⚠️ Select your experience
Select your interface version below to learn how to manage connected version control.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
What’s changed in the New Experience
Managing version control accounts is now handled through a dedicated page in the New Experience.
Instead of accessing account management from an individual connection card, you can now review and manage infrastructure accounts from the Connections page → Version Control page.
Instructions for the New Experience ⬇️
The Version Control page shows accounts discovered through your connected version control systems.
This page helps you:
View which version control accounts Drata is monitoring
Understand which accounts represent individual users versus service accounts
Link accounts to personnel
Review access indicators such as write access, merge permissions, and MFA status
Prerequisites
Before managing version control accounts in Drata:
A version control system (such as GitHub, GitLab, or Bitbucket) must be connected
An identity provider must be connected to sync personnel into Drata
Drata uses read-only access to collect version control account data and does not modify permissions or access levels in your version control system.
How version control accounts appear in Drata
After a version control system is connected, Drata automatically syncs detected user accounts.
In many cases, Drata attempts to automatically link accounts to personnel based on matching attributes such as name or email. If a match cannot be determined, the account remains unlinked.
Some version control providers may not share enough information for automatic matching. In these cases, accounts must be linked manually.
Link version control accounts to personnel
For a complete explanation of how account linking works across Drata, including how service accounts are handled, refer to Linking accounts to personnel in Drata.
Access changes and audit trail
When access to a version control account is removed in the provider, Drata detects and records the change.
Deleting an account in your version control system does not remove it from Drata. Instead, Drata records a timestamp indicating when access was revoked under the Access revoked column. This preserves an audit trail used to demonstrate timely access removal and track access control SLAs.
Changes made in the provider may take time to appear in Drata due to sync timing.
Access indicators: Write Access, Merge to default branch, and MFA
Drata looks at your version control system and reads certain access signals about each account. These signals help Drata understand how powerful an account is, but Drata cannot change them.
Write access → Can this account push code?
Merge to default branch → Can this account push directly to production?
MFA status → Is extra authentication required to log in?
Write Access and Merge to default branch
The Write access and Merge to default branch column has checkboxes which are used to confirm the level of access an account is expected to have.
Checking these boxes:
Does not change permissions in your version control system
Helps Drata understand which access is intentional
Is used to evaluate access-related compliance checks
You should select these options only when the account is meant to have that level of access in the source system. If the access shown in your version control tool doesn’t match what’s selected here, related tests may fail. To actually change permissions, update the account directly in your version control system.
MFA status
MFA status is detected automatically from the version control provider.
MFA is read-only in Drata
MFA configuration must be managed in the provider
MFA indicators are used to evaluate relevant compliance tests
If an MFA-related test fails, refer to Test 86: MFA on Identity Provider for remediation guidance.
Important considerations
Changes made in the version control system may take time to appear in Drata
Some fields are informational and do not directly affect monitoring outcomes
Account visibility does not mean Drata can enforce access
Drata reflects what it observes from the provider and preserves that information for compliance and audit purposes.
Instructions for the Classic Experience ⬇️
After you connect a Version Control system to Drata, Drata will sync and auto-match accounts to a personnel (except for Bitbucket and AWS CodeCommit). You can also manually link personnel to synced version control accounts and verify the access levels of each account within your company’s version control system.
Drata has read-only access to your company’s version control system. The actions you take following this article on Drata’s ‘Version Control Accounts’ page does not change permissions or access levels on your company's version control system.
The version control system is integrated to let Drata know what the users should have access to. Drata's daily, automated tests will confirm and collect evidence for future audits. If unauthorized access is detected, your team will be alerted automatically.
BEFORE DIVING IN
Remember, Drata is only provided with Read-Only access to your company's systems. The toggles on this page are not changing any permissions or access levels on your actual version control system. They're only telling Drata what the user should have access to.
HERE'S HOW
1. Select "Connections'' on the side navigation menu.
2. Search for your active version control connection and select ‘Manage Accounts’. The following image is an example when GitHub is the version control connection. Go to your version control connection to select ‘Manage Accounts’.
Note: If you do not see any connections under the Active connections tab, go to Available connections to connect to a version control connection.
3. View all of your synced version control accounts in the Version Control Accounts page.
Add personnel to version control accounts
When new version control accounts are synced, Drata attempts to find a match to a personnel, by matching between personnel’s details coming from HRIS (such as name and email) and version control account details (such as username, name, and email). If no match is found, that account remains unlinked.
If you are using Bitbucket or AWS CodeCommit, the accounts remain unlinked. Bitbucket and AWS CodeCommit do not share required details like email and name for auto-matching.
You can always update, add, or remove linked version control accounts. To do so, select the dropdown in the Personnel column and begin entering the name of the personnel.
To verify that the user is linked, a link icon should appear under the Status column.
In the following sections, learn more about the following columns in the table: Access Revoked, Write Access, Merge to Default Branch, Has MFA, and Settings Gear.
Access Revoked
Access Revoked column indicates the timestamp of a removal of an account. The account is not removed from Drata. This is important as it creates an audit trail, allowing for tracking of access control SLAs.
Note: It can take up to 24 hours for Drata to update. This is due to the connection API.
Write Access
The Write Access column indicates what level of write access the user should have.
By default, the column indicates that users do not have write access; the toggle is off. Verify each user's access and toggle on (
) if a user is supposed to have write access.
Note: If the user has write access to one or multiple repositories in your connected version control account, ensure to toggle on in the column.
Merge to Default Branch
The Merge to Default Branch column indicates if the user should have the authority to push code to your production application.
By default, the column indicates that users do not have write access; the toggle is off. Verify each user's access and toggle on (
Note: If the user has merge to default branch access to one or multiple repositories in your connected version control account, ensure to toggle on in the column.
Has MFA
The Has MFA column is automated and pulls information from the version control tool. It's important that your personnel have MFA enabled for security and compliance.
Settings Gear
The last column has a Gear icon.
Hover over the icon to view tooltip with a "Make Out of Scope (Ignore)." message. Select the gear for version control users that are not actual real people at your company, but instead are accounts meant for conducting specific services automatically. When you select the icon, a modal appears. The following image showcases the modal.
You'll be prompted to provide the business rationale for having an account that is not unique to any individual at your company. Inputting this information here will save you time during your next audit. This action also makes this record appear with the link icon in the far left column, and will help avoid test failures for this record.