add tags support in secret imports

reduce k8 events
Merge pull request #889 from EBEN4REAL/custom-tag-colors
2025-04-06 22:14:48 +00:00 · 2023-08-24 17:21:14 -04:00 · 2023-08-24 15:41:29 -04:00 · 2023-08-23 21:03:46 -07:00 · 2023-08-24 03:59:49 +01:00 · 2023-08-24 03:39:46 +01:00
788 changed files with 40394 additions and 19612 deletions
--- a/.env.example
+++ b/.env.example
@ -25,6 +25,9 @@ JWT_PROVIDER_AUTH_LIFETIME=
 # Required
 MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin

+# Redis
+REDIS_URL=redis://redis:6379
+
 # Optional credentials for MongoDB container instance and Mongo-Express
 MONGO_USERNAME=root
 MONGO_PASSWORD=example
@ -47,11 +50,13 @@ CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
 CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
 CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=

 # Sentry (optional) for monitoring errors
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -1,11 +1,17 @@
 name: Release standalone docker image
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"

 jobs:
  infisical-standalone:
    name: Build infisical standalone image
    runs-on: ubuntu-latest
    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
        with:
@ -64,5 +70,6 @@ jobs:
          tags: |
            infisical/infisical:latest
            infisical/infisical:${{ steps.commit.outputs.short }}
+            infisical/infisical:${{ steps.extract_version.outputs.version }}
          platforms: linux/amd64,linux/arm64
          file: Dockerfile.standalone-infisical
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -108,6 +108,22 @@ brews:
      zsh_completion.install "completions/infisical.zsh" => "_infisical"
      fish_completion.install "completions/infisical.fish"
      man1.install "manpages/infisical.1.gz"
+  - name: 'infisical@{{.Version}}'
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"

 nfpms:
  - id: infisical
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1,4 +1,3 @@
-
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,3 +0,0 @@
-{
-	"workbench.editor.wrapTabs": true
-}
--- a/README.md
+++ b/README.md
--- a/backend/.eslintrc
+++ b/backend/.eslintrc
@ -10,6 +10,7 @@
    "plugin:@typescript-eslint/recommended"
  ],
  "rules": {
+    "no-empty-function": "off",
    "@typescript-eslint/no-empty-function": "off",
    "no-console": 2,
    "quotes": [
@ -34,11 +35,6 @@
        "argsIgnorePattern": "^_"
      }
    ],
-    "sort-imports": [
-      "error",
-      {
-        "ignoreDeclarationSort": true
-      }
-    ]
+    "sort-imports": 1
  }
 }
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -14,14 +14,20 @@ FROM node:16-alpine

 WORKDIR /app

+ENV npm_config_cache /home/node/.npm
+
 COPY package*.json ./
 RUN npm ci --only-production

 COPY --from=build /app .

+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1
+
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js

 EXPOSE 4000

-CMD ["npm", "run", "start"]
+CMD ["npm", "run", "start"]
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -2,6 +2,7 @@
  "dependencies": {
    "@aws-sdk/client-secrets-manager": "^3.319.0",
    "@godaddy/terminus": "^4.12.0",
+    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/rest": "^19.0.5",
    "@sentry/node": "^7.49.0",
    "@sentry/tracing": "^7.48.0",
@ -29,13 +30,16 @@
    "jsrp": "^0.2.4",
    "libsodium-wrappers": "^0.7.10",
    "lodash": "^4.17.21",
-    "mongoose": "^6.10.5",
+    "mongodb": "^5.7.0",
+    "mongoose": "^7.4.1",
    "nanoid": "^3.3.6",
    "node-cache": "^5.1.2",
    "nodemailer": "^6.8.0",
    "passport": "^0.6.0",
+    "passport-github": "^1.1.0",
    "passport-google-oauth20": "^2.0.0",
    "posthog-node": "^2.6.0",
+    "probot": "^12.3.1",
    "query-string": "^7.1.3",
    "rate-limit-mongo": "^2.3.2",
    "rimraf": "^3.0.2",
@ -46,7 +50,7 @@
    "typescript": "^4.9.3",
    "utility-types": "^3.10.0",
    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
+    "winston-loki": "^6.0.7"
  },
  "name": "infisical-api",
  "version": "1.0.0",
@ -80,6 +84,7 @@
    "@posthog/plugin-scaffold": "^1.3.4",
    "@types/bcrypt": "^5.0.0",
    "@types/bcryptjs": "^2.4.2",
+    "@types/bull": "^4.10.0",
    "@types/cookie-parser": "^1.4.3",
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
@ -103,6 +108,7 @@
    "jest-junit": "^15.0.0",
    "nodemon": "^2.0.19",
    "npm": "^8.19.3",
+    "smee-client": "^1.2.3",
    "supertest": "^6.3.3",
    "ts-jest": "^29.0.3",
    "ts-node": "^10.9.1"
--- a/backend/spec.json
+++ b/backend/spec.json
@ -3203,6 +3203,9 @@
                  "name": {
                    "example": "any"
                  },
+                  "tagColor": {
+                    "example": "any"
+                  },
                  "slug": {
                    "example": "any"
                  }
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -10,7 +10,7 @@ export const getEncryptionKey = async () => {
  return secretValue === "" ? undefined : secretValue;
 }
 export const getRootEncryptionKey = async () => {
-  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue; 
+  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
 }
 export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
@ -36,15 +36,21 @@ export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_
 export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
 export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
 export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
-export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
+export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
 export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
 export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
 export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
 export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
 export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
 export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
-export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
+export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
 export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+
+export const getClientIdGoogleLogin = async () => (await client.getSecret("CLIENT_ID_GOOGLE_LOGIN")).secretValue;
+export const getClientSecretGoogleLogin = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE_LOGIN")).secretValue;
+export const getClientIdGitHubLogin = async () => (await client.getSecret("CLIENT_ID_GITHUB_LOGIN")).secretValue;
+export const getClientSecretGitHubLogin = async () => (await client.getSecret("CLIENT_SECRET_GITHUB_LOGIN")).secretValue;
+
 export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
 export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
 export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
@ -57,6 +63,13 @@ export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWOR
 export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
 export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";

