Integrations
Connect your entire infrastructure stack — 50 live integrations across cloud providers, identity platforms, security tools, HR systems, and developer tools — to enable automatic evidence collection and continuous compliance monitoring with 383 automated checks.
Overview
zGovern integrates with 50 platforms across 9 categories. Once connected, each integration runs automated checks on a 6-hour schedule. Failing checks auto-create risks in your Risk Register, passing checks auto-collect compliance evidence, and trend data is available per check via the Monitoring dashboard.
Cloud & Infrastructure (6 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| AWS | 8 | IAM MFA enforcement, S3 public bucket exposure, CloudTrail logging, Security Hub findings, EBS encryption, RDS encryption at rest, VPC flow logs, GuardDuty threat detection |
| Azure | 7 | MFA Conditional Access policies, RBAC role assignments, storage encryption, NSG rules, Activity Log retention, Microsoft Defender for Cloud, Key Vault access policies |
| GCP | 7 | VPC firewall rules and audit logging, IAM policy bindings, Cloud Storage bucket ACLs, Cloud Audit Logs, Cloud KMS key rotation, Cloud Armor policies |
| DigitalOcean | 6 | API authentication, Droplet firewall rules, no public Spaces exposure, team member access review, monitoring alerts configuration, VPC network isolation |
| Linode (Akamai) | 6 | API authentication, Linode instance firewall rules, no public Object Storage, user account access review, managed monitoring, VPC configuration |
| Vultr | 6 | API authentication, instance firewall rules, no public Object Storage, account access review, monitoring alerts, VPC network configuration |
Identity & Access Management (4 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| Okta | 6 | MFA enrollment policy (required for all users), session timeout policies, password complexity and history, admin role assignments review, inactive user detection, app assignment review |
| Ping Identity | 6 | API authentication, MFA policy enforcement, admin account review, password policy strength, SSO session management, audit log configuration |
| Google Workspace | 7 | 2-step verification enforcement, super admin role count, external data sharing policies, third-party app access controls, Drive sharing defaults, Admin SDK audit, password expiry policy |
| Microsoft 365 | 7 | MFA status for all users, Conditional Access policies, SharePoint external sharing, Teams external access, Defender for Office 365 status, audit log search enabled, mail forwarding rules |
Code, DevOps & CI/CD (10 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| GitHub | 8 | Branch protection on main/master, no unexpected public repos, secret scanning enabled, Dependabot alerts, signed commit enforcement, org 2FA requirement, CODEOWNERS enforcement, Actions permissions |
| GitLab | 6 | Protected branches, deploy key scope, audit logging enabled, 2FA enforcement at group level, merge request approval rules, container registry access |
| Bitbucket | 6 | Branch restrictions on main, no public repos, 2FA enforcement, IP allowlist configuration, pipeline permissions, code review enforcement |
| GitHub Actions | 6 | Workflow permissions (read-only default), no self-hosted runner exposure, secrets used instead of hardcoded values, OIDC token usage, artifact retention limits, approved Actions only |
| CircleCI | 6 | API authentication, project security settings, env var usage (no hardcoded secrets), runner configuration review, OIDC token usage, orb version pinning |
| Jenkins | 6 | Authentication enabled (no anonymous access), CSRF protection active, script security settings, plugin update status, credentials store usage, TLS configuration |
| Terraform | 6 | State file encryption, remote backend usage, no plaintext secrets in state, workspace isolation, version pinning on providers, Sentinel policy checks |
| Docker | 6 | No public images with sensitive data, registry access controls, image signing/trust enabled, no privileged containers, secrets management (no ENV secrets), base image vulnerability scan |
| Kubernetes | 7 | RBAC enabled, no default service account usage, network policies configured, pod security admission, secrets encryption at rest, audit logging enabled, container image policy |
| Dependabot | 6 | API authentication, open critical CVE count, dependency update PRs review, security advisories count, auto-merge policy review, dependency review action enabled |
Security Tools (5 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| CrowdStrike | 7 | Sensor deployment coverage, prevention policy enforcement, real-time response enabled, threat intelligence alerts, zero-trust assessment score, host group assignments, detections review |
| Snyk | 6 | API authentication, open critical vulnerabilities, license compliance issues, container image vulnerabilities, IaC misconfigurations, SBOM generation status |
| SonarQube | 6 | API authentication, quality gate status, critical code issues count, security hotspot review, code coverage threshold, duplications threshold |
| Wiz | 6 | API authentication, critical issues count, toxic combinations detected, data exposure findings, identity risk findings, vulnerability management SLAs |
| Lacework | 6 | API authentication, compliance assessment score, anomaly detection alerts, cloud activity baseline, container runtime threats, policy violation count |
Monitoring & Observability (5 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| Datadog | 7 | API authentication, monitor alert configuration, anomaly detection enabled, log retention policy, SIEM/security signal rules, sensitive data scanner, compliance dashboards |
| New Relic | 6 | API authentication, alert policy coverage, user access review, data retention configuration, security vulnerability monitoring, SLO definition |
| Elastic | 6 | API authentication, security alerts enabled, SIEM rules active, index lifecycle management, role-based access, TLS configuration |
| Grafana | 6 | API authentication, LDAP/SSO authentication, admin user count review, dashboard public exposure, data source access controls, alert notification channels |
| Prometheus | 5 | API accessibility, authentication configuration, alert rules defined, retention policy, TLS endpoint configuration |
Networking & CDN (1 integration)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| Cloudflare | 7 | WAF rules enabled, DDoS protection active, SSL/TLS minimum version, access policies configured, API token permissions review, bot management, audit log retention |
Device Management (1 integration)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| Jamf | 7 | Device enrollment compliance, disk encryption (FileVault) enforcement, firewall enabled, OS version compliance, screensaver lock policy, MDM profile deployment, Gatekeeper enforcement |
Productivity & Collaboration (9 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| Slack | 6 | Workspace 2FA requirement, approved apps list, data retention policy, external workspace connections, file sharing restrictions, admin audit log access |
| Jira | 6 | API authentication, project permissions (no public projects), user access review, audit logging enabled, field permission schemes, external sharing controls |
| Linear | 6 | API authentication, workspace member access review, no public projects, guest access controls, SAML SSO enforcement, data export restrictions |
| Notion | 6 | API authentication, workspace member access review, no public pages with sensitive content, guest access controls, SSO enforcement, content export restrictions |
| Confluence | 6 | API authentication, space permissions review, no public spaces with sensitive content, user access review, anonymous access disabled, attachment size policy |
| Google Drive | 6 | API authentication, no overly-shared files (anyone with the link), external sharing restrictions, Team Drive member review, DLP policy enforcement, audit logging |
| Trello | 6 | API authentication, organization access, no public boards with sensitive data, member access review, Power-Up review, file attachment policy |
| Asana | 6 | API authentication, workspace member access review, external guest access control, public project exposure, SSO enforcement, data export restrictions |
| ClickUp | 6 | API authentication, team member access review, public space exposure, guest access review, SSO enforcement, external link sharing policy |
Password Management (4 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| 1Password | 7 | API authentication, master password policy, MFA enrollment for all members, vault sharing policies, admin account count review, security audit score, travel mode usage |
| Bitwarden | 6 | API authentication, organization member MFA, master password policy enforcement, vault sharing controls, admin access review, two-step login policy |
| LastPass | 6 | API authentication, MFA policy enforcement, master password complexity, shared folder access review, admin user count, security score baseline |
| Dashlane | 6 | API authentication, team member MFA enrollment, password health score, admin provisioning review, SSO configuration, security breach alerts enabled |
HR & People Operations (5 integrations)
| Integration | Checks | Key Automated Checks |
| --- | --- | --- |
| BambooHR | 7 | API authentication, terminated employee offboarding completeness, security training completion rate, onboarding checklist completion, employee data access review, IT asset assignment, background check records |
| Rippling | 7 | API authentication, terminated employee access revocation, onboarding app provisioning, MFA posture across workforce, security training completion, device management enrollment, payroll admin count |
| Gusto | 8 | API authentication, terminated employee access revocation, onboarding completeness, company MFA posture, payroll admin count, SSO configuration, I-9 document completeness, benefits enrollment completion |
| Workday | 7 | API authentication, terminated worker offboarding completeness, security role assignment review, audit logging enabled, password policy strength, SSO/SAML configuration, data retention policy |
| ADP | 7 | OAuth authentication, worker data accessible, terminated worker offboarding, payroll data encryption, admin access controls, audit trail configuration, role-based access review |
Credential Security
All integration credentials (API keys, access tokens, service account JSON, OAuth tokens, Basic auth credentials) are encrypted at rest using AES-256-GCM before being stored in the database. Decryption only occurs at scan time inside the backend process — credentials are never logged or returned in API responses.
| Property | Value |
| --- | --- |
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key material | ENCRYPTION_KEY environment variable (64-character hex string = 256-bit key) |
| IV | Randomly generated per encryption operation (12 bytes) |
| Auth tag | 16-byte GCM authentication tag stored alongside the ciphertext; any modification of the blob makes decryption fail, so tampering is detected rather than silently accepted |
| Storage | Encrypted blob stored in the IntegrationCredential table; credentials are never stored in plaintext |
🔒 Protect your ENCRYPTION_KEY
If the ENCRYPTION_KEY is lost, or rotated without re-encrypting the existing credentials, every stored integration credential becomes unreadable and must be re-entered. In production, store this key in a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).
Credential Requirements by Integration
Cloud & Infrastructure
| Integration | Required Credentials |
| --- | --- |
| AWS | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION |
| Azure | Tenant ID, Client ID, Client Secret (Service Principal) |
| GCP | Service Account JSON key file (with Security Admin + Viewer roles) |
| DigitalOcean | Personal Access Token (read scope) |
| Linode | Personal Access Token (read-only scope) |
| Vultr | API Key (read-only) |
Identity & Access
| Integration | Required Credentials |
| --- | --- |
| Okta | Okta Domain, API Token (Read Only Administrator) |
| Ping Identity | PingOne Environment ID, Client ID, Client Secret |
| Google Workspace | Service Account JSON with domain-wide delegation, Admin SDK enabled |
| Microsoft 365 | Tenant ID, Client ID, Client Secret (with Directory.Read, AuditLog.Read permissions) |
Code & DevOps
| Integration | Required Credentials |
| --- | --- |
| GitHub | Personal Access Token (repo, admin:org, security_events scopes) |
| GitLab | Personal or Group Access Token (read_api, read_repository) |
| Bitbucket | App Password (Repositories:Read, Account:Read, Workspace membership:Read) |
| GitHub Actions | Same token as GitHub (Actions:Read scope) |
| CircleCI | Personal API Token |
| Jenkins | Jenkins URL, Username, API Token |
| Terraform | Terraform Cloud Token + Organization Name (or self-hosted backend URL) |
| Docker | Docker Hub Username + Access Token (or Registry URL + credentials) |
| Kubernetes | Kubeconfig file (cluster endpoint + service account token with read access) |
| Dependabot | GitHub Token with security_events scope |
Security Tools
| Integration | Required Credentials |
| --- | --- |
| CrowdStrike | API Client ID + Client Secret (Hosts:Read, Prevention Policy:Read, Detections:Read) |
| Snyk | Snyk API Token + Organization ID |
| SonarQube | SonarQube URL + User Token |
| Wiz | Client ID + Client Secret (Wiz Service Account) |
| Lacework | Account Name, Key ID, Secret (API key with read access) |
Monitoring & Observability
| Integration | Required Credentials |
| --- | --- |
| Datadog | API Key + Application Key (read-only) |
| New Relic | User API Key + Account ID |
| Elastic | Elasticsearch URL + API Key (read access) |
| Grafana | Grafana URL + Service Account Token (Viewer role) |
| Prometheus | Prometheus URL (+ Basic Auth if configured) |
| Cloudflare | API Token (Zone:Read, Account:Read, Firewall Services:Read) |
| Jamf | Jamf Pro URL, Username, Password (Auditor role) |
Productivity & Collaboration
| Integration | Required Credentials |
| --- | --- |
| Slack | Bot OAuth Token (xoxb-...) with admin.teams:read, channels:read |
| Jira | Atlassian Domain + Email + API Token |
| Linear | Personal API Key |
| Notion | Internal Integration Secret (workspace-level) |
| Confluence | Atlassian Domain + Email + API Token |
| Google Drive | Service Account JSON with Drive API (read-only) |
| Trello | API Key + API Token (read access) |
| Asana | Personal Access Token |
| ClickUp | Personal API Token |
Password Management
| Integration | Required Credentials |
| --- | --- |
| 1Password | 1Password Connect Server URL + API Token (or Service Account Token) |
| Bitwarden | Organization Client ID + Client Secret |
| LastPass | Account Email + SAML Key + Account Number |
| Dashlane | Team Admin API Key |
HR & People Operations
| Integration | Required Credentials |
| --- | --- |
| BambooHR | Company Domain + API Key |
| Rippling | API Key (Company-level, read access) |
| Gusto | OAuth Access Token (Company UUID read access) |
| Workday | Tenant URL + ISU Username + ISU Password + Client ID + Client Secret |
| ADP | Client ID + Client Secret (OAuth 2.0 with worker read access) |
How to Add an Integration
1. Navigate to Integrations: click Integrations in the sidebar. You'll see all 50 available integrations with their connection status.
2. Click "Add Integration": select the integration type from the dropdown. You can search by name or filter by category.
3. Enter credentials: provide the required credentials for the selected integration. All credentials are encrypted with AES-256-GCM before being stored. See the credential requirements tables above.
4. Run your first sync: click Sync Now to run an immediate check. Results appear within 30–90 seconds, depending on the number of resources in your account.
5. Review results: navigate to Continuous Monitoring to see check results. Any FAIL items automatically create risks in your Risk Register with severity and remediation guidance.
Sync Schedule & Behavior
| Trigger | Schedule | Description |
| --- | --- | --- |
| Automated scan | Every 6 hours (node-cron) | Runs all 383 checks for all active integrations across all organizations |
| Manual sync | On demand | Click "Run Now" on the Integrations page or call POST /api/integrations/:id/sync |
| Weekly digest | Monday 8:00 AM | Summary email to all ADMIN users with check pass/fail counts and trend sparklines |
What Happens When a Check Fails
When an integration check transitions to FAIL status, the following automated actions occur:
- ⚠ A new risk is created in the Risk Register, with severity derived from the check's impact level
- ⚠ The risk is linked to the source check via risk.sourceCheckId, so it is traceable back to its trigger
- ⚠ An email alert is sent to all ADMIN users (if SMTP is configured)
- ⚠ Alert deduplication prevents re-alerting for checks that were already failing in the previous scan
- ⚠ If a closed risk's source check starts failing again, the risk is automatically reopened and its reopenCount is incremented
- ✓ When a previously failing check passes, evidence is auto-collected and linked to the mapped controls
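The transition rules above, modelled as a small state machine in an added example (illustrative code, not zGovern's own). Only the field names sourceCheckId and reopenCount come from the page; the object shapes, the status strings, the impact-to-severity map and the sample check are assumptions.

```javascript
// Added example, not zGovern's own code: fail/pass transitions for one check.
// sourceCheckId and reopenCount are the page's field names; everything else
// (shapes, status strings, severity map, sample check) is assumed.
const SEVERITY_BY_IMPACT = { low: "LOW", medium: "MEDIUM", high: "HIGH", critical: "CRITICAL" };

class RiskRegister {
  constructor() {
    this.risks = [];             // at most one risk per source check
    this.alerts = [];            // emails that would go to ADMIN users
    this.evidence = [];          // auto-collected evidence items
    this.lastStatus = new Map(); // checkId -> "PASS" | "FAIL" from the previous scan
  }
  // Apply one check's result from the current scan.
  record(check, status) {
    const previous = this.lastStatus.get(check.id) || "PASS";
    if (status === "FAIL") {
      let risk = this.risks.find((r) => r.sourceCheckId === check.id);
      if (!risk) { // first failure: create the risk, severity from the check's impact
        risk = { sourceCheckId: check.id, severity: SEVERITY_BY_IMPACT[check.impact], status: "OPEN", reopenCount: 0 };
        this.risks.push(risk);
      } else if (risk.status === "CLOSED") { // closed risk whose check fails again is reopened
        risk.status = "OPEN";
        risk.reopenCount += 1;
      }
      // Deduplication: alert only if the check was not already failing in the previous scan.
      if (previous !== "FAIL") this.alerts.push({ checkId: check.id, severity: risk.severity });
    } else if (previous === "FAIL") {
      // Previously failing check now passes: collect evidence for its mapped controls.
      this.evidence.push({ checkId: check.id, controls: check.mappedControls });
    }
    this.lastStatus.set(check.id, status);
  }
  close(checkId) {
    const risk = this.risks.find((r) => r.sourceCheckId === checkId);
    if (risk) risk.status = "CLOSED";
  }
}

// Constructed walk-through: a check fails, keeps failing, is closed, fails again, then passes.
function walkthrough() {
  const reg = new RiskRegister();
  const check = { id: "aws.s3.public-bucket", impact: "high", mappedControls: ["CC6.1"] };
  reg.record(check, "FAIL"); // scan 1: risk created, alert sent
  reg.record(check, "FAIL"); // scan 2: already failing, no second alert
  reg.close(check.id);       // an admin closes the risk between scans
  reg.record(check, "FAIL"); // scan 3: reopened, reopenCount becomes 1, still deduplicated
  reg.record(check, "PASS"); // scan 4: evidence collected for the mapped control
  return reg;
}
```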
API Endpoints
See the full Integrations API reference for request/response schemas. Key endpoints: