Updates from newly merged PRs 1857, 1921 and 1850

Author: Christoph Bergmeister

reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingAllowUnencryptedAuthentication.md

@@ -0,0 +1,35 @@
+---
+description: Avoid sending credentials and secrets over unencrypted connections
+ms.custom: PSSA v1.22.0
+ms.date: 02/13/2024
+ms.topic: reference
+title: AvoidUsingAllowUnencryptedAuthentication
+---
+# AvoidUsingAllowUnencryptedAuthentication
+
+**Severity Level: Warning**
+
+## Description
+
+Avoid using the `AllowUnencryptedAuthentication` switch on `Invoke-WebRequest`, `Invoke-RestMethod`, and other webrequest cmdlets, which sends credentials and secrets over unencrypted connections.
+This should be avoided except for compatability with legacy systems.
+
+For more details, see the documentation warning [here](https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/invoke-webrequest#-allowunencryptedauthentication).
+
+## How
+
+Avoid using the `AllowUnencryptedAuthentication` switch.
+
+## Example 1
+
+### Wrong
+
+```powershell
+Invoke-WebRequest foo -AllowUnencryptedAuthentication
+```
+
+### Correct
+
+```powershell
+Invoke-WebRequest foo
+```

reference/docs-conceptual/PSScriptAnalyzer/Rules/AvoidUsingPositionalParameters.md

@@ -25,17 +25,17 @@ supplied. A simple example where the risk of using positional parameters is negl
 ```powershell
 Rules = @{
     PSAvoidUsingPositionalParameters = @{
-        CommandAllowList = 'az', 'Join-Path'
+        CommandAllowList = 'Join-Path', 'MyCmdletOrScript'
         Enable           = $true
     }
 }
 ```
 
 ### Parameters
 
-#### CommandAllowList: string[] (Default value is 'az')
+#### CommandAllowList: string[] (Default value is @()')
 
-Commands to be excluded from this rule. `az` is excluded by default because starting with version 2.40.0 the entrypoint of the AZ CLI became an `az.ps1` script but this script does not have any named parameters and just passes them on using `$args` as is to the Python process that it starts, therefore it is still a CLI and not a PowerShell command.
+Commands or scripts to be excluded from this rule.
 
 #### Enable: bool (Default value is `$true`)
 

reference/docs-conceptual/PSScriptAnalyzer/Rules/README.md

@@ -27,6 +27,7 @@ The PSScriptAnalyzer contains the following rule definitions.
 | [AvoidSemicolonsAsLineTerminators](./AvoidSemicolonsAsLineTerminators.md)                         | Warning     |         No         |                 |
 | [AvoidShouldContinueWithoutForce](./AvoidShouldContinueWithoutForce.md)                           | Warning     |        Yes         |                 |
 | [AvoidTrailingWhitespace](./AvoidTrailingWhitespace.md)                                           | Warning     |        Yes         |                 |
+| [AvoidUsingAllowUnencryptedAuthentication](./AvoidUsingAllowUnencryptedAuthentication.md)         | Warning     |        Yes         |                 |
 | [AvoidUsingBrokenHashAlgorithms](./AvoidUsingBrokenHashAlgorithms.md)                             | Warning     |        Yes         |                 |
 | [AvoidUsingCmdletAliases](./AvoidUsingCmdletAliases.md)                                           | Warning     |        Yes         | Yes<sup>2</sup> |
 | [AvoidUsingComputerNameHardcoded](./AvoidUsingComputerNameHardcoded.md)                           | Error       |        Yes         |                 |

reference/docs-conceptual/PSScriptAnalyzer/Rules/ReviewUnusedParameter.md

@@ -14,6 +14,24 @@ title: ReviewUnusedParameter
 This rule identifies parameters declared in a script, scriptblock, or function scope that have not
 been used in that scope.
 
+## Configuration settings
+
+|Configuration key|Meaning|Accepted values|Mandatory|Example|
+|---|---|---|---|---|
+|CommandsToTraverse|By default, this command will not consider child scopes other than scriptblocks provided to Where-Object or ForEach-Object. This setting allows you to add additional commands that accept scriptblocks that this rule should traverse into.|string[]: list of commands whose scriptblock to traverse.|`@('Invoke-PSFProtectedCommand')`|
+
+```powershell
+@{
+    Rules = @{
+        ReviewUnusedParameter = @{
+            CommandsToTraverse = @(
+                'Invoke-PSFProtectedCommand'
+            )
+        }
+    }
+}
+```
+
 ## How
 
 Consider removing the unused parameter.