txt" file, use the cmdlet Test-SecurityTxtFile
. It can be used in both online and offline modes. It outputs a PSCustomObject
that has note-properties corresponding to the fields in the "security.txt" file:
PS C:\> Test-SecurityTxtFile 'github.com'
As of this writing (June 2021), that will generate the following output:
Test-SecurityTxtFile: The mandatory Expires field was not found.
For : github.com
IsValid : False
IsCanonical : True
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
It looks like GitHub's "security.txt" file is not compliant with the specification (at the time of this writing)!
The Test-SecurityTxtFile
cmdlet also accepts string input via -InputObject
or the pipeline:
PS C:\> Get-Content "security.txt" | Test-SecurityTxtFile
That will test the file and validate its input:
For : stdin
IsValid : False
IsCanonical : False
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
However, that cannot be validated for canonicity. In this case, you can add the file's original URL to the cmdlet with the -TestCanonicalUri
parameter:
PS C:\> Invoke-WebRequest -OutFile 'security.txt' -Uri 'https://github.com/.well-known/security.txt'
PS C:\> Get-Content 'security.txt' | Test-SecurityTxtFile -TestCanonicalUri 'https://github.com/.well-known/security.txt'
The latter command will parse the previously-downloaded "security.txt" file as if it had been fetched directly from a web server:
For : stdin
IsValid : False
IsCanonical : True
Acknowledgements : {https://bounty.github.com/bounty-hunters.html}
Canonical : {https://github.com/.well-known/security.txt}
Contact : {https://hackerone.com/github}
Encryption : {}
Expires :
Hiring : {}
Policy : {https://bounty.github.com/}
PreferredLanguages : {en}
IsSigned : False
The New-SecurityTxtFile
cmdlet will generate a "security.txt" file, sending its output to the pipeline. You may redirect it via standard means, or with the -OutFile
parameter. The fields in the "security.txt" specification correspond to this cmdlet's parameters.
PS C:\> New-SecurityTxtFile -OutFile '.well-known/security.txt' -Canonical "https://contoso.com/.well-known/security.txt" -Contact "mailto:[email protected]" -Hiring "https://jobs.contoso.com"
That example will genereate the following output. The Expires field and PGP signature will vary:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
# This is a "security.txt" file that complies with RFC 9116:
# <https://www.rfc-editor.org/rfc/rfc9116>
#
# This file was made with SecurityTxtToolkit:
# <https://github.com/rhymeswithmogul/SecurityTxtToolkit>
Canonical: https://contoso.com/.well-known/security.txt
Contact: mailto:[email protected]
Expires: 2022-06-18T16:41:06-04:00
Hiring: https://jobs.contoso.com/
-----BEGIN PGP SIGNATURE-----
signature-goes-here
-----END PGP SIGNATURE-----
For more information about "security.txt" files in general, the creators of the specification, Edwin "EdOverflow" Foudil and Yakov Shafranovich, have a web page at https://securitytxt.org. This module might be listed on their web site, but I'm not affiliated with them.
Why not read my article about this to see it in action?