Create script-based checks

Slang supports checks written in other common scripting languages, in addition to the built-in library of standards-based checks. Scripts can be in any format or language that the scan target supports.

For Windows, use:

  • Batch files
  • PowerShell
  • VBScript
  • JScript

For Linux, use:

  • Bash
  • Perl

These actions are required:

Create a script-based check

Script checks use the Script Check Engine (SCE) standard. See Script Check Engine for more information. You can use Slang parameters with script-based checks the same way as regular Slang checks.

  1. Open Visual Studio Code (VS Code).
  2. Select File > New File..., and then name the file check_name.ps1, where check_name is the name of your check.
  3. Copy this script, and then paste it in the new .ps1 file:
    For example:
    POWERSHELL
    # This script checks the TPM status using Get-Tpm.
    # clear all errors
    $error.Clear()
    # check that the TPM is present and ready
    try {
      # -ErrorAction Stop turns any Get-Tpm error into one the catch block handles
      $TPM = Get-Tpm -ErrorAction Stop
      Write-Output $TPM
      if ($TPM -and $TPM.TpmPresent -and $TPM.TpmReady) {
        Write-Output "Result: PASS"
        exit $env:XCCDF_RESULT_PASS
      } else {
        Write-Output "Result: FAIL"
        exit $env:XCCDF_RESULT_FAIL
      }
    } catch {
      # report the error text in the check output, then signal ERROR to the engine
      Write-Output $_
      Write-Output "Result: ERROR"
      exit $env:XCCDF_RESULT_ERROR
    }
  4. Save the file in the /Slang/check_scripts folder.

Add a script-based check to a rule

When you add scripts to your ~/Slang/check_scripts folder, you can use them in Slang rules. See Add rules to the project for more information.

  1. In VS Code, select File > Open Folder, and then navigate to your project.
  2. Create a file, and then name it rule_id.slang, where rule_id is the ID of your rule.
  3. Copy this content, and then paste it in the new .slang file:
    YAML
    Rule:
      title: <rule_name>
      checks:
        - common.script:
          script_file: <check_name>.ps1
    Where:
    • rule_name is the name of your rule.
    • check_name is the name of your check.
  4. Optional: Export parameters as environment variables to use in your script.

    For example:

    YAML
    - common.script:
      script_file: <check_name>.ps1
      set_environment_variables:
          <environment_variable>: ${<parameter_name>}
    Where:
    • check_name is the name of your check.
    • environment_variable is the name you want the environment variable to have.
    • parameter_name is the name of the parameter you want to export.

    In SCE, exported variables are prefixed with XCCDF_VALUE_. To read an exported variable in your script, use the syntax of your scripting language. For example, use $env:XCCDF_VALUE_environment_variable in PowerShell and $XCCDF_VALUE_environment_variable in Bash.

  5. Save the rule file.
  6. Run this command to export your project, including the new script-based check:
    SHELL
    slang export <project_name> <project_name>.xml
    Where:
    • project_name is the name of your project.
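
The parameter export from step 4, seen from the script side, as an added example that is not part of the Slang documentation: a POSIX sh/Bash check that validates the exported value before using it and returns the SCE result codes. The parameter name MAX_DAYS, the function name, and the fallback result-code values are assumptions made for this example.

```shell
#!/bin/sh
# Added example of an SCE-style check script (not Slang's own code).
# MAX_DAYS is a hypothetical Slang parameter, exported as XCCDF_VALUE_MAX_DAYS.

# Fallback result codes (assumed values) so the script also runs outside a
# scan; during a scan the engine provides these variables.
: "${XCCDF_RESULT_PASS:=101}" "${XCCDF_RESULT_FAIL:=102}" "${XCCDF_RESULT_ERROR:=103}"

# check_pass_max_days FILE
# PASS when PASS_MAX_DAYS in FILE (login.defs format) is <= $XCCDF_VALUE_MAX_DAYS.
check_pass_max_days() {
    file=$1
    limit=${XCCDF_VALUE_MAX_DAYS:-}

    # The exported parameter is input to the script: accept digits only.
    case $limit in
        '' | *[!0-9]*)
            echo "Result: ERROR (MAX_DAYS parameter missing or not a number)"
            return "$XCCDF_RESULT_ERROR" ;;
    esac
    if [ ! -r "$file" ]; then
        echo "Result: ERROR (cannot read $file)"
        return "$XCCDF_RESULT_ERROR"
    fi

    # Use the last uncommented PASS_MAX_DAYS entry in the file.
    actual=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$file")
    case $actual in
        '' | *[!0-9]*)
            echo "Result: FAIL (PASS_MAX_DAYS missing or not a number)"
            return "$XCCDF_RESULT_FAIL" ;;
    esac
    if [ "$actual" -le "$limit" ]; then
        echo "Result: PASS (PASS_MAX_DAYS=$actual, limit $limit)"
        return "$XCCDF_RESULT_PASS"
    fi
    echo "Result: FAIL (PASS_MAX_DAYS=$actual, limit $limit)"
    return "$XCCDF_RESULT_FAIL"
}

# Demo on a constructed sample file. A deployed check would instead end with:
#   check_pass_max_days /etc/login.defs; exit $?
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PASS_MAX_DAYS 90' > "$sample"
: "${XCCDF_VALUE_MAX_DAYS:=365}"
rc=0
check_pass_max_days "$sample" || rc=$?
echo "exit code: $rc"
rm -f "$sample"
```

In the rule file, the matching entry under set_environment_variables would map MAX_DAYS to the Slang parameter that holds the limit.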

Test the script-based check

  1. Run a scan.
    Note: If you have access to a Windows 10 device to scan against, and have completed Test a Slang project, run this command to export and test your project using a profile:
    SHELL
    slang export <project_name> <project_name>.xml --scan_config <config_name> --profile profile.<profile_name>.slang --elevate y
    Where:
    • project_name is the name of your project.
    • config_name is the name of your scan configuration.
    • profile_name is the name of your profile.
  2. Review the results to make sure the script worked as expected.
    For example, verify that the output includes XCCDF_RESULT_PASS, XCCDF_RESULT_FAIL, XCCDF_RESULT_ERROR, or XCCDF_RESULT_UNKNOWN.