Introducing Galvnyz — Open-Source Compliance Automation
The problem nobody talks about
If you’ve ever run a security assessment for a small IT shop, you know the drill. You open a spreadsheet, probably one you built yourself, and start checking boxes. Is MFA enabled? What’s the password policy? Are audit logs turned on? You click through admin portals, copy values into cells, and after a few hours you have something that looks like a compliance report but feels like a homework assignment.
This is the state of cybersecurity compliance for most small teams. The frameworks exist (CIS Benchmarks, NIST 800-171, CMMC) and the requirements are well-documented. But the actual work of collecting evidence, mapping controls, and producing reports is almost entirely manual. You’re either paying a consultant to click through the same portals you could click through yourself, or you’re doing it in-house with a patchwork of scripts and spreadsheets that nobody wants to maintain.
Enterprise organizations solve this with GRC platforms. They spend six figures on tools that auto-discover assets, pull telemetry, map controls, and generate audit-ready reports. Those tools are genuinely good. They’re also completely out of reach for a 10-person MSP, a two-person IT department, or a solo consultant trying to deliver security assessments without losing money on every engagement. The gap between “enterprise GRC platform” and “spreadsheet I found on Reddit” is enormous, and almost nobody is building for the teams stuck in that gap.
What Galvnyz builds
Galvnyz exists to close that gap. We build open-source tools that automate the mechanical, repetitive parts of compliance work: data collection, control mapping, and evidence gathering. The goal is to let practitioners focus on analysis and remediation instead of copying values between browser tabs.
Everything we ship is free, open-source, and built by people who have actually done this work. No free tier that gates the useful features behind a paywall. No “community edition” that’s missing half the controls. The tools are MIT-licensed, the code is public, and if you want to fork it and build something better, go for it. We’d rather have good tools exist than own the market.
M365-Assess: security assessments without the busywork
The first tool we released is M365-Assess, a PowerShell-based security assessment for Microsoft 365 environments. If you’ve ever spent an afternoon clicking through the Exchange admin center, the Intune portal, the Teams admin center, and the Purview compliance portal trying to document what’s configured and what isn’t, this is the tool that replaces that afternoon.
M365-Assess connects to your tenant using read-only permissions and pulls configuration data from across the Microsoft 365 stack: Exchange Online, Intune, Teams, Microsoft Purview, and Entra ID. It evaluates what it finds against established security baselines and produces a report you can hand to a client or use internally. The whole process takes minutes instead of hours.
The read-only part matters. M365-Assess doesn’t install agents, doesn’t require write access, and doesn’t modify anything in your environment. It connects, reads configuration data, disconnects, and generates a report. For consultants working in client tenants, where you need to be careful about what you touch, this is a hard requirement, not a nice-to-have. You can run it with confidence that it won’t change a single setting.
We built M365-Assess because we needed it ourselves. Running Microsoft 365 security reviews was a regular part of the work, and every engagement involved the same manual data collection. The frameworks told us what to check, but nobody had automated the checking. So we did, and then we open-sourced it because every other IT consultant and MSP tech is doing the same manual work.
CheckID: one control, one identifier
Anyone who has worked across multiple compliance frameworks knows the mapping problem. “Require MFA for all users” shows up in CIS Microsoft 365 Foundations Benchmark, NIST 800-53, CMMC Level 2, and FedRAMP. Each framework gives it a different identifier, different language, and a slightly different scope. If you’re assessing against multiple frameworks at once (which is increasingly common), you end up maintaining parallel spreadsheets that all describe the same controls in different terms.
CheckID is our answer to that problem. It defines a universal check identifier system that maps equivalent controls across frameworks. When you assess a configuration, you get a single CheckID that links back to CIS, NIST, CMMC, FedRAMP, and whatever other frameworks apply. Instead of tracking the same finding five different ways, you track it once and let CheckID handle the cross-references. It’s a small thing that eliminates a surprisingly large amount of duplicated work.
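To make the read-only assessment flow and the CheckID idea concrete, here is an added example that is not M365-Assess or CheckID code. It assumes the Microsoft Graph PowerShell SDK is installed, uses only the read-only `Policy.Read.All` scope, and checks the post's own example control ("Require MFA for all users") against the tenant's Conditional Access policies; the `CheckId` value and the framework references in the finding are hypothetical placeholders, not real identifiers.

```powershell
# Added example, not part of M365-Assess or CheckID. Pattern from the post:
# connect read-only, read configuration, evaluate against a baseline, emit a
# finding with a single cross-framework identifier, disconnect.
$RequiredScopes = @('Policy.Read.All')   # read-only; no *.ReadWrite.* scope requested

function Test-MfaForAllUsers {
    [CmdletBinding()]
    param()

    $policies = Get-MgIdentityConditionalAccessPolicy -All

    # A policy only counts if it is enforced (not report-only), targets all
    # users, and its grant controls require MFA. Exclusions (for example
    # break-glass accounts) are not evaluated here and belong in the evidence.
    $enforcing = $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }

    [pscustomobject]@{
        CheckId    = 'CHK-PLACEHOLDER-MFA-ALL'   # hypothetical CheckID, not a real value
        Title      = 'Require MFA for all users'
        Status     = if ($enforcing) { 'Pass' } else { 'Fail' }
        Evidence   = ($enforcing | Select-Object -ExpandProperty DisplayName) -join '; '
        Excluded   = ($enforcing | ForEach-Object { $_.Conditions.Users.ExcludeUsers }) -join '; '
        References = @{                          # placeholder cross-framework mapping
            CIS  = 'placeholder'
            NIST = 'placeholder'
            CMMC = 'placeholder'
        }
    }
}

Connect-MgGraph -Scopes $RequiredScopes
try {
    # Refuse to run if the granted session carries any write scope, so the
    # assessment cannot change a setting even by accident.
    $ctx = Get-MgContext
    if ($ctx.Scopes | Where-Object { $_ -like '*ReadWrite*' -or $_ -like '*.Write*' }) {
        throw 'Session has write scopes; aborting to keep the assessment read-only.'
    }
    Test-MfaForAllUsers | Format-List
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

The finding object is what a report generator would consume: one CheckId per control, with the framework references attached, rather than one row per framework.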
What’s next
We have more tools in development. The direction is guided remediation: not just telling you what’s wrong, but walking you through how to fix it with specific, actionable steps. We’re also working on evidence collection workflows that produce audit-ready artifacts, and deeper coverage of additional compliance frameworks.
The roadmap isn’t set in stone. We’re building for practitioners, and practitioners have opinions. The features that ship next will be shaped by what the community actually needs, not what sounds good in a pitch deck. If you’re doing compliance work and something is eating your time, we want to hear about it.
Get involved
Galvnyz is a small operation right now. One person with an infrastructure and security background who got tired of doing compliance work the hard way. But open source scales differently than headcount. If the tools are useful, they’ll find their audience. Here’s how to get started:
- Try the tools. Clone M365-Assess and run it against a test tenant. Kick the tires on CheckID. See if they solve problems you actually have.
- Open issues. Found a bug? Missing a control? Have an idea for a feature? GitHub Issues is where that goes.
- Join the conversation. GitHub Discussions is the place for questions, feedback, and general discussion about where these tools should go next.
- Star the repos. It costs nothing and helps other people find the tools.
- Sponsor the work. If these tools save you time and you want to support continued development, GitHub Sponsors is the way to do it.
Everything lives at github.com/Galvnyz. The website is galvnyz.com. Come build with us.