This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
APIs, webhooks, and automation
What are the API requirements for setting up an API key with Humaans HR software?
Secureframe provides an API key and an API Developer Portal to support compliance workflows, fetch audit data, or manage users programmatically; the Developer Portal gives you the resources to extend Secureframe’s capabilities.
However, we do not maintain instructions for accessing or generating API keys within third-party applications. For that, we recommend referring to the application's documentation or reaching out to their support team.
Google and Microsoft 365
A customer updated their Google Workspace integration filter but the previously excluded users still aren't showing up. Will they be added automatically?
Yes. Once the filter is corrected, the users will be included in the next scheduled sync from Google Workspace and should then be able to log in.
Does the Google Workspace integration have read and write access, or is it read only?
The Google Workspace integration is read only.
If a user is terminated from Google Workspace, will that change the user status in Secureframe to inactive?
Yes, unless an HR vendor connection or Okta or Azure AD shows the user as active.
The platform doesn't integrate with Google Firestore; will there be a lot of manual uplift?
No, the manual uplift will be minimal. You just need to take some screenshots and manually upload them, which shouldn't take much time.
Why are some users still able to sign in with Google even though our Google Workspace integration is no longer connected?
Some users may still be able to sign in with Google due to a legacy login behavior in Secureframe.
Here’s how the Sign in with Google flow currently works:
A user can still sign in using Google if all of the following are true:
- The Google Workspace domain has not already been connected in Secureframe (or was previously removed).
- The user is a super admin of the Google Workspace organization.
- The user has already been invited and is active within your company's Secureframe account.
This explains how some existing users may still be logging in with Google even though your company now primarily uses Office 365.
Important: New users will not be able to use Google login unless Google Workspace is reconnected via the Integrations page.
Integrations
Can Kandji integrate with Secureframe to manage mobile devices?
While we integrate with Kandji, we currently do not support compliance checks for mobile devices in our platform.
Does Secureframe integrate with GovCloud?
Secureframe will start integrating with AWS GovCloud by the end of May, and Azure GovCloud soon after.
Does Secureframe integrate with Wizer?
Wizer is a third-party option for training that allows your personnel to upload completed training documents or certificates as proof of completion. Please note that Wizer is not a direct integration, so there is no connection to set up within the platform.
Is it possible to integrate multiple Office 365 instances into Secureframe?
Yes. You can connect multiple accounts for an integration as long as each account is unique. This applies to Office 365 and to all of our other integrations.
Is it possible to integrate Rippling with Secureframe to pull training completion data?
Secureframe does not currently support pulling training completion data from Rippling through the standard integration.
However, there are two alternatives:
- Standard Rippling Integration: Only supports syncing user and access details, and Rippling RPass (used to demonstrate the use of a password management tool).
- [Custom Data Platform (CDP)](https://support.secureframe.com/hc/en-us/articles/40263351779731-Create-Custom-Integrations): If Rippling can export training completion data (e.g., via API or report), you can use Secureframe’s Custom Integration (CDP) feature to ingest this data into your Secureframe account.
Tip: CDP is a flexible way to map external data into your compliance program when a native integration doesn't exist.
Where can I find documentation to integrate with AWS Organizations using Terraform?
At this time we do not support Terraform modules for the AWS integration.
With that said, once you are integrated with AWS we do offer [remediation methods](https://support.secureframe.com/hc/en-us/articles/19326455609747-Comply-AI-Cloud-Remediation-test-guidance) using Terraform as an option via our Comply AI feature.
Slack
For ISMS Scope, 1c. “For Interfaces and Dependencies, can we list something like: Provider: Engineering, External Providers: Google Workspace, Interfaces: Email, Slack?”
Yes — that format is acceptable as long as it accurately reflects your actual internal teams, external providers, and system interfaces.
Our ticketing system and notifications are set up through Asana (our project management program) and Slack. Is it ok that it's not a traditional ticketing system?
This is okay as long as you document changes as they happen and provide that documentation as evidence. Ensure that your policy aligns with the implemented process and vice versa.
Source control
Can Secureframe use GitLab Custom Properties to create scoping rules, like it does with GitHub?
Not currently. Secureframe supports custom attributes for GitHub but not GitLab. GitLab custom attributes are only accessible via API and require admin-level access to read. If a customer is willing to grant admin access, they can configure custom attributes on the GitLab side using [GitLab's own documentation](https://docs.gitlab.com/api/custom_attributes/#update-a-custom-attribute), but Secureframe does not have native support or internal documentation for this workflow at this time.
Can we integrate with the on-premise version of GitLab?
Yes, the “self-managed or self-hosted” version of GitLab can be integrated.
Can we support self-hosted GitHub? (On-prem)
Secureframe does not support on-prem/self-hosted GitHub; only GitLab is supported.
How can I set new GitHub repositories as out of scope by default in Secureframe?
At this time, Secureframe does not support automatically marking new GitHub repositories as out of scope when they are imported.
However, there are a couple of ways you can manage this behavior:
Recommended Approach: Limit which repos are imported
To prevent irrelevant or dev-only repositories from being imported in the first place:
1. Go to your GitHub organization settings.
2. Navigate to Settings > Installed GitHub Apps.
3. Select the Secureframe app.
4. Update the app’s permissions to only allow access to specific repositories (e.g., your production monorepo).
This way, only the selected repositories will be synced and included in scope evaluations.
How does the GitLab integration work with Secureframe, particularly in terms of populating vulnerabilities on the Secureframe Vulnerabilities tab?
Currently our GitLab integration syncs repository information, branch, pull request, and code testing configurations required for compliance.
It does NOT pull in vulnerability scanning results or related information.
If a customer archives projects in GitHub, would we still pull them in as vulnerabilities? Also, would the vulnerabilities still remain from what has already been pulled in?
Archived repos in GitHub are not pulled in. However, vulnerabilities from repos that were previously pulled in remain in the app. There are plans to change this in the future, but it's not currently on the roadmap.
If there are members of a team that are using their individual GitHub accounts, how should that be evidenced?
Evidence should be provided for change management, such as pull requests, approvals, and code reviews/testing.
What happens when I click “Apply to All in Scope” during repo setup or testing — does it affect all repositories or just the ones from the current connection (e.g., GitHub, GitLab, Bitbucket)?
When you click “Apply to All in Scope,” it only applies to repositories from the given connection — not all repositories across your entire asset inventory.
For example, if you are modifying repositories from your GitHub integration, this action will only affect the repos tied to that specific GitHub connection, not other integrations or unrelated repositories.
What if I don’t use GitHub or another supported code repository? Can I manually import repository data into Secureframe?
At this time, Secureframe does not support manual repository imports or custom uploads for repositories. If you're not using a supported integration like GitHub, GitHub Enterprise, or GitLab (including self-hosted GitLab with a publicly accessible API), there are a couple of options:
Custom Integrations (Early Access):
Secureframe is currently developing support for custom integrations through our Custom Data Platform.
While repositories are not yet a supported resource type, this is something we're actively exploring for future releases.
If your organization hosts repositories internally or uses an unsupported provider, this feature may allow more flexibility down the line.
Manual Evidence Upload:
For now, you can manually upload evidence to meet repository-related test requirements.
This may include screenshots or documentation showing repository activity, production branch protection, or pull request workflows.
Who has the necessary permissions to connect GitHub integration, an admin or a super admin?
To integrate GitHub with Secureframe, the individual initiating the connection must have administrative permissions within the GitHub organization. This is because the process involves installing the Secureframe GitHub App and configuring its permissions, tasks that require GitHub admin rights.
In theory, either an Admin or a Super Admin in Secureframe could connect GitHub, but the critical factor is possessing the necessary GitHub organization admin privileges to authorize and configure the integration.
Why are some tests still manual even though we’ve connected Azure or GitHub?
Some tests may seem automatable at first glance, but there are important technical or contextual limitations.
Here’s a breakdown of specific tests and why manual evidence may still be required:
File Integrity Monitoring
Secureframe cannot currently automate this test due to integration limitations. While this information may be available via certain cloud tools (e.g., Defender for Cloud), we are not yet able to reliably detect it through current API access.
Logging for web application(s)
This test is critical for HIPAA and other frameworks, but automation depends on how your web applications are configured and identified in your environment. If cloud assets are not consistently tagged or named, Secureframe cannot confidently determine which services are logging activity related to public-facing apps.
Encryption in transit for web application(s)
Although Secureframe integrates with Azure, this test cannot always be automated because encryption settings can vary based on service type (e.g., App Services, Load Balancers, Application Gateways) and how they're configured.
Firewalls for web application(s)
Similar to encryption and logging, firewall configuration can be implemented in multiple ways across Azure (e.g., Azure Firewall, NSGs, Application Gateway). Without tagging or specific resource mapping, Secureframe cannot infer which firewall protections apply to which web apps.
Session timeout for cloud service providers (Azure)
There are many ways to enforce session timeouts in Azure, including:
- App Service settings
- Conditional Access Policies in Microsoft Entra ID
- Directory configurations
- Application Gateway or load balancers
Secureframe does not currently support automation across all these configuration paths.
Multi-factor authentication for human resources providers
This test applies to HRIS tools. If no HR tool is in use, the test can be disabled. Providing evidence from GitHub or Azure may help, but these are not typically recognized as HR providers, so automation isn’t currently supported for this scenario.
Will you be willing to sign the GitHub/Microsoft Data Protection Agreement/Addendum?
Yes, Secureframe is willing to sign the GitHub/Microsoft Data Protection Agreement/Addendum.
Ticketing and work tracking
Can a service account be used for the Jira integration instead of a personal user account?
Yes. The Jira integration uses OAuth 2.0, not a personal API token. During the connection setup in Secureframe, whichever Atlassian account completes the OAuth authorization flow is the account that gets used. To connect via a service account, simply have that account (e.g., jira-bot@yourcompany.com) signed in when completing the Jira connection setup in Secureframe.
A few things to keep in mind:
- If the user is already signed into their personal Atlassian account before starting the setup, Jira may skip the authentication prompt and default to that personal account.
- To ensure the service account is used, the user should be signed into the service account in their browser before initiating the connection.
- Fully app-based (non-user) authentication is not supported. A dedicated non-personal Atlassian user is the recommended and supported path.
Can a service account be used for the Jira integration, and can the connected account be swapped out after initial setup?
Yes, a service account can be used. Whichever user authenticates during the connection setup is the account Secureframe will use going forward. If you want to use a service account, sign in with that account when creating or reconnecting the integration.
There is no way to "replace" an existing connected account in place. To switch accounts, set up a new connection or reconnect the existing one, authenticating as the desired user at that time. The service account does not need to be a full Jira admin, but it must have the OAuth scopes listed in the Jira permissions question below.
Can a user with a custom admin role configure the Jira integration in Secureframe? What permissions are required?
Yes, a custom admin role with the "Integrations" permission should be sufficient to configure the Jira integration. Note that the Integrations permission in a custom role primarily controls visibility of the integrations page and the left navigation; it does not itself grant the ability to connect.
If a user has the correct Secureframe role but still cannot configure the integration, the issue is likely on the Jira side, not in Secureframe. A 403 error during connection indicates insufficient permissions in Jira, not in the platform. Common causes include:
- The user has admin access to specific Jira projects or spaces but lacks global admin permissions in Jira.
- The specific Jira project being referenced during setup (check for a project ID in any error output) may not be accessible to that user.
How do we handle user access tracking (Linear)?
User access tracking includes onboarding and offboarding users. If you don’t have a process, you can adopt the template we provide and integrate it into Linear. For Type 1, upload one example, but for future employees, you must track every new employee and those terminated.
If a customer connects two Jira accounts to their instance and wants to keep admin events in one account...
As long as the labels and SLAs are properly configured for each connection, they should be fine.
Is on-premises Jira integration supported in Secureframe?
No, Secureframe does not currently support integration with on-premises Jira.
Jira Cloud and Jira Server are two different products with separate APIs.
Currently, we only support Jira Cloud.
What Jira permissions are required to connect the Secureframe Jira integration?
The connecting user does not need to be a full Jira admin, but does need the following OAuth scopes granted in Jira:
- Read scopes: read:jira-user, read:jira-work, offline_access
- Write scopes: write:jira-work, read:workflow:jira
These permissions must apply across all relevant Jira projects. If a user has admin access to some projects but not others, sync errors (typically 403s) may occur for the projects where permissions are missing.
Additional customer questions
What is the Secureframe API?
[Secureframe](https://secureframe.com/) exposes a REST API for use by customers, partners, and community developers.
The Secureframe API utilizes [resource-oriented endpoints](https://cloud.google.com/apis/design/resources) and returns requests in the form of standard JSON responses, based on the [JSON API spec](https://jsonapi.org/). Search utilizes [Lucene Syntax](https://lucene.apache.org/core/2_9_4/queryparsersyntax.html).
API URL (latest version): https://api.secureframe.com
New to Secureframe?\
Customers: [Start here](https://secureframe.com/request-demo)\
Partners: [Start here](https://secureframe.com/contact/partner)
How do I authenticate with the Secureframe API?
Secureframe uses API keys to authenticate requests. Each API key is tied to one user within one company. API secrets can only be viewed a single time, at key creation. Store your secrets securely and do not share your keys in a public medium. If you lose your secret, you must generate a new API key.
To view, create, and revoke API keys, navigate to the Secureframe Console -> Your Profile -> Company settings -> API keys. This page is protected by RBAC and only accessible by certain roles.
To authenticate with an API key and secret, include the header `'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>'` in your request, for example as a cURL option:
```bash
--header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>'
```
Requests made via HTTP will be redirected to HTTPS.
How do I create a request to the Secureframe API?
Reference the below template in `cURL` for creating a request with parameters:
```bash
curl --location -g --request GET \
  --header 'Authorization: <YOUR_API_KEY> <YOUR_SECRET_KEY>' \
  'https://api.secureframe.com/<ENDPOINT>?include[<PARAM>]=<VALUE>'
```
Note: Our API does not directly support bulk updates - only one object can be updated per request. That said, you can utilize loops to mimic bulk operations.
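The cURL template above builds a single request by hand. The Python client below is an added example, not Secureframe's own code or SDK: it reads the key and secret from environment variables (the variable names are an assumption) instead of embedding them in source, refuses a non-HTTPS base so the Authorization header never leaves the client in clear text before the HTTP-to-HTTPS redirect, builds the `include[<PARAM>]=<VALUE>` query the same way the template does, and mimics a bulk update by issuing one request per object, as the note above describes. The endpoint name `example-endpoint`, the use of PATCH for updates and the injectable `send` callable are placeholders for illustration, not documented API details.

```python
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.secureframe.com"  # latest version, from the docs


def load_credentials():
    """Read the key pair from the environment (variable names are an assumption).

    The secret is shown only once when the key is created, so keep it in a
    secrets manager or environment variable, never in source control."""
    key = os.environ.get("SECUREFRAME_API_KEY")
    secret = os.environ.get("SECUREFRAME_API_SECRET")
    if not key or not secret:
        raise RuntimeError("SECUREFRAME_API_KEY and SECUREFRAME_API_SECRET must be set")
    return key, secret


def build_url(endpoint, include=None, base=API_BASE):
    """Build '<base>/<endpoint>?include[<PARAM>]=<VALUE>&...' like the cURL template.

    A non-HTTPS base is rejected: the API redirects HTTP to HTTPS, but the
    credentials in the Authorization header would already have been sent in
    clear text on that first request."""
    if urllib.parse.urlsplit(base).scheme != "https":
        raise ValueError("API base must use https")
    url = f"{base.rstrip('/')}/{endpoint.strip('/')}"
    if include:
        # Brackets stay literal (as with curl -g); names and values are percent-encoded.
        query = "&".join(
            f"include[{urllib.parse.quote(str(k), safe='')}]="
            f"{urllib.parse.quote(str(v), safe='')}"
            for k, v in include.items()
        )
        url = f"{url}?{query}"
    return url


def build_request(key, secret, endpoint, method="GET", include=None, body=None):
    """Return a urllib Request carrying the 'Authorization: <KEY> <SECRET>' header."""
    headers = {"Authorization": f"{key} {secret}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        build_url(endpoint, include), data=data, headers=headers, method=method
    )


def bulk_update(key, secret, endpoint, updates, send):
    """Mimic a bulk update with one request per object, as the API requires.

    `updates` maps object id -> request body. `send` is any callable that takes
    a Request and returns the parsed response; it is injected so the loop can
    be exercised without network access. PATCH is an assumed method."""
    results = {}
    for object_id, body in updates.items():
        req = build_request(key, secret, f"{endpoint}/{object_id}", method="PATCH", body=body)
        results[object_id] = send(req)
    return results


if __name__ == "__main__":
    # Offline demonstration with constructed placeholder credentials and an
    # echoing sender; replace `echo` with urllib.request.urlopen to go live.
    req = build_request("EXAMPLE_KEY", "EXAMPLE_SECRET", "example-endpoint",
                        include={"status": "active"})
    print(req.get_method(), req.full_url)
    echo = lambda r: {"method": r.get_method(), "url": r.full_url}
    for oid, result in bulk_update("EXAMPLE_KEY", "EXAMPLE_SECRET", "example-endpoint",
                                   {"1": {"name": "a"}, "2": {"name": "b"}}, echo).items():
        print(oid, result)
```

Because `bulk_update` takes the sender as a parameter, the same loop can be pointed at `urllib.request.urlopen` in production and at a recording stub in tests, and every object still travels in its own request exactly as the API expects.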
How do I view API request history in Secureframe?
API requests, just like console-based requests, are tracked in the Audit Log (note: API vs Console requests are not differentiated visually).
To access the Audit Log, navigate to the Secureframe Console -> Your Profile -> Company settings -> Audit Log. This page is protected by RBAC and only accessible by certain roles.
How does Secureframe API versioning work?
Secureframe makes many additive API changes that are _backwards compatible_ and able to be supported in all API versions:
- Adding operations
- Adding optional parameters
- Adding optional request headers
- Adding response attributes
- Adding response headers
Backwards _incompatible_ changes require Secureframe to release a new dated API version, as they can potentially break an integration:
- Removing operations
- Removing, renaming, or changing the type of a parameter
- Adding a required parameter or making a previously optional parameter now required
- Removing attributes from request responses
- Adding a required header
- Introducing new parameter data validation constraints
- Updating authentication and authorization mechanisms
| Dated Version (Release Date) | API URL | Deprecation Date |
| :--------------------------- | :--------------------------- | :--------------- |
| 2023-10-18 | https://api.secureframe.com/ | - |
Is it possible to use an API to add new vendors?
At this time, we do not have the ability to create vendors through the API.
Our API supports the following actions:
- Retrieving a list of existing vendors.
- Getting details for a single vendor.
- Archiving vendors.
For more information, you can refer to our documentation [here](https://developer.secureframe.com/tag/Third-Party-Risk-Management-Vendor/#operation/tprmVendorRiskDetailsArchive).
What are the licensing requirements to access the API?
Access to our API Developer tool is available on both the Complete and Fundamentals plans, so all customers can use it regardless of subscription tier.
For more details on your plan and what is available, please visit https://secureframe.com/pricing
What are the Secureframe API rate limits?
Requests are limited to 500 requests per minute per IP address. If the limit is exceeded, further requests are blocked until enough of the window has elapsed for capacity to become available again under that limit.
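Because the limit is counted per IP address rather than per API key, every script behind the same egress address shares one 500-per-minute budget, and a loop that mimics bulk updates can exhaust it quickly. The sliding-window limiter below is an added example, not part of Secureframe's documentation or tooling: it tracks the timestamps of the requests sent in the last 60 seconds, sleeps just long enough for the oldest one to age out when the budget is used up, and wraps any sender callable so that throttling happens before a request leaves the client. The clock and sleep functions are injectable (an assumption for testability), and the limit constants are taken from the statement above.

```python
import collections
import threading
import time

# Documented limit: 500 requests per minute per source IP address.
RATE_LIMIT = 500
WINDOW_SECONDS = 60.0


class RateLimiter:
    """Sliding-window limiter that keeps outbound calls under the documented limit.

    The limit is per IP, so every process sharing an egress address (for
    example behind one NAT gateway) draws from the same budget: run one
    limiter per host and share it between threads rather than one per caller.
    `clock` and `sleep` are injectable so the behaviour can be tested offline."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.sleep = sleep
        self.sent = collections.deque()  # send timestamps still inside the window
        self.lock = threading.Lock()

    def _prune(self, now):
        # Discard timestamps that have aged out of the window.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def wait_time(self):
        """Seconds until the next request fits in the window (0.0 if it fits now)."""
        now = self.clock()
        self._prune(now)
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def acquire(self):
        """Block until a request may be sent; returns the total seconds waited."""
        waited = 0.0
        with self.lock:
            while True:
                delay = self.wait_time()
                if delay <= 0:
                    break
                self.sleep(delay)
                waited += delay
            self.sent.append(self.clock())
        return waited


def send_throttled(limiter, send, request):
    """Send one request through the limiter; `send` is any callable that performs the call."""
    limiter.acquire()
    return send(request)


if __name__ == "__main__":
    # Constructed clock so the demonstration runs instantly instead of sleeping.
    class FakeClock:
        def __init__(self):
            self.t = 0.0

        def now(self):
            return self.t

        def sleep(self, seconds):
            self.t += seconds

    fc = FakeClock()
    limiter = RateLimiter(limit=3, window=60.0, clock=fc.now, sleep=fc.sleep)
    for i in range(5):
        waited = send_throttled(limiter, lambda r: f"sent {r}", f"request-{i}")
        print(f"t={fc.t:5.1f}s waited={waited:4.1f}s -> {waited}")
```

With the real defaults (`time.monotonic` and `time.sleep`) the fourth call in the demo would pause for a full minute; the constructed clock shows the same arithmetic without the wait. A limiter like this is a courtesy to the API and a protection for your own automation, since blocked requests simply fail until the window clears.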
How can one find out which user account is associated with setting up an integration?
At this time, Secureframe doesn’t show which user added an integration. If you need help identifying who may have set it up, please reach out to support@secureframe.com for assistance.