Integrations
Every external system Safeguard connects to — source control, registries, clouds, identity, ticketing, notifications, SIEMs, and more.
Safeguard is useful only if it sees your environment. This page catalogs every supported integration across nine categories, how each one connects, and what scopes it needs.
Every integration:
Authenticates with the minimum privileges required.
Uses short-lived workload identity where the provider supports it.
Logs every action to the Safeguard audit stream.
Can be disconnected and its data purged in one click.
Add and manage integrations under Settings → Integrations or via the safeguard integrations CLI.
| Provider | Auth | Notes |
|---|---|---|
| GitHub (Cloud + Enterprise Server 3.7+) | GitHub App + OAuth | Organization-wide install; per-repo enablement |
| GitLab (SaaS + Self-managed 15.0+) | GitLab App + OAuth | Supports groups, sub-groups |
| Bitbucket (Cloud + Data Center 7.0+) | OAuth + App Password | Workspace-wide install |
| Azure DevOps | Azure DevOps App + PAT | Org or project scope |
| Gitea / Forgejo | OAuth App | Self-hosted |
| AWS CodeCommit | IAM role | OIDC federation supported |
| Google Cloud Source Repositories | Workload Identity | |
| Gerrit | Service account | REST API |
What Safeguard does with SCM access:
Reads repository metadata, commits, PRs, CODEOWNERS, GitHub Advanced Security findings.
Opens pull requests for Griffin auto-fix and self-healing.
Writes commit status / check runs with pass/fail results.
Subscribes to push, PR, tag, and release webhooks.
Write scopes are never enabled without explicit per-repo consent.
| Registry | Auth | Notes |
|---|---|---|
| Docker Hub | OAuth / Token | Read only unless push is enabled for auto-fix |
| GitHub Container Registry (GHCR) | GitHub App or PAT | OIDC supported |
| Amazon ECR / ECR Public | IAM role | Roles Anywhere supported |
| Azure Container Registry (ACR) | Managed Identity / Service Principal | |
| Google Artifact Registry (GAR) | Workload Identity Federation | |
| Google Container Registry (GCR) | Workload Identity Federation | Deprecated by Google; migrate to GAR |
| Harbor | Robot account | On-prem + SaaS |
| JFrog Artifactory | Token | |
| Sonatype Nexus | Token | |
| Quay.io / Red Hat Quay | Robot account | On-prem + SaaS |
| Red Hat OpenShift internal registry | Kubeconfig | |
| GitLab Container Registry | GitLab App | |
| AWS Public ECR | Anonymous read | |
| Custom OCI-compliant | Token | Any OCI-distribution-compatible registry |
Capabilities:
Enumerate images, tags, and digests.
Pull image metadata for layer analysis without pulling the full image.
Verify Sigstore / Notation signatures.
Push signed attestations alongside images.
| Provider | Auth | Use |
|---|---|---|
| AWS | IAM role, Roles Anywhere, OIDC WIF | Asset inventory (EKS, ECS, Lambda, ECR, S3, CodeBuild), VPC deployment for runners/admission |
| Azure | Managed Identity / Service Principal / Workload Identity | Asset inventory (AKS, ACI, Functions, ACR, Container Apps), VNet deployment |
| Google Cloud | Workload Identity Federation | Asset inventory (GKE, Cloud Run, Cloud Functions, GAR, Cloud Build), VPC deployment |
| Oracle Cloud Infrastructure | Instance principal | OKE + ADB scans |
| IBM Cloud | IAM token | Kubernetes Service + Code Engine |
| DigitalOcean | API token | |
| Linode / Akamai Cloud | Personal access token | |
| Hetzner | API token | |
| Kubernetes (any) | Kubeconfig or in-cluster service account | Admission controller, runtime collector |
| System | Integration |
|---|---|
| GitHub Actions | Marketplace actions + OIDC federation |
| GitLab CI | Docker image + JWT authentication |
| Azure Pipelines | Task extension |
| Jenkins | Plugin (2.346+) |
| CircleCI | Orb |
| Buildkite | Plugin |
| TeamCity | Plugin |
| Bitbucket Pipelines | Pipe |
| Travis CI | Container image |
| Drone CI | Plugin |
| Tekton / Jenkins X | Task |
| Argo Workflows | WorkflowTemplate |
| Spacelift / Terraform Cloud | Integration |
See CI/CD Integration for installation snippets.
