finds.dev

// the find

cisagov/ScubaGear

★ 2,606 · PowerShell · CC0-1.0 · updated Jul 2026

Automation to assess the state of your M365 tenant against CISA's baselines

ScubaGear is a PowerShell module from CISA that audits Microsoft 365 tenant configuration against the agency's Secure Configuration Baselines (SCBs). It exports the relevant settings through the M365 APIs (Microsoft Graph plus the product-specific PowerShell modules), evaluates them with Open Policy Agent against Rego policies that encode each baseline, and writes HTML, JSON and CSV conformance reports. The intended audience is federal agencies under BOD 25-01, but any M365 shop that wants a structured, repeatable configuration audit can use it.

The OPA/Rego evaluation layer is the right architectural call: policy-as-code means the baselines are auditable, diffable, and testable, and the 400+ unit tests for the Rego rules show the project actually treats them that way. Coverage is genuinely broad: Entra ID, Exchange Online, Teams, SharePoint, Power Platform, Power BI, and Defender each get their own provider and baseline, not just the obvious ones. The NIST SP 800-53 and MITRE ATT&CK mappings are included and maintained, which saves weeks of work if your organization needs to tie findings to a compliance framework. The new ScubaConfigApp GUI, with live YAML preview and Graph integration for group selection, is a real usability improvement for admins who aren't comfortable hand-editing config files.

It only runs on Windows with PowerShell 5.1 (the PSGallery install instruction says 'open a PowerShell 5 terminal on a Windows computer'), which locks out Linux/macOS CI pipelines and anyone who has moved to PS 7. A full tenant assessment needs significant M365 permissions and interactive auth by default; the non-interactive path (an app registration authenticating with a certificate) exists, but it is documented separately and is noticeably more painful to set up. The tool is read-only: it reports gaps and changes nothing, so after a run you are looking at a list of failures with no automation path forward. That is by design, but it means pairing it with something like DSC or Terraform for remediation is entirely on you. ScubaConnect automates scheduled execution, but it is a separate repo with its own infrastructure requirements, so 'just run it on a schedule' is more work than the README implies.
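What closing that gap looks like in practice, as an added example that is not ScubaGear's own code: run the assessment unattended with a service principal, load the per-control results from the output folder, and turn failed 'Shall' controls into a non-zero exit code a pipeline can gate on. The app ID, certificate thumbprint and tenant name are placeholders; the output folder prefix and the TestResults.json field names (PolicyId, Criticality, RequirementMet, ReportDetails) are assumptions based on what the tool writes today, not a documented contract, so check them against your installed version. The -Offline switch swaps in a constructed sample so the triage logic can be exercised without a tenant.

```powershell
<#
Added example, not part of ScubaGear. One-time prerequisites (PowerShell 5.1 on Windows):
    Install-Module -Name ScubaGear
    Initialize-SCuBA          # fetches OPA and the required M365 modules
Assumptions (placeholders / observed behaviour, not a documented contract):
  - the app registration, certificate thumbprint and tenant values below are placeholders
  - ScubaGear writes its run into a folder named M365BaselineConformance_<timestamp>
  - TestResults.json rows carry PolicyId, Criticality, RequirementMet, ReportDetails
#>
param(
    [string]   $AppId      = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]   $Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',           # placeholder
    [string]   $Tenant     = 'contoso.onmicrosoft.com',                # placeholder
    [string[]] $Products   = @('exo', 'teams'),
    [string]   $OutPath    = (Join-Path $PWD 'scuba-reports'),
    [switch]   $Offline    # use the constructed sample instead of touching a tenant
)

function Get-ScubaFailures {
    <# Return the evaluated controls that failed at the given criticality levels.
       'Shall' controls are requirements and 'Should' controls are recommendations,
       so a pipeline gate normally breaks only on the former. The match is exact on
       purpose, so any variant criticality strings the tool emits for controls it
       cannot evaluate are not counted as failures. #>
    param(
        [Parameter(Mandatory)] [object[]] $Results,
        [string[]] $Criticality = @('Shall')
    )
    $Results |
        Where-Object { $_.RequirementMet -eq $false -and $Criticality -contains $_.Criticality } |
        Select-Object PolicyId, Criticality, ReportDetails
}

function Get-LatestScubaResults {
    # Locate the newest ScubaGear output folder under $Path and load its TestResults.json
    # (folder prefix and file name are assumed from observed output, see header).
    param([Parameter(Mandatory)] [string] $Path)
    $run = Get-ChildItem -Path $Path -Directory -Filter 'M365BaselineConformance*' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $run) { throw "No ScubaGear output folder found under $Path" }
    Get-Content -Path (Join-Path $run.FullName 'TestResults.json') -Raw | ConvertFrom-Json
}

if ($Offline) {
    # Constructed sample in the shape of TestResults.json; not real tenant data.
    $results = @(
        [pscustomobject]@{ PolicyId = 'MS.EXO.1.1v1';   Criticality = 'Shall';  RequirementMet = $false; ReportDetails = '1 remote domain(s) allow automatic forwarding: example.com' }
        [pscustomobject]@{ PolicyId = 'MS.EXO.2.2v2';   Criticality = 'Shall';  RequirementMet = $true;  ReportDetails = 'Requirement met' }
        [pscustomobject]@{ PolicyId = 'MS.TEAMS.1.1v1'; Criticality = 'Should'; RequirementMet = $false; ReportDetails = 'Recommendation not met' }
    )
} else {
    Import-Module ScubaGear -ErrorAction Stop
    # Certificate-based service-principal auth: no interactive prompt, so this runs unattended.
    # -KeepIndividualJSON retains TestResults.json; -Quiet stops the HTML report from opening a browser.
    $scuba = @{
        ProductNames          = $Products
        AppID                 = $AppId
        CertificateThumbprint = $Thumbprint
        Organization          = $Tenant
        OutPath               = $OutPath
        KeepIndividualJSON    = $true
        Quiet                 = $true
    }
    Invoke-SCuBA @scuba
    $results = Get-LatestScubaResults -Path $OutPath
}

$failures = @(Get-ScubaFailures -Results $results)
$failures | Format-Table -AutoSize
# ScubaGear itself only reports; the pass/fail decision for the pipeline is ours.
if ($failures.Count -gt 0) {
    Write-Error "$($failures.Count) 'Shall' control(s) failed"
    exit 1
}
exit 0
```

Run it as `.\scuba-gate.ps1 -Offline` to see the triage on the sample (one failing 'Shall' control, exit code 1); drop the switch and supply real values to run against a tenant. Remediation still has to come from elsewhere, but at least the failure list now lives where a pipeline can see it.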

