Access Control
SSO, SCIM, role-based access, and audit logs for managing who can see and act on your security findings.
Trace's access control is built around the assumption that security findings are sensitive data. Every account decision — who can sign in, what they can do, what they can see — is enforced at the application layer and recorded for audit.
Single sign-on (SSO)
Trace integrates with your identity provider through WorkOS. Supported standards:
- SAML 2.0 — for any IdP that speaks SAML, including Okta, Microsoft Entra (formerly Azure AD), OneLogin, JumpCloud, Auth0, and Ping.
- OIDC — for OIDC-native providers.
- Social providers — Google Workspace and Microsoft accounts are supported out of the box for organizations that don't require a dedicated IdP.
SSO is configured once per organization. Your Trace team sets up the connection metadata; after that, your users sign in through your IdP and Trace provisions them just-in-time on first sign-in.
SCIM directory sync
Automatic provisioning and deprovisioning through SCIM Directory Sync is available on enterprise plans — when you remove a user from your IdP, their Trace access is revoked on the next sync, with no manual offboarding step. Reach out to the Trace team to enable it for your org.
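The deprovisioning behaviour described above, modelled as a directory-sync reconciliation step. This is an added illustrative example, not Trace's or WorkOS's code: the `DirectoryUser` record, the `reconcile` function and the sample IdP snapshot are all constructed here. The point it makes is that a sync keys membership on the IdP's stable external ID rather than the email address, and that a user who is suspended in the IdP (still present, but inactive) loses access just like one who was deleted.

```python
"""Directory-sync reconciliation (illustrative example, not Trace's or WorkOS's code).

Assumptions: the IdP snapshot and the current member list are constructed
sample data; `reconcile` models what a sync does with them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    external_id: str   # stable IdP identifier; emails can change, this should not
    email: str
    active: bool       # False when the IdP has suspended the account


@dataclass(frozen=True)
class SyncPlan:
    provision: tuple[str, ...]   # external_ids that gain access on this sync
    revoke: tuple[str, ...]      # external_ids whose access is revoked on this sync


def reconcile(idp_users: list[DirectoryUser], current_members: dict[str, str]) -> SyncPlan:
    """current_members maps external_id -> email for users who currently hold access.

    Anyone active in the IdP but not yet a member is provisioned; anyone who is a
    member but is absent from the IdP, or present but inactive, is revoked.
    """
    active_ids = {u.external_id for u in idp_users if u.active}
    provision = sorted(active_ids - current_members.keys())
    revoke = sorted(set(current_members) - active_ids)
    return SyncPlan(tuple(provision), tuple(revoke))


def demo_sync() -> SyncPlan:
    # Constructed sample data: one suspended user, one deleted user, one new hire.
    idp = [
        DirectoryUser("u-1", "ana@example.com", True),
        DirectoryUser("u-2", "ben@example.com", False),   # suspended in the IdP
        DirectoryUser("u-4", "dee@example.com", True),    # new hire, not yet a member
    ]
    members = {
        "u-1": "ana@example.com",
        "u-2": "ben@example.com",
        "u-3": "cal@example.com",   # removed from the IdP entirely
    }
    return reconcile(idp, members)


if __name__ == "__main__":
    print(demo_sync())
```

Running `demo_sync()` yields a plan that provisions `u-4` and revokes both `u-2` (suspended) and `u-3` (deleted), which is the "no manual offboarding step" outcome the section describes.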
Roles
Trace ships with three built-in roles. Permissions are layered: every Admin can do what an Analyst can do, and every Analyst can do what a Developer can do.
| Role | Can do |
|---|---|
| Developer | View vulnerabilities; trigger scans; mark findings as false positives. |
| Analyst | Everything a Developer can do, plus invite/remove members and manage webhooks. |
| Admin | Everything an Analyst can do, plus change roles and manage API keys. |
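The layered role model in the table, together with the audit recording that the introduction says accompanies every access decision, as an added example. This is illustrative code written for this page, not Trace's implementation: the permission names, the `Org` class, the `authorize` function and the sample members are all constructed. Each role lists only the permissions it adds, and the inheritance chain resolves the rest, so a new permission is added in exactly one place.

```python
"""Layered role checks with audit recording (illustrative example, not Trace's code).

Assumptions: the three roles and their capabilities come from the table above;
the permission names, `Org.authorize` and the in-memory audit list are
constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions each role adds on top of the role below it.
DIRECT_PERMISSIONS = {
    "Developer": {"vulnerabilities:view", "scans:trigger", "findings:mark_false_positive"},
    "Analyst": {"members:invite", "members:remove", "webhooks:manage"},
    "Admin": {"roles:change", "api_keys:manage"},
}
ROLE_CHAIN = ["Developer", "Analyst", "Admin"]  # lowest to highest


def effective_permissions(role: str) -> frozenset[str]:
    """Union of the role's own permissions and those of every role below it."""
    if role not in ROLE_CHAIN:
        raise ValueError(f"unknown role: {role}")
    perms: set[str] = set()
    for lower in ROLE_CHAIN[: ROLE_CHAIN.index(role) + 1]:
        perms |= DIRECT_PERMISSIONS[lower]
    return frozenset(perms)


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    action: str
    target: str
    allowed: bool
    timestamp: str


@dataclass
class Org:
    name: str
    members: dict[str, str] = field(default_factory=dict)  # user -> role
    audit: list[AuditEvent] = field(default_factory=list)

    def authorize(self, actor: str, action: str, target: str) -> bool:
        """Application-layer check; every decision, allowed or denied, is recorded."""
        role = self.members.get(actor)
        allowed = role is not None and action in effective_permissions(role)
        self.audit.append(AuditEvent(actor, action, target, allowed,
                                     datetime.now(timezone.utc).isoformat()))
        return allowed


def demo() -> list[tuple[str, str, bool]]:
    # Constructed sample organization with one member per role.
    org = Org("example-org", {"dev@example.com": "Developer",
                              "analyst@example.com": "Analyst",
                              "admin@example.com": "Admin"})
    checks = [
        ("dev@example.com", "scans:trigger", "repo:api"),
        ("dev@example.com", "members:invite", "new@example.com"),
        ("analyst@example.com", "members:invite", "new@example.com"),
        ("analyst@example.com", "roles:change", "dev@example.com"),
        ("admin@example.com", "roles:change", "dev@example.com"),
        ("outsider@example.com", "vulnerabilities:view", "repo:api"),
    ]
    return [(actor, action, org.authorize(actor, action, target))
            for actor, action, target in checks]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Denied decisions are recorded as well as allowed ones; a burst of denied `roles:change` or `api_keys:manage` attempts from a Developer account is exactly the kind of signal an audit stream is there to surface.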
API keys
Admins can issue API keys from Settings → API Keys for machine-to-machine access (CLI use in CI, custom dashboards, etc.). Each key is scoped to the issuing organization, tracks its creation timestamp and last-used time, and can be revoked instantly from the dashboard. API key creation, use, and revocation are recorded as audit events.
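The key properties listed above (scoped to the issuing organization, created and last-used timestamps, instant revocation) as an added example of a key store. This is illustrative code, not Trace's implementation: the `tk_` prefix, the key format, storing only a hash of the secret at rest, and the in-memory `ApiKeyStore` are all choices made for this example. A high-entropy random secret can be stored as a plain SHA-256 digest; a slow password hash is only needed when the secret is something a person chose.

```python
"""API key lifecycle: issue, verify, track last use, revoke (illustrative, not Trace's code).

Assumptions: the key format (public id + random secret), storing only a hash
at rest, and the in-memory store are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ApiKeyRecord:
    key_id: str                       # public identifier, safe to show in a dashboard
    org: str                          # issuing organization; keys never cross org boundaries
    secret_hash: str                  # SHA-256 of the secret; plaintext is shown once, never stored
    created_at: str
    last_used_at: Optional[str] = None
    revoked_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class ApiKeyStore:
    records: dict[str, ApiKeyRecord] = field(default_factory=dict)

    def issue(self, org: str) -> tuple[str, str]:
        """Return (key_id, plaintext_key). Only the hash of the secret is retained."""
        key_id = "tk_" + secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.records[key_id] = ApiKeyRecord(key_id, org, _hash(secret), _now())
        return key_id, f"{key_id}.{secret}"

    def verify(self, presented: str, org: str) -> bool:
        """Accept only an unrevoked key issued to `org`; update last-used on success."""
        key_id, sep, secret = presented.partition(".")
        rec = self.records.get(key_id)
        if not sep or rec is None or rec.org != org or rec.revoked_at is not None:
            return False
        # Constant-time comparison of the two hex digests.
        if not hmac.compare_digest(rec.secret_hash, _hash(secret)):
            return False
        rec.last_used_at = _now()
        return True

    def revoke(self, key_id: str) -> bool:
        """Revocation takes effect immediately; verify() refuses the key from now on."""
        rec = self.records.get(key_id)
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = _now()
        return True


def demo_keys() -> dict[str, bool]:
    store = ApiKeyStore()
    key_id, plaintext = store.issue("example-org")
    tampered = plaintext[:-1] + ("A" if plaintext[-1] != "A" else "B")
    out = {
        "valid": store.verify(plaintext, "example-org"),
        "wrong_org": store.verify(plaintext, "other-org"),
        "tampered": store.verify(tampered, "example-org"),
        "last_used_recorded": store.records[key_id].last_used_at is not None,
        "revoked": store.revoke(key_id),
    }
    out["after_revoke"] = store.verify(plaintext, "example-org")
    return out


if __name__ == "__main__":
    print(demo_keys())
```

The public `key_id` is what shows up in logs and the dashboard, so a leaked log line never contains the part that grants access, and a revoked key can be matched back to its creation and last-used audit events by that id.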
Audit log
Every action that affects your security posture — invites, role changes, scan runs, vulnerability state changes, integration installs, suppression rules — is recorded as an audit event. Each entry captures the actor, action, target resource, and timestamp.
Trace forwards audit events to WorkOS Audit Logs, so customers with SSO-enabled organizations can review and export the full event stream through the WorkOS admin portal. An in-product audit log view and webhook-based forwarding are on the roadmap.
GitHub App permissions
When you install Trace's GitHub App, GitHub displays the full list of permissions Trace requests. We request only what's needed to clone repositories, post check runs, post review comments, and upload SARIF — no write access to your repository contents, no access to your organization settings, and no access to repositories you haven't explicitly granted.
A complete reference of every permission Trace requests is available on request — ask the Trace team if you need it for a security review.
Session and authentication policies
- Sessions are time-bound and tied to your IdP's session policy when SSO is enabled.
- For organizations not yet on SSO, password authentication supports strong-password requirements and MFA through WorkOS.
- Failed authentication attempts are rate-limited and recorded.