| Provider | Protocols | Notes |
|---|---|---|
| Okta | SAML 2.0, OIDC, SCIM 2.0 | Reference implementation |
| Microsoft Entra ID (Azure AD) | SAML 2.0, OIDC, SCIM 2.0 | Conditional Access supported |
| Google Workspace | OIDC, SAML 2.0 | Directory sync supported |
| JumpCloud | SAML 2.0, SCIM | |
| OneLogin | SAML 2.0, OIDC, SCIM | |
| Ping Identity | SAML 2.0, OIDC | |
| Duo | SAML 2.0 | |
| Keycloak | OIDC, SAML 2.0 | Self-hosted |
| Authentik / authelia | OIDC, SAML 2.0 | Self-hosted |
| AWS IAM Identity Center | SAML 2.0, SCIM | |
| System | Use |
|---|---|
| HashiCorp Vault | Rotate leaked secrets, fetch short-lived credentials for workflows |
| AWS Secrets Manager | Auto-rotate on secret detection |
| Azure Key Vault | Rotate + retrieve |
| GCP Secret Manager | Rotate + retrieve |
| Doppler | Rotate on secret detection |
| Infisical | Rotate on secret detection |
| 1Password Secrets Automation | Rotate on secret detection |
| CyberArk Conjur | Rotate + retrieve |
| System | Capabilities |
|---|---|
| Jira (Cloud + Data Center 8.20+) | Create / update / comment / transition; custom field mapping; auto-close on finding resolution |
| Linear | Create issue, assign, update status |
| Azure Boards | Work item create / update |
| Asana | Task create / update |
| ClickUp | Task create / update |
| GitHub Issues | Issue create / close on merge |
| GitLab Issues | Issue create / close |
| ServiceNow ITSM | Incident / Change / Problem records |
| Zendesk | Ticket create |
| FreshService | Ticket create |
| Channel | Notes |
|---|---|
| Slack | Per-channel routing + slash commands (/safeguard triage, /safeguard suppress) |
| Microsoft Teams | Adaptive cards; per-channel routing |
| Discord | Webhook-based |
| Google Chat | Chatbot integration |
| Mattermost | Webhook-based |
| Email | Per-user digest + escalation routes |
| SMS (Twilio) | Critical-KEV-in-prod pages only, opt-in |
| Webhook (generic) | JSON or plain-text templates |
| System | Use |
|---|---|
| PagerDuty | Page on critical in-production findings, workflow failures, missed SLAs |
| OpsGenie | Same as PagerDuty |
| VictorOps / Splunk On-Call | Same as PagerDuty |
| incident.io | Open incident channel on qualifying findings |
| FireHydrant | Open incident |
| Rootly | Open incident |
| System | Data |
|---|---|
| Splunk | HEC (findings, audit, telemetry) + Splunk ES app |
| Datadog | Logs + Metrics + Events API |
| New Relic | OpenTelemetry |
| Elastic (ECS) | Logs + Metrics |
| Chronicle (Google SecOps) | Direct integration |
| Microsoft Sentinel | Native connector |
| Exabeam / LogRhythm / Securonix / Arctic Wolf / Rapid7 InsightIDR | Syslog + JSON webhook |
| Honeycomb | OpenTelemetry |
| Grafana Cloud | OpenTelemetry |
| Prometheus + Loki + Tempo | Self-hosted OpenTelemetry |
| AWS CloudWatch / S3 | Log ship |
| Azure Monitor / Log Analytics | Log ship |
| Google Cloud Logging | Log ship |
| Ecosystem | Integration |
|---|---|
| npm Registry / GitHub Packages / internal npm | Token-authenticated read |
| PyPI / private PyPI (devpi / Gemfury) | Token-authenticated read |
| Maven Central / Sonatype Nexus / JFrog Artifactory | Token-authenticated read |
| NuGet Gallery / Azure Artifacts / GitHub Packages | Token-authenticated read |
| RubyGems | API key |
| Packagist / Composer | Token |
| crates.io / private Cargo | Token |
| Go modules / GOPROXY | GOPROXY endpoint |
| Conda / Anaconda Cloud / mamba | Token |
| System | Integration |
|---|---|
| Hugging Face | User / org / private; OAuth or token |
| MLflow | REST API token |
| AWS SageMaker Model Registry | IAM role |
| Vertex AI Model Registry | Workload Identity Federation |
| Azure ML Model Registry | Managed Identity |
| Databricks Model Serving | PAT |
| Kubeflow / KServe | In-cluster service account |
| System | Mode |
|---|---|
| Snowflake | Secure data sharing / pull subscription |
| BigQuery | Dataset export |
| Redshift / Redshift Serverless | Direct load |
| Databricks (Unity Catalog) | Delta share |
| Clickhouse Cloud / self-hosted | JSON over HTTP |
| System | Integration |
|---|---|
| Drata | Evidence push |
| Vanta | Evidence push |
| SecureFrame | Evidence push |
| Tugboat Logic / OneTrust | Evidence push |
| Hyperproof | Evidence push |
| Archer / MetricStream / LogicManager | Export bundle |
Most integrations follow the same flow:
1. Settings → Integrations → Add integration.
2. Pick the provider.
3. Authenticate (OAuth redirect, workload identity, or paste a token).
4. Pick the scope (which repos / clusters / projects to include).
5. Confirm.
Integrations are scoped to a team or organization, with team-level overrides where relevant.
Integrations can be declared as code:
safeguard integrations create --type github --org acme --token-env SG_GH_TOKEN
Or via the Terraform provider:
resource "safeguard_integration" "github_acme" {
  type  = "github"
  org   = "acme"
  token = var.github_token
}