Integrations
Integrations forward HarborGuard's vulnerability findings to outside systems — compliance tools, code-security dashboards, ticketing — so the data your auditors and developers already look at stays in sync with what HarborGuard sees.
Every integration follows the same shape:
- Push on a schedule, not on every scan. A single worker wakes every 15 minutes, walks every org that has an integration enabled, and pushes the complete current state. There are no per-scan webhooks to wire up, and a single missed run self-heals on the next sweep.
- State-of-world replace. Each sync pushes the entire current set of findings scoped to the integration. Anything previously pushed that is no longer present is removed on the target side. There is no append/delete drift to reconcile.
- Credentials are encrypted at rest. Tokens are AES-256-GCM envelope-encrypted before they hit Postgres and are never returned to the browser. The settings UI masks to the last four characters.
- Disable without disconnecting. Every integration has an Enabled toggle separate from Disconnect. Uncheck it to pause sync (e.g. during an audit freeze) while keeping the token and mappings in place.
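The replace contract is easiest to see from the receiving side. The following is an added example, not HarborGuard's own code: a small model of a target that keys items by (integrationId, sourceId), applies one full-state payload per sweep, and reports what was added, updated, or removed. The finding records and the scope identifiers are constructed sample data.

```javascript
// Added example (not HarborGuard's own code): a receiving-side model of the
// "state-of-world replace" contract. Items live under a scope keyed by
// (integrationId, sourceId); each sync delivers the complete current set for
// one scope, and the receiver drops whatever in that scope is missing from it.
// Other scopes are never touched.

// Constructed sample findings: what HarborGuard currently sees for two images.
const currentFindings = [
  { id: 'CVE-2024-0001@app:1.2', image: 'app:1.2', severity: 'high' },
  { id: 'CVE-2024-0002@app:1.2', image: 'app:1.2', severity: 'medium' },
  { id: 'CVE-2024-0003@api:3.0', image: 'api:3.0', severity: 'critical' },
];

// The sync payload is always the whole set for the scope, never a delta.
function buildPayload(integrationId, sourceId, findings) {
  return {
    integrationId,
    sourceId,
    items: findings.map((f) => ({
      key: f.id,
      attrs: { image: f.image, severity: f.severity },
    })),
  };
}

// Receiver: replace the scope's items with the payload's items.
// `state` is a Map<scope, Map<key, attrs>>; a new Map is returned so the
// caller can compare before/after. added/updated/removed report the effect.
function applyReplace(state, payload) {
  const scope = `${payload.integrationId}/${payload.sourceId}`;
  const before = state.get(scope) || new Map();
  const after = new Map();
  const added = [];
  const updated = [];
  const removed = [];
  for (const item of payload.items) {
    after.set(item.key, item.attrs);
    if (!before.has(item.key)) {
      added.push(item.key);
    } else if (JSON.stringify(before.get(item.key)) !== JSON.stringify(item.attrs)) {
      updated.push(item.key);
    }
  }
  for (const key of before.keys()) {
    if (!after.has(key)) removed.push(key);
  }
  const next = new Map(state);
  next.set(scope, after);
  return { state: next, added, updated, removed };
}

// Two sweeps for one scope, with a finding fixed in between; a second
// integration's scope sits in the same store and must be left alone.
function simulate() {
  let state = new Map([['vanta-other/src-9', new Map([['X-1', { severity: 'low' }]])]]);
  const sweep1 = applyReplace(state, buildPayload('vanta-1', 'src-1', currentFindings));
  state = sweep1.state;
  const fixed = currentFindings.filter((f) => f.id !== 'CVE-2024-0002@app:1.2');
  const sweep2 = applyReplace(state, buildPayload('vanta-1', 'src-1', fixed));
  // A missed sweep changes nothing: applying the same payload again is a no-op.
  const sweep3 = applyReplace(sweep2.state, buildPayload('vanta-1', 'src-1', fixed));
  return { sweep1, sweep2, sweep3 };
}
```

The third sweep is the self-healing property from the list above: because every run carries the full state, a skipped or failed run leaves nothing to catch up on, and re-sending the same payload produces no changes on the target.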
Available integrations
| Integration | What it pushes | Scope of replace | Token type | Push cadence |
|---|---|---|---|---|
| Vanta | Container vulnerability findings as Vanta connector items | Per (integrationId, sourceId) — findings not in the payload are deleted from that source | Vanta Private API token | Every 15 minutes |
| GitHub Code Scanning | Per-image SARIF analyses to a repo's Security → Code scanning tab | Per (repo, ref, category) — category is harborguard:<imageName>[:<imageTag>] | Classic PAT with the security_events scope, or a fine-grained PAT or App installation token with Code scanning alerts: write | Every 15 minutes |
Connecting an integration
From Settings → Integrations, pick a provider card. Each card is a self-contained form:
- Paste the provider token (and any provider-specific IDs or repo mappings).
- Click Save. The token is encrypted server-side; the plaintext is wiped from the form.
- Click Test Connection to verify the token works against the live API.
- Click Sync Now to enqueue an immediate run (otherwise the scheduled sweep will pick it up within 15 minutes).
Subsequent saves are credential-preserving: leave the token field blank to keep the existing token and only update the other fields.
Permissions
Connecting, disconnecting, or editing an integration requires the owner or admin role on the organization. All other roles see the integration cards as read-only. Every change is recorded in the audit log as an integration.<provider>.connected, .updated, or .disconnected event, and each sweep emits .sync_started / .sync_completed / .sync_failed.
Sync failures
When a sync fails — bad token, network blip, rate limit, malformed config — HarborGuard:
- Records the error count and up to the 50 most recent error messages on the integration's status panel.
- Fires an integration_sync_failed notification through your configured channels (email, Slack, PagerDuty, webhook). See Notifications for routing.
- Retries on the next sweep without operator intervention. A persistently failing token keeps firing the notification every 15 minutes until the integration is disabled or the token is fixed.
Adding more integrations
The integrations framework is pluggable — src/lib/integrations/<provider>/ with five files (adapter, HTTP client, Zod schema, mappers, React config card) and a registry entry. New providers will appear on this page as they ship. If you need an integration that isn't listed, request one through your account contact or via support.