Integration types
Which categories of integrations HAS supports and how they work.
HAS connects to the tools your team already uses so vulnerabilities found in a test automatically become tickets, notifications, and events in the right places, with no manual work. Below are the types of integrations supported. Configuration steps live inside the company's Integrations panel (gear icon → Integrations), since they shift as each third-party tool updates its APIs.
ITSM and issue tracking
Vulnerabilities turn into tickets, issues, or work items on the ticketing and development platforms your team uses. HAS creates the item when the vulnerability is reported and updates its state as it gets fixed, ignored, or retested.
- Jira — issues on Jira Cloud projects
- GitHub — issues on repositories
- Azure DevOps — work items (Bug, Task, Issue)
- ServiceNow — incidents or change requests
- FreshService — tickets
Chat notifications
Automatic messages to communication channels when a vulnerability is found or a test changes status. Useful to keep the security team aware in real time.
- Slack — channel messages
- Microsoft Teams — channel cards
Generic webhook
HTTP POST with a JSON payload to any endpoint you control. Use it when your tool isn't on the native list above or when you want to process events in your own backend, SIEM, automation pipeline, or internal tooling.
MCP (Model Context Protocol)
MCP is an open standard that lets AI clients talk to external platforms. HAS provides an MCP server so your preferred client can read data such as the vulnerability list, dashboard, and asset inventory, and also run actions like requesting a retest, changing a vulnerability's status, and triggering already-configured integrations.
It works with any MCP-compatible client, including Claude Desktop, Claude.ai, Claude Code, Cursor, VS Code, Windsurf, Cline, and your own CLIs/scripts. Authentication is done via OAuth or a personal token, and every call is recorded in the company's audit logs.
Events that drive integrations
Configured integrations react automatically to platform events.
| Event | When it fires |
|---|---|
vuln.created | New vulnerability is created in HAS |
vuln.approved | Yaga (AI) vulnerability is approved by a human pentester |
vuln.visible | Vulnerability becomes visible to the client |
vuln.status_changed | Vulnerability status changes (fixed, retest, ignored) |
vuln.export | Manual send of a vulnerability to an integration |
test.completed | Test is finalized |
Security and permissions
- Only users with the master role on the company can create, edit, or remove integrations. Regular users can see the configured integrations but can't change them.
- Credentials (API tokens, webhook URLs, passwords) are encrypted with AES-256-GCM before they go to the database.
- SSRF protection: client-provided URLs (generic webhook, ServiceNow, etc.) must be HTTPS. Private IPs, localhost, and cloud metadata endpoints are blocked.
- Rate limiting: max 3 integration configurations per 2 minutes, per company.
- Every trigger is written to the audit log, with success or failure shown in the integrations panel.
- Deduplication: the same vulnerability + event only fires once per 2 hours on automatic triggers. Manual triggers skip dedup.
Where to configure
- Open your company (Overview).
- Click the gear icon at the top (Settings).
- Open the Integrations tab.
- Pick the integration you want and fill the fields that screen asks for.
The exact fields (token, webhook URL, project, work item type, etc.) depend on the tool and can change as those tools update their APIs. That's why detailed steps live inside each integration's screen rather than on this page.