We are pleased to announce the fourth SPCAF release in 12 months – SPCAF version 7.8. As mentioned in the SPCAF version 7.7 release blog, we aim to roll out multiple updates of SPCAF throughout the year, and we have certainly delivered on that promise. Each update comes with an increased rule set related to the latest development scripts and new or improved features.
Customizing SharePoint is far from simple. There are many processes that need to be put in place from the beginning of your customization project to signing off on a job well done. Amongst many other things, updating SPCAF means you are using the full set of tools required to do the job properly.
So, whether you’re learning about SPCAF for the first time or you have an SPCAF license, you can view the full release notes at the end of this article.
Now let’s look at the standout features and updates from this release. We have added support for detecting the performance of scripts hosted on the Office 365 public CDN. We’ve updated the rule list for analyzing SharePoint Framework (SPFx), and significant rules have also been added to the inventory and security areas.
This is a perfect example of why organizations need to run the latest version of SPCAF. Microsoft’s SPFx received an update after SPCAF v7.7 was released. Therefore, it’s crucial that your organization updates to SPCAF v7.8 so you can use the rules that apply to the latest SPFx features. Updating SPCAF to the newest version keeps your automated analysis in line with Microsoft updates.
Referencing a package from an external CDN may be considered fast, but that might not necessarily be the case. It really depends on the performance of the third-party browser hosting the URL. SPCAF makes an assumption of the script performance inside the package before you deploy it. You can then decide if you want to deploy it or not. SPCAF informs you with a notification alert.
Earlier this year, a script offering screen reading capabilities for websites was hacked, and 4000 government websites all over the world were loading a cryptocurrency miner along with the screen reading script. Luckily, no real harm was done, but the intentions of other individuals could have been more sinister. What if a similar script entered your Office 365 tenant and did something far more malicious than mining coins? This is exactly why we have integrated a rule that specifically checks scripts for an integrity hash.
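What an integrity-hash check of this kind looks for can be shown with a short audit script. This is an added example, not SPCAF's own rule or code: the function names, the `cdn.example` and `tenant.example` hosts and the sample markup are all constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
STRENGTH = ["sha256", "sha384", "sha512"]  # SRI algorithms, weakest to strongest

def sri_value(content, alg="sha384"):
    """Build an integrity attribute value: '<alg>-<base64 of the digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity or None) per <script src=...>
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def audit(html, page_host, served):
    """Classify each externally hosted script; `served` maps src -> bytes delivered."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {}
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc
        if not host or host == page_host:
            continue  # same-origin script, not a third-party dependency
        pinned = [t for t in (integrity or "").split() if t.split("-")[0] in STRENGTH]
        if not pinned:
            findings[src] = "missing-integrity"  # nothing pins the expected content
            continue
        # Like a browser, only compare against the strongest algorithm listed.
        best = max((t.split("-")[0] for t in pinned), key=STRENGTH.index)
        findings[src] = "ok" if sri_value(served[src], best) in pinned else "hash-mismatch"
    return findings

def demo():
    # Constructed sample: the same pinned hash, once with intact and once with altered content.
    original = b"function readAloud(){}"
    tampered = original + b";/* injected code */"
    cdn = "https://cdn.example/"  # hypothetical third-party CDN
    html = (f'<script src="{cdn}reader.js" integrity="{sri_value(original)}"></script>'
            f'<script src="{cdn}widget.js"></script>'
            f'<script src="{cdn}reader-v2.js" integrity="{sri_value(original)}"></script>'
            '<script src="/local.js"></script>')
    served = {cdn + "reader.js": original, cdn + "reader-v2.js": tampered}
    return audit(html, "tenant.example", served)

if __name__ == "__main__": print(demo())
```

A script reported as `missing-integrity` would run whatever the CDN serves, while `hash-mismatch` is the case a browser enforcing the attribute would refuse to execute.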
When you have an API permission request, and you approve it, you could be unknowingly offering access to every script across your SharePoint tenant. The new inventory rules alert you before giving out access to your APIs, and this means you can see permissions before going ahead and releasing certain information to 3rd party scripts. Furthermore, they detect whether a specific package or project requires access to APIs. They safeguard against unknowingly sharing confidential information.
Using third-party libraries to build solutions increases the possibilities available to you, but it’s important to understand that although the code you write doesn’t change, the third-party libraries you have used can. Therefore, it is essential to analyze the customizations built with third-party libraries regularly to make sure any known vulnerabilities are flagged. Our security rules located in SPCAF do this job automatically.
For a full list of new features and changes, please view our release notes.
Building SharePoint customizations is not trivial. There are many intricacies you have to be aware of to avoid risks and maintain governance. SPCAF helps you mitigate these risks by continuously analyzing your customizations. Start using SPCAF in your organization today and don’t hesitate to reach out if you have any questions.
Please keep an eye out for the SharePoint Patterns and Practices (PnP) third-party framework. It is run by a number of Microsoft-recognized most valuable professionals (MVPs) and should be considered along with SPFx to build secure and future-proof customizations. We are privileged to have two PnP community members working at Rencore.