The Code to Cloud organization takes security seriously. We appreciate your efforts to responsibly disclose your findings.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

Report vulnerabilities through the Microsoft Security Response Center.

You can also email security concerns to the team directly.

When using this repository, follow these security practices:

• Use .env files for local development (in .gitignore)
• Use Azure Key Vault for production secrets
• Use Managed Identity instead of API keys

Our .gitignore is configured to prevent accidental commits of:

• .env files
• API keys and credentials
• Local configuration files
• Certificate files

When deploying to Azure:

• Enable private endpoints
• Use RBAC with least privilege
• Enable diagnostic logging
• Use Azure Defender for Cloud

• Regularly update SDK versions
• Monitor for security advisories
• Use Dependabot or similar tools

Before deploying any code from this repository:

• Verified no secrets in code or configuration
• Using DefaultAzureCredential for authentication
• Private endpoints configured for production
• RBAC roles follow least privilege principle
• Diagnostic logging enabled
• Content Safety measures in place

• Azure Security Documentation
• Microsoft Security Response Center
• Azure Security Benchmark