Security
Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues.
Send a private report
support@dummy-bi.com

Include a description of the issue, steps to reproduce, and the version you were using. We review all reports and respond as soon as we can. Responsible disclosure is credited unless you prefer anonymity.
Your Data Never Leaves Your Machine
The optional API connectors (Power BI service, Fabric, Azure DevOps, GitHub, and Databricks) connect directly from your machine to those services using credentials you provide, and only when you explicitly invoke them. No proxy or relay sits in between: the credentials and the data those services return stay on your machine, and the Dummy BI project never receives or stores either.
The only background network activity is an optional update check that sends your current version number to GitHub to see if a newer release exists. No report data is included. All local features work fully offline.
Supply Chain Security
Every commit triggers automated scanning across all three ecosystems the tool uses. CI fails on any finding not explicitly acknowledged — new vulnerabilities are never silently ignored.
| Ecosystem | Tool | What it catches |
|---|---|---|
| Python | pip-audit | Known CVEs in PyPI packages |
| Python | Hash-verified installs | Tampered or replaced packages |
| Node.js | npm audit | High/critical vulnerabilities |
| Rust | cargo audit | Security advisories in crates |
| All | Socket.dev | Malicious packages, typosquatting |
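The "fails on any finding not explicitly acknowledged" rule is easy to state and easy to get subtly wrong (an advisory acknowledged under its CVE id must still match when the scanner reports it under a PYSEC or GHSA id, and stale acknowledgements should not linger). The gate below is an added example written for this page, not the project's own CI code: it assumes the JSON layout that `pip-audit --format json` emits and a hypothetical `audit-allowlist.txt`; the audit output and allowlist embedded in it are constructed.

```python
"""CI gate over pip-audit output: fail on any finding not explicitly acknowledged.

Added example for this page; not the project's own CI code. It assumes the JSON
layout that `pip-audit --format json` emits ("dependencies", each with "vulns"
carrying "id", "aliases" and "fix_versions") and a hypothetical allowlist file
with one acknowledged advisory ID per line. Both sample inputs are constructed.
"""
import json
import sys

# Constructed sample of pip-audit JSON output (not a real scan result).
SAMPLE_PIP_AUDIT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-00001", "aliases": ["CVE-0000-00001"],
             "fix_versions": ["1.0.1"], "description": "constructed finding A"},
            {"id": "PYSEC-0000-00002", "aliases": [],
             "fix_versions": [], "description": "constructed finding B"},
        ]},
        {"name": "cleanlib", "version": "2.3.4", "vulns": []},
    ],
    "fixes": [],
})

# Constructed allowlist (hypothetical audit-allowlist.txt): one ID per line, '#' comments.
SAMPLE_ALLOWLIST = """
# Reviewed: vulnerable code path is not reachable from this tool.
CVE-0000-00001
"""


def parse_allowlist(text: str) -> set[str]:
    """Acknowledged advisory IDs; blank lines and '#' comments are ignored."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry.upper())
    return ids


def unacknowledged_findings(audit_json: str, allow: set[str]) -> list[dict]:
    """Findings none of whose identifiers (id or aliases) are in the allowlist.

    Matching on aliases lets a CVE-form acknowledgement cover the same advisory
    when pip-audit reports it under a PYSEC or GHSA id.
    """
    findings = []
    for dep in json.loads(audit_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"].upper(), *(a.upper() for a in vuln.get("aliases", []))}
            if ids & allow:
                continue  # explicitly acknowledged
            findings.append({
                "package": f"{dep['name']}=={dep['version']}",
                "id": vuln["id"],
                "aliases": list(vuln.get("aliases", [])),
                "fix_versions": list(vuln.get("fix_versions", [])),
            })
    return findings


def stale_allowlist_entries(audit_json: str, allow: set[str]) -> set[str]:
    """Allowlisted IDs no current finding uses; prune them so the list stays honest."""
    seen = set()
    for dep in json.loads(audit_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            seen.add(vuln["id"].upper())
            seen.update(a.upper() for a in vuln.get("aliases", []))
    return allow - seen


def gate(audit_json: str, allowlist_text: str) -> int:
    """Exit status for CI: 0 only when every finding is acknowledged."""
    allow = parse_allowlist(allowlist_text)
    bad = unacknowledged_findings(audit_json, allow)
    for f in bad:
        fix = ", ".join(f["fix_versions"]) or "no fix released"
        print(f"UNACKNOWLEDGED {f['id']} in {f['package']} (fix: {fix})")
    for stale in sorted(stale_allowlist_entries(audit_json, allow)):
        print(f"note: allowlist entry {stale} matches no current finding")
    return 1 if bad else 0


if __name__ == "__main__":
    # Assumed CI usage:  pip-audit --format json -o audit.json
    #                    python audit_gate.py audit.json audit-allowlist.txt
    if len(sys.argv) == 3:
        audit, allowlist = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        audit, allowlist = SAMPLE_PIP_AUDIT, SAMPLE_ALLOWLIST
    sys.exit(gate(audit, allowlist))
```

Run against the constructed sample, the gate fails the build because the second finding has no acknowledgement, while the first is covered by its CVE alias. The same pattern applies to `npm audit --json` and `cargo audit --json` with a different parser for their output shape.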
Verifiable Releases
Every release ships with:
| Artifact | Format / scope | Purpose |
|---|---|---|
| SBOM | CycloneDX | A complete list of every bundled dependency. |
| SHA-256 checksums | All installers | Verify file integrity before running. |
| Build attestation | GitHub Actions | Cryptographic proof the build came from our official pipeline. |
To verify an installer (replace `<installer.exe>` with the path of the file you downloaded):

```sh
gh attestation verify <installer.exe> --repo TomNek/PowerBI_Tool
```

The attestation check proves the build came from our pipeline; the SHA-256 checksum confirms the bytes you downloaded match that build. Do both before running an installer. All release artifacts are available on our GitHub Releases page.
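The checksum and SBOM checks can be scripted without any service access. The block below is an added example for this page, not the project's release tooling, and it does not replace `gh attestation verify` (which needs the GitHub CLI). It assumes the checksum file uses sha256sum-style lines (`<hex>  <name>` or `<hex> *<name>`) and that the SBOM is CycloneDX JSON with a top-level `components` array; the artifact names and both sample inputs are constructed.

```python
"""Check downloaded release artifacts: SHA-256 checksum list and CycloneDX SBOM.

Added example for this page; not the project's own release tooling, and it does
not replace `gh attestation verify`, which needs the GitHub CLI. It assumes the
checksum file uses sha256sum-style lines (`<hex>  <name>` or `<hex> *<name>`)
and that the SBOM is CycloneDX JSON with a top-level "components" array.
File names and both sample inputs are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text: str) -> dict[str, str]:
    """Map artifact name -> expected hex digest; rejects malformed digests."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 digest: {parts[0]!r}")
        expected[name] = digest
    return expected


def verify_release(directory: str, checksums_text: str) -> dict[str, str]:
    """Return {artifact: 'ok' | 'MISMATCH' | 'MISSING'}. Run nothing that is not 'ok'."""
    results = {}
    for name, want in parse_checksums(checksums_text).items():
        # basename() keeps a hostile checksum list from pointing outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = sha256_of_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def sbom_components(sbom_json: str) -> list[tuple[str, str]]:
    """(name, version) of every component listed in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sorted((c["name"], c.get("version", "")) for c in doc.get("components", []))


# Constructed SBOM fragment; component names are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "otherlib", "version": "2.0.0",
         "purl": "pkg:npm/otherlib@2.0.0"},
        {"type": "library", "name": "examplelib", "version": "1.0.0",
         "purl": "pkg:pypi/examplelib@1.0.0"},
    ],
})


def demo() -> dict[str, str]:
    """Constructed download directory: one intact file, one tampered, one absent."""
    d = tempfile.mkdtemp()
    good = b"constructed installer bytes"
    with open(os.path.join(d, "DummyBI-Setup.exe"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "DummyBI-Portable.zip"), "wb") as f:
        f.write(b"tampered after the checksum list was published")
    checksums = "\n".join([
        f"{hashlib.sha256(good).hexdigest()}  DummyBI-Setup.exe",
        f"{hashlib.sha256(b'original zip bytes').hexdigest()} *DummyBI-Portable.zip",
        f"{'0' * 64}  DummyBI-Linux.AppImage",
    ])
    return verify_release(d, checksums)


if __name__ == "__main__":
    for artifact, status in demo().items():
        print(f"{status:9} {artifact}")
    for name, version in sbom_components(SAMPLE_SBOM):
        print(f"sbom: {name} {version}")
```

A missing artifact is reported separately from a mismatch so a partial download is not mistaken for tampering, and the digest comparison uses `hmac.compare_digest` out of habit rather than necessity (the digests are public). The SBOM listing is what you would diff against the previous release to see which bundled dependencies changed.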