SharePoint PnP Security Review




Does anyone know if the PnP programme has undertaken any security reviews or source code checks?


I am working on a project that I feel the tools in the PnP program would be ideal such as the PnP PowerShell library, but i cannot use the library until the organisation I am working with approves the library on a security aspect.


Has anyone encountered this situation or have any recommendations for tools to perform security reviews on the code?




4 Replies

this is a good question for @Vesa Juvonen

best response

Not aware of any official security checks around the PnP. Might have been done a one-off in the customer engagements/projects, but not from our side. PnP is using native oob APIs exposed from SharePoint, so there should not be any surprises from that perspective. In general, though PnP is open source, community driven initiative, with obvious implications from supportability perspective. 


Just a quote around the supportability from the monthly communications - 


What's supportability story around PnP material?

Following statements apply across all of the PnP samples and solutions, including samples, core component(s) and solutions, like PnP Partner Pack.

  • PnP guidance and samples are created by Microsoft & by the Community
  • PnP guidance and samples are maintained by Microsoft & community
  • PnP uses supported and recommended techniques
  • PnP implementations are reviewed and approved by Microsoft engineering
  • PnP is open source initiative by the community – people who work on the initiative for the benefit of others, have their normal day job as well
  • PnP is NOT a product and therefore it’s not supported through Premier Support or other official support channels
  • PnP is supported in similar ways as other open source projects done by Microsoft with support from the community by the community
  • There are numerous partners that utilize PnP within their solutions for customers. Support for this is provided by the Partner. When PnP material is used in deployments, we recommend being clear with your customer/deployment owner on the support model
I would suggest you to take a look at Rencore tools even knowing there are more intended to check if you are applying best practices when developing on top of SPO

Thanks Vesa for replying so quickly.


This is the answer I was looking for. I do appreciate the effort and work that has gone into the programme, what it has become over the years is very impressive. Thats why I am querying this, so I can use this library, but I have to follow a security process for due diligence. :)