
Security: HHR-CPA/Easy-Ai

SECURITY.md

Security Policy

Supported Versions

The M365 Security & SharePoint Analysis Toolkit is actively maintained with regular security updates.

Version Supported Notes
Latest (main) Active development with security updates
Feature branches Pre-release features under review

Build Provenance Attestation

All artifacts generated by GitHub Actions workflows are cryptographically signed using GitHub's build provenance attestation. This provides:

  • Supply Chain Security: Verifiable proof that artifacts were built by GitHub Actions
  • Integrity Verification: Cryptographic signatures prevent tampering
  • Audit Trail: Complete provenance metadata for compliance requirements

Verifying Artifact Attestations

To verify the provenance of an artifact:

# Install the GitHub CLI if it is not already installed, then authenticate:
# gh auth login

# Download the artifact, then verify its attestation. --repo takes owner/repo;
# it cannot be combined with --owner, which scopes the lookup to an owner instead.
gh attestation verify <artifact-path> --repo Heyson315/share-report

All security reports, audit results, and build artifacts include attestations automatically.
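The gh command above checks the signature and that the attestation was issued for the repository you name. What it does not do is encode your own deployment policy: that the provenance statement covers the exact bytes you are about to deploy, that it was produced by the expected workflow file, and that it ran on the expected builder. The following is an added example (not part of this repository and not the toolkit's own code) of such a gate written over the in-toto statement carried by the attestation. It assumes the SLSA v1 provenance layout (subject digests, buildDefinition.externalParameters.workflow, runDetails.builder.id); the workflow path and builder id are assumed placeholders, the repository is the one from the verify command above, and the sample statement and artifact bytes are constructed here so the check runs offline.

```python
"""Policy gate over a SLSA v1 provenance statement (added example, not project code)."""
import hashlib

# Expected values. The repository is the one from this page's verify command;
# the workflow path and builder id are assumed placeholders for illustration.
EXPECTED_REPO = "Heyson315/share-report"
EXPECTED_WORKFLOW_PATH = ".github/workflows/build.yml"                   # placeholder
EXPECTED_BUILDER_ID = "https://github.com/actions/runner/github-hosted"  # assumed value
SLSA_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact: bytes,
                     expected_repo: str = EXPECTED_REPO,
                     expected_workflow: str = EXPECTED_WORKFLOW_PATH,
                     expected_builder: str = EXPECTED_BUILDER_ID) -> list:
    """Return the list of policy violations; an empty list means the artifact
    may be deployed. Every check fails closed: a missing field is a violation."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    # 1. The statement must cover *these* bytes: the sha256 must be a listed subject.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append(f"artifact digest {digest[:12]}... not among statement subjects")

    # 2. The build must originate from the expected repository and workflow file.
    pred = statement.get("predicate") or {}
    workflow = (pred.get("buildDefinition", {})
                    .get("externalParameters", {})
                    .get("workflow", {}))
    if workflow.get("repository") != f"https://github.com/{expected_repo}":
        problems.append(f"source repository {workflow.get('repository')!r} is not {expected_repo}")
    if workflow.get("path") != expected_workflow:
        problems.append(f"workflow path {workflow.get('path')!r} is not {expected_workflow}")
    if not str(workflow.get("ref", "")).startswith("refs/"):
        problems.append("workflow ref missing")

    # 3. The builder must be the expected runner (rejects unknown or self-hosted builders).
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        problems.append(f"builder {builder!r} is not {expected_builder}")
    return problems


# Constructed sample input: a fake artifact and a statement that covers it.
ARTIFACT = b"constructed sample artifact contents\n"

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": SLSA_V1,
    "subject": [{"name": "share-report.zip", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/Heyson315/share-report",
                    "path": EXPECTED_WORKFLOW_PATH,
                }
            },
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
}

if __name__ == "__main__":
    for label, data in (("genuine", ARTIFACT), ("tampered", ARTIFACT + b"x")):
        violations = check_provenance(SAMPLE_STATEMENT, data)
        print(label, "->", "DEPLOY" if not violations else "REJECT: " + "; ".join(violations))
```

Run it and the genuine artifact passes while the tampered copy is rejected because its digest no longer matches the attested subject. In a pipeline you would run the gate after gh has verified the signature, so a mismatch on any of the three checks stops the deployment rather than just logging it.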

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in the M365 Security Toolkit:

Reporting Process

  1. DO NOT open a public GitHub issue for security vulnerabilities
  2. Email security concerns to: [security contact information]
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if available)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Updates: Every 5 business days
  • Resolution Target: Critical issues within 7 days, others within 30 days

Security Best Practices

When using this toolkit:

  1. Credentials: Never commit secrets to the repository
  2. Service Principals: Use least-privilege permissions
  3. Audit Logs: Review workflow logs regularly
  4. Dependencies: Keep Python and PowerShell modules updated
  5. Attestations: Verify artifact provenance before deployment

Security Features

  • Automated Security Scanning: Bandit, Safety, and Semgrep
  • Dependency Monitoring: Weekly automated updates
  • PowerShell Script Analysis: PSScriptAnalyzer enforcement
  • Build Provenance: Cryptographic artifact attestation
  • Access Control: Role-based permissions for M365 services
