Integrations

Connect your cloud providers, identity platforms, and developer tools to enable automatic evidence collection and continuous compliance monitoring across your entire infrastructure.

Overview

zGovern integrates with 8 platforms across cloud infrastructure, version control, identity providers, and messaging. Once connected, each integration runs automated checks on a 6-hour schedule and surfaces failing checks as compliance risks. Evidence from passing checks is automatically linked to the relevant controls in your frameworks.

Supported integrations: AWS (Cloud), GitHub (VCS), Azure (Cloud), GCP (Cloud), Okta (IdP), GitLab (VCS), Google Workspace (Directory), Slack (Messaging).

What Each Integration Checks

Integration | Type | Automated Checks
AWS | Cloud | IAM MFA enforcement, S3 public bucket exposure, CloudTrail logging enabled, Security Hub findings, EBS volume encryption, RDS encryption at rest, VPC flow logs enabled
GitHub | VCS | Branch protection rules on main/master, repository visibility (no unexpected public repos), secret scanning enabled, Dependabot alerts configured, signed commit enforcement
Azure | Cloud | MFA policies (Conditional Access), RBAC role assignments, storage account encryption, Network Security Group rules, Activity Log retention & export
GCP | Cloud | VPC firewall rules and audit logging, IAM policy bindings, Cloud Storage bucket ACLs, Cloud Audit Logs configuration
Okta | IdP | MFA enrollment policy (required for all users), session timeout policies, password complexity & history policy, admin role assignments review
GitLab | VCS | Protected branches configuration, deploy key scope restrictions, audit logging enabled, 2FA enforcement at group level
Google Workspace | Directory | 2-step verification enforcement for all users, super admin role count, external data sharing policies, third-party app access controls
Slack | Messaging | Workspace-level 2FA requirement, approved apps list review, data retention policy configuration, external workspace connections

Credential Security

All integration credentials (API keys, access tokens, service account JSON, OAuth tokens) are encrypted at rest using AES-256-GCM before being stored in the database. Decryption only occurs at scan time inside the backend process.

Property | Value
Algorithm | AES-256-GCM (authenticated encryption)
Key material | ENCRYPTION_KEY environment variable (64-character hex string = 256-bit key)
IV | Randomly generated per encryption operation (12 bytes)
Auth tag | 16-byte GCM authentication tag stored alongside ciphertext
Storage | Encrypted blob stored in the IntegrationCredential table — never stored in plaintext

Protect your ENCRYPTION_KEY: If the ENCRYPTION_KEY is lost or rotated without re-encrypting existing credentials, all stored integration credentials will be unreadable and you will need to re-enter them. Store this key in a secrets manager (AWS Secrets Manager, Vault, etc.) in production.

How to Add an Integration

  1. Navigate to Integrations

    Click Integrations in the sidebar. You'll see a list of available integrations with their connection status.

  2. Click "Add Integration"

    Select the integration type from the dropdown (e.g., AWS).

  3. Enter credentials

    Provide the required credentials for the selected integration:

    Integration | Required Credentials
    AWS | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
    GitHub | Personal Access Token with repo, admin:org scopes
    Azure | Tenant ID, Client ID, Client Secret (Service Principal)
    GCP | Service Account JSON key file
    Okta | Okta Domain, API Token
    GitLab | Personal or Group Access Token
    Google Workspace | Service Account JSON with domain-wide delegation
    Slack | Bot OAuth Token (xoxb-...)

  4. Run your first sync

    Click Sync Now to run an immediate check. Results will appear within 30–60 seconds depending on the number of resources in your account.

  5. Review results

    Navigate to Continuous Monitoring to see the check results. Any FAIL items will automatically create risks in your Risk Register.

Sync Schedule & Behavior

Integration syncs run automatically on the following schedule:

Trigger | Schedule | Description
Automated scan | Every 6 hours (node-cron) | Runs checks for all active integrations across all organizations
Manual sync | On demand | Click "Run Now" in the Integrations page or call POST /api/integrations/:id/sync
Weekly digest | Monday 8:00 AM | Summary email to all ADMIN users with check pass/fail counts and trend

What Happens When a Check Fails

When an integration check transitions to FAIL status, the following automated actions occur:

  • A new risk is created in the Risk Register with severity derived from the check's impact level
  • The risk is linked to the source check via risk.sourceCheckId — so you can always trace a risk back to its trigger
  • An email alert is sent to all ADMIN users (if SMTP is configured)
  • Alert deduplication prevents re-alerting for checks that were already failing in the previous scan
  • If a closed risk's source check starts failing again, the risk is automatically reopened and its reopenCount is incremented

Auto-resolve behavior: When a previously-failing check passes again, the linked risk's status is not automatically changed to RESOLVED — this requires a human decision. However, you can configure auto-close in your organization settings (coming in a future release).
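The following is an added illustration, not zGovern's code, of the transition rules above applied to one scan: create a risk for a newly failing check, deduplicate checks that were already failing, reopen a closed risk whose check fails again, and leave passing checks alone. The record shapes (check result with id, status and impact; risk with sourceCheckId, status, reopenCount and severity) and the severity mapping are assumptions.

```javascript
// Constructed data model (assumption): a check result is { id, status, impact },
// a risk is { id, sourceCheckId, status, reopenCount, severity }.
function severityFromImpact(check) {
  return (check.impact || "medium").toUpperCase();  // assumed mapping of impact level to severity
}

// Compares the previous scan with the current one and mutates `risks` in place.
// Returns what a notifier would need: new risks, reopened risks, and check ids to alert on.
function applyScanResults(previousResults, currentResults, risks) {
  const prevStatus = new Map(previousResults.map((r) => [r.id, r.status]));
  const riskByCheck = new Map(risks.map((k) => [k.sourceCheckId, k]));
  const created = [];
  const reopened = [];
  const alerts = [];

  for (const check of currentResults) {
    // A check that passes again does not resolve its risk (human decision, see above).
    if (check.status !== "FAIL") continue;
    // Already failing in the previous scan: no transition, so no new alert (deduplication).
    if (prevStatus.get(check.id) === "FAIL") continue;

    const existing = riskByCheck.get(check.id);
    if (!existing) {
      const risk = {
        id: `risk:${check.id}`,           // constructed id
        sourceCheckId: check.id,          // trace the risk back to its trigger
        status: "OPEN",
        reopenCount: 0,
        severity: severityFromImpact(check),
      };
      risks.push(risk);
      riskByCheck.set(check.id, risk);
      created.push(risk);
    } else if (existing.status === "CLOSED") {
      existing.status = "OPEN";           // closed risk whose check fails again is reopened
      existing.reopenCount += 1;
      reopened.push(existing);
    }
    alerts.push(check.id);                // one alert per PASS -> FAIL transition
  }
  return { created, reopened, alerts };
}
```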

API Endpoints

See the full Integrations API reference for request/response schemas. Key endpoints:

GET /api/integrations | List all integrations for the organization
POST /api/integrations | Create a new integration
POST /api/integrations/:id/sync | Trigger an immediate sync for one integration