NullSquare
how tointermediateReviewed May 18, 2026

Integrations

Connect GitHub for white-box context and PR review, Microsoft Entra and Google Workspace for identity evidence, plus the access boundary that keeps integrations safe.

Integrations connect NullSquare to the systems that already hold context about your environment — your source code, your identity provider, your collaboration tools. Each integration unlocks a specific capability: GitHub enables white-box testing and PR review, Microsoft Entra and Google Workspace bring identity evidence into compliance readiness, and the integrations layer is where future providers will plug in.

This page covers what each currently-supported integration does, how to connect it, and the access boundaries that keep all of them read-only and scope-bound.

What you will learn

  • GitHub. Repository sync, white-box context, PR review, branch protection evidence.
  • Microsoft Entra. Identity evidence for compliance readiness.
  • Google Workspace. Workspace identity evidence for compliance readiness.
  • Access boundary. How NullSquare keeps integrations read-only and scope-bound.

Related app areas

/integrations/settings/integrations

Where integrations live

Integrations are installed at the organization level by an Owner or Admin. Once installed, individual scopes can use them — for example, GitHub is installed once, but each scope chooses which repositories to map.

You can disconnect an integration at any time. Disconnecting revokes the platform's access and removes derived data (mapped repositories, synced evidence) from active use, though historical evidence remains for audit purposes.

GitHub

GitHub is the source-context integration. Install it once at the organization level, sync the repositories you want available, and then map them to scopes that should have white-box context. Repository access is strictly read-only.

  1. 1Open Settings → Integrations.
  2. 2Click Connect GitHub and approve the app installation on the GitHub side.
  3. 3Sync the repositories you want available to NullSquare.
  4. 4Open a scope and map the relevant repository under the Repositories tab.
  5. 5Optional: enable PR review on that mapping so each pull request triggers a focused security pass on the diff.
  6. 6Optional: enable compliance evidence sync to capture branch protection settings as readiness evidence.

Repositories are scope-bound

A repository is only available to runs in the scopes it has been mapped to. Mapping a repository to one scope does not make it visible to others — that boundary is deliberate.

Play: automated PR review

Microsoft Entra

Microsoft Entra (Azure Active Directory) provides identity posture evidence. Once connected, the platform syncs tenant metadata and identity configuration so it can support compliance controls related to authentication, MFA, privileged access, and account hygiene.

  • Tenant metadata.
  • User and guest posture where readable.
  • MFA and authentication settings where readable.
  • Privileged role membership.
  • Inactive account and access-review posture where readable.

Google Workspace

Google Workspace provides equivalent identity posture evidence for organizations that run on Google. Like Entra, it is used to support compliance controls related to authentication and account governance.

  • Customer and domain metadata.
  • User inventory and 2-step verification fields.
  • Admin role membership.
  • Security group evidence where readable.

How integration evidence flows into compliance

Identity and source integrations feed the compliance evidence library. Synced items enter as candidate evidence and are reviewed against the controls they apply to. They do not pass controls automatically — your team reviews and approves, the same as any uploaded evidence.

Access boundary

Every supported integration is read-only and scope-bound where applicable. The agent cannot push code, modify identities, or change provider configuration. Within a scope, source-context tools can only read repositories that the scope has explicitly mapped — no other repositories, even ones the organization owns, are visible to that scope's runs.

Disconnecting

Open Settings → Integrations and choose Disconnect. The platform revokes its tokens, removes derived data from active use (mapped repos, synced evidence), and stops further syncs. Historical evidence is retained for audit purposes but is no longer refreshed.

New integrations

NullSquare is building out additional integrations (Slack notifications, Jira ticket sync, additional identity and source providers). The integrations page is the place to see what is currently available; the docs will update as new providers ship.

Related articles