NullSquare
Concept · Intermediate · Reviewed May 18, 2026

Security and auditability

How NullSquare handles credentials, the audit log, role-based access, and the boundaries that keep your data your data.

You are trusting NullSquare with sensitive operational context — credentials for your applications, source code through GitHub, identity configuration through Entra and Workspace, and rules of engagement that describe how your business operates. This page describes how that trust is structured.

It is not a marketing document. It is the operational view of how the platform handles credentials, what role-based access actually means in practice, what the audit log captures, and how to behave safely as a customer.

What you will learn

  • Credential handling. What you store, how it is presented back, and how to use it safely.
  • Role-based access. What each role can do, and why we ship four roles instead of three or five.
  • Audit log. Which sensitive actions are recorded and how to review them.
  • Integration boundaries. What integrations can and cannot do once installed.

Related app areas

  • /audit-logs
  • /settings/members

Credentials and access material

Gray-box testing requires access material — credentials, tokens, headers, cookie sessions. NullSquare stores them securely and presents them back to operators in a controlled way: list and detail views show metadata rather than the secret value itself, and the agent retrieves them at run time scoped to where they apply.

  • Login credentials — username and password pairs, optionally tied to a login flow description.
  • Bearer tokens — opaque tokens used as Authorization: Bearer headers.
  • Custom headers — arbitrary key/value pairs for environments that use non-standard auth headers.
  • Cookie sessions — cookie-based session contexts captured from an authenticated browser session.

Safe use of credentials

The platform supports good practice; you supply the discipline. The same hygiene that applies to test credentials in CI applies here.

  • Always use least-privilege test accounts created specifically for assessment use.
  • Scope each piece of access material to the host or path where it applies. Do not paste production admin tokens into staging scopes.
  • Add a note explaining what each credential is for. Future-you will thank current-you.
  • Remove or rotate access material when an assessment is finished or when the test account is no longer needed.
  • Avoid using production accounts of real human users; create dedicated test identities.

Treat test credentials like real credentials

Storage is encrypted and access is gated, but the safest practice is to use accounts that have only the privileges required for the test, in environments where compromise would have no business impact.
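The separation described above (metadata in list views, the secret released only at run time and only where it applies) is easy to get wrong in custom tooling, so here is an added example, not NullSquare's own code, that models it for the four kinds of access material. It assumes an in-memory dictionary as a stand-in for encrypted storage, that secrets are released only for https targets, and that a scope is an exact host plus a path prefix; the names, hosts and secret values are constructed.

```python
"""Added example, not NullSquare's own code: an access-material store that keeps
secret values apart from their metadata, shows only metadata in list views, and
releases a secret at run time only for requests inside its host/path scope."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

KINDS = ("login", "bearer", "header", "cookie")


@dataclass(frozen=True)
class Scope:
    """Where one piece of access material applies: an exact host plus a path prefix."""
    host: str
    path_prefix: str = "/"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        # Assumption: secrets are only ever released for https targets.
        if parts.scheme != "https" or parts.hostname is None:
            return False
        if parts.hostname.lower() != self.host.lower():
            return False
        base = self.path_prefix.rstrip("/")
        path = parts.path or "/"
        # "/admin" matches "/admin" and "/admin/users" but not "/administrator".
        return path == base or path.startswith(base + "/")


class AccessMaterialStore:
    def __init__(self) -> None:
        self._meta: Dict[str, dict] = {}
        # Stand-in for encrypted secret storage; only ever read by resolve().
        self._secrets: Dict[str, Dict[str, str]] = {}

    def add(self, material_id: str, kind: str, scope: Scope, note: str, **secret: str) -> None:
        if kind not in KINDS:
            raise ValueError(f"unknown kind {kind!r}")
        if not note:
            raise ValueError("every credential needs a note explaining what it is for")
        self._meta[material_id] = {"id": material_id, "kind": kind, "scope": scope, "note": note}
        self._secrets[material_id] = dict(secret)

    def remove(self, material_id: str) -> None:
        """Used when an assessment ends or a test account is retired."""
        self._meta.pop(material_id, None)
        self._secrets.pop(material_id, None)

    def list_view(self) -> List[dict]:
        """What operators see: metadata only, never a secret value."""
        return [
            {"id": m["id"], "kind": m["kind"], "note": m["note"],
             "scope": f"{m['scope'].host}{m['scope'].path_prefix}"}
            for m in self._meta.values()
        ]

    def resolve(self, url: str) -> dict:
        """What the agent gets at run time: material rendered for this URL only."""
        headers: Dict[str, str] = {}
        cookies: List[str] = []
        login: Optional[Dict[str, str]] = None
        for m in self._meta.values():
            if not m["scope"].matches(url):
                continue
            secret = self._secrets[m["id"]]
            if m["kind"] == "bearer":
                headers["Authorization"] = f"Bearer {secret['token']}"
            elif m["kind"] == "header":
                headers[secret["name"]] = secret["value"]
            elif m["kind"] == "cookie":
                cookies.append(f"{secret['name']}={secret['value']}")
            elif m["kind"] == "login":
                login = {"username": secret["username"], "password": secret["password"]}
        if cookies:
            headers["Cookie"] = "; ".join(cookies)
        return {"headers": headers, "login": login}


def build_demo_store() -> AccessMaterialStore:
    """Constructed sample material; every host and value below is made up."""
    store = AccessMaterialStore()
    store.add("m1", "bearer", Scope("app.staging.example.com"),
              "staging API token for test tenant", token="tok-staging-123")
    store.add("m2", "login", Scope("app.staging.example.com", "/admin"),
              "dedicated test admin identity", username="qa-admin", password="pw-example")
    store.add("m3", "cookie", Scope("app.staging.example.com"),
              "session captured from test account", name="sid", value="abc")
    store.add("m4", "header", Scope("api.example.com", "/v2"),
              "custom API key header", name="X-Api-Key", value="key-example")
    return store
```

The point to notice is that `list_view()` cannot leak a secret even by accident, because the secret dictionary is never read by anything except `resolve()`, and `resolve()` refuses to render material for a host or path outside the scope it was stored with. The same shape is what makes the "do not paste production admin tokens into staging scopes" advice enforceable rather than aspirational.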

Roles and what they can do

Four roles — Owner, Admin, Lead, and Member — cover the operational shape of a security program. Pick the smallest one that lets each person do their job.

  • Owner — full control including billing and ownership transfer. One per organization.
  • Admin — manages settings, members, integrations, runners, and billing. Right for platform owners and IT.
  • Lead — manages scopes, runs, automations, repository mappings, and evidence review. Right for security operators.
  • Member — triages assigned findings and reviews run outputs. Right for engineers and reviewers.

The audit log

NullSquare records sensitive actions to an audit log. Open Settings → Audit log to review. Each entry includes who, what, when, and the relevant scope or object. Make periodic review part of your routine — once a quarter at minimum, more often for larger teams.

  • Scope creation, configuration changes, and deletions.
  • Asset promotion, demotion, or ignore actions.
  • Access material creation, update, or deletion.
  • Private runner deployment, attachment, and token rotation.
  • Automation creation, edits, pause/resume, and deletion.
  • Integration connections, configuration, and disconnections.
  • Compliance evidence review decisions.
  • Member invitations, role changes, and removals.
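To make the role descriptions and the audit-log list above concrete, here is an added example, not NullSquare's own code, that checks each sensitive action against a role matrix and writes every attempt to an append-only log carrying who, what, when and the object, with a review helper for the periodic review recommended above. It assumes the four roles are ordered (each role can do what the roles below it can), that access material is managed at the Lead level, and that denied attempts are recorded as well as allowed ones; the action names, people and timestamps are constructed.

```python
"""Added example, not NullSquare's own code: a role check on each sensitive
action, with every attempt (allowed or denied) appended to an audit log that
records who, what, when and the object, plus a helper for periodic review."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence

# Assumption: roles are ordered; each role can do what the roles below it can.
ROLES = ("owner", "admin", "lead", "member")

# Lowest role that may perform each action, derived from the role descriptions
# on this page. Access material at the Lead level is an assumption.
ACTION_MIN_ROLE = {
    "ownership.transfer": "owner",
    "billing.update": "admin",
    "member.invite": "admin", "member.role_change": "admin", "member.remove": "admin",
    "integration.connect": "admin", "integration.disconnect": "admin",
    "runner.deploy": "admin", "runner.attach": "admin", "runner.rotate_token": "admin",
    "access_material.create": "lead", "access_material.update": "lead",
    "access_material.delete": "lead",
    "scope.create": "lead", "scope.update": "lead", "scope.delete": "lead",
    "asset.promote": "lead", "asset.demote": "lead", "asset.ignore": "lead",
    "run.start": "lead", "repository.map": "lead",
    "automation.create": "lead", "automation.update": "lead",
    "automation.pause": "lead", "automation.delete": "lead",
    "evidence.review": "lead",
    "finding.triage": "member",
}


def role_allows(role: str, action: str) -> bool:
    """Fail closed: an unknown role or an unknown action is denied."""
    min_role = ACTION_MIN_ROLE.get(action)
    if role not in ROLES or min_role is None:
        return False
    return ROLES.index(role) <= ROLES.index(min_role)


@dataclass(frozen=True)
class AuditEntry:
    at: datetime      # when
    actor: str        # who
    role: str
    action: str       # what
    target: str       # the relevant scope or object
    allowed: bool


class AuditLog:
    """Append-only: there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, entry: AuditEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> Sequence[AuditEntry]:
        return tuple(self._entries)

    def review(self, since: datetime, actions: Optional[Sequence[str]] = None,
               denied_only: bool = False) -> List[AuditEntry]:
        """Periodic review: entries since `since`, optionally filtered by action prefix."""
        out = []
        for e in self._entries:
            if e.at < since:
                continue
            if denied_only and e.allowed:
                continue
            if actions and not any(e.action.startswith(a) for a in actions):
                continue
            out.append(e)
        return out


def perform(log: AuditLog, actor: str, role: str, action: str, target: str,
            at: Optional[datetime] = None) -> bool:
    """Authorize one action and record the decision, whether or not it was allowed."""
    allowed = role_allows(role, action)
    log.append(AuditEntry(at or datetime.now(timezone.utc), actor, role, action, target, allowed))
    return allowed


def build_demo_log() -> AuditLog:
    """Constructed sample activity; names and times are made up."""
    log = AuditLog()
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    perform(log, "alice", "admin", "member.invite", "bob@example.com", t0)
    perform(log, "alice", "admin", "member.role_change", "bob:member->lead", t0 + timedelta(days=1))
    perform(log, "bob", "lead", "scope.create", "scope:staging-app", t0 + timedelta(days=2))
    perform(log, "bob", "lead", "member.remove", "carol", t0 + timedelta(days=3))           # denied
    perform(log, "carol", "member", "scope.delete", "scope:staging-app", t0 + timedelta(days=4))  # denied
    perform(log, "carol", "member", "finding.triage", "finding:42", t0 + timedelta(days=5))
    return log
```

A quarterly review with this shape is two calls: `log.review(since, denied_only=True)` surfaces people trying to act above their role, and `log.review(since, actions=["member.", "runner."])` pulls the membership and runner changes that most often need a second pair of eyes.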

Integration boundaries

Every supported integration is read-only and scope-bound where applicable. Repository access is limited to repositories explicitly mapped to a scope. Identity providers (Entra, Workspace) cannot be modified by the platform. Disconnecting an integration revokes tokens and removes derived data from active use.

Private runner security

A private runner makes outbound connections only — there is no inbound exposure on the runner host. Its scope of action is constrained by attachment: a runner can only execute work in scopes it is attached to. Token rotation is a single action from the runner detail page, and old tokens stop working immediately.
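The three properties above (outbound-only, attachment-bound, rotation that invalidates the old token at once) fall out of a simple server-side design, shown here as an added example that is not NullSquare's own code. It assumes the runner pulls work by polling rather than receiving connections, that the server stores only a hash of each runner token, and that a job queue is tagged with scope ids; the runner, scope and job names are constructed.

```python
"""Added example, not NullSquare's own code: a registry for private runners that
keeps only token hashes, hands out work only for scopes a runner is attached to,
and rotates tokens so the previous token is rejected at once."""
import hashlib
import hmac
import secrets
from collections import deque
from typing import Deque, Dict, Optional, Set, Tuple


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class RunnerRegistry:
    def __init__(self) -> None:
        self._token_hashes: Dict[str, str] = {}        # runner_id -> hash of current token
        self._attachments: Dict[str, Set[str]] = {}    # runner_id -> attached scope ids
        self._queue: Deque[Tuple[str, str]] = deque()  # pending (scope_id, job) pairs

    def register(self, runner_id: str) -> str:
        """Returns the plaintext token once; only its hash is stored."""
        self._attachments.setdefault(runner_id, set())
        return self.rotate(runner_id)

    def rotate(self, runner_id: str) -> str:
        """Single action: overwriting the stored hash invalidates the old token immediately."""
        if runner_id not in self._attachments:
            raise KeyError(runner_id)
        token = secrets.token_urlsafe(32)
        self._token_hashes[runner_id] = _hash_token(token)
        return token

    def attach(self, runner_id: str, scope_id: str) -> None:
        self._attachments[runner_id].add(scope_id)

    def detach(self, runner_id: str, scope_id: str) -> None:
        self._attachments[runner_id].discard(scope_id)

    def authenticate(self, runner_id: str, token: str) -> bool:
        expected = self._token_hashes.get(runner_id)
        return expected is not None and hmac.compare_digest(expected, _hash_token(token))

    def enqueue(self, scope_id: str, job: str) -> None:
        self._queue.append((scope_id, job))

    def poll(self, runner_id: str, token: str) -> Optional[Tuple[str, str]]:
        """Runner-initiated (outbound) call: returns the first pending job in an
        attached scope, or None. Jobs in other scopes are never handed to this runner."""
        if not self.authenticate(runner_id, token):
            return None
        attached = self._attachments.get(runner_id, set())
        for i, (scope_id, job) in enumerate(self._queue):
            if scope_id in attached:
                del self._queue[i]
                return (scope_id, job)
        return None

    def pending(self) -> int:
        return len(self._queue)
```

Because the runner only ever calls `poll()`, nothing on the runner host needs to listen for connections, and because `poll()` filters on attachments before handing anything back, a runner attached to a staging scope never even sees that production work exists.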

Where your data lives

Scope data, assets, findings, evidence, reports, and audit records belong to your organization. The platform processes them to execute runs and produce outputs, but they are not used to train shared systems or shared with other customers. Exports and deletions are available through Settings.