+export const getSecretScanningWebhookProxy = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_PROXY")).secretValue;
+export const getSecretScanningWebhookSecret = async () => (await client.getSecret("SECRET_SCANNING_WEBHOOK_SECRET")).secretValue;
+export const getSecretScanningGitAppId = async () => (await client.getSecret("SECRET_SCANNING_GIT_APP_ID")).secretValue;
+export const getSecretScanningPrivateKey = async () => (await client.getSecret("SECRET_SCANNING_PRIVATE_KEY")).secretValue;
+
+export const getRedisUrl = async () => (await client.getSecret("REDIS_URL")).secretValue;
+
 export const getLicenseKey = async () => {
  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
  return secretValue === "" ? undefined : secretValue;
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -15,20 +15,20 @@ import { checkUserDevice } from "../../helpers/user";
 import {
  ACTION_LOGIN,
  ACTION_LOGOUT,
-  AUTH_MODE_JWT,
 } from "../../variables";
 import { 
  BadRequestError,
  UnauthorizedRequestError,
 } from "../../utils/errors";
 import { EELogService } from "../../ee/services";
-import { getChannelFromUserAgent } from "../../utils/posthog";
+import { getUserAgentType } from "../../utils/posthog";
 import {
  getHttpsEnabled,
  getJwtAuthLifetime,
  getJwtAuthSecret,
  getJwtRefreshSecret,
 } from "../../config";
+import { ActorType } from "../../ee/models";

 declare module "jsonwebtoken" {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -142,7 +142,7 @@ export const login2 = async (req: Request, res: Response) => {
        loginAction && await EELogService.createLog({
          userId: user._id,
          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          channel: getUserAgentType(req.headers["user-agent"]),
          ipAddress: req.realIP,
        });

@ -170,7 +170,7 @@ export const login2 = async (req: Request, res: Response) => {
 * @returns
 */
 export const logout = async (req: Request, res: Response) => {
-  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
+  if (req.authData.actor.type === ActorType.USER && req.authData.tokenVersionId) {
    await clearTokens(req.authData.tokenVersionId)
  }

@ -190,7 +190,7 @@ export const logout = async (req: Request, res: Response) => {
  logoutAction && await EELogService.createLog({
    userId: req.user._id,
    actions: [logoutAction],
-    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    channel: getUserAgentType(req.headers["user-agent"]),
    ipAddress: req.realIP,
  });

--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
@ -13,21 +13,27 @@ import * as signupController from "./signupController";
 import * as userActionController from "./userActionController";
 import * as userController from "./userController";
 import * as workspaceController from "./workspaceController";
+import * as secretScanningController from "./secretScanningController";
+import * as webhookController from "./webhookController";
+import * as secretImportController from "./secretImportController";

 export {
-	authController,
-	botController,
-	integrationAuthController,
-	integrationController,
-	keyController,
-	membershipController,
-	membershipOrgController,
-	organizationController,
-	passwordController,
-	secretController,
-	serviceTokenController,
-	signupController,
-	userActionController,
-	userController,
-	workspaceController,
+  authController,
+  botController,
+  integrationAuthController,
+  integrationController,
+  keyController,
+  membershipController,
+  membershipOrgController,
+  organizationController,
+  passwordController,
+  secretController,
+  serviceTokenController,
+  signupController,
+  userActionController,
+  userController,
+  workspaceController,
+  secretScanningController,
+  webhookController,
+  secretImportController
 };
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -3,10 +3,14 @@ import { Types } from "mongoose";
 import { standardRequest } from "../../config/request";
 import { getApps, getTeams, revokeAccess } from "../../integrations";
 import { Bot, IntegrationAuth } from "../../models";
+import { EventType } from "../../ee/models";
 import { IntegrationService } from "../../services";
+import { EEAuditLogService } from "../../ee/services";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
+  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_NORTHFLANK_API_URL,
  INTEGRATION_RAILWAY_API_URL,
  INTEGRATION_SET,
  INTEGRATION_VERCEL_API_URL,
@ -60,6 +64,19 @@ export const oAuthExchange = async (req: Request, res: Response) => {
    environment: environments[0].slug
  });

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.AUTHORIZE_INTEGRATION,
+      metadata: {
+        integration: integrationAuth.integration
+      }
+    },
+    {
+      workspaceId: integrationAuth.workspace
+    }
+  );
+
  return res.status(200).send({
    integrationAuth
  });
@ -127,6 +144,19 @@ export const saveIntegrationAccessToken = async (req: Request, res: Response) =>
  });

  if (!integrationAuth) throw new Error("Failed to save integration access token");
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.AUTHORIZE_INTEGRATION,
+      metadata: {
+        integration: integrationAuth.integration
+      }
+    },
+    {
+      workspaceId: integrationAuth.workspace
+    }
+  );

  return res.status(200).send({
    integrationAuth
@ -141,12 +171,14 @@ export const saveIntegrationAccessToken = async (req: Request, res: Response) =>
 */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  const teamId = req.query.teamId as string;
+  const workspaceSlug = req.query.workspaceSlug as string;

  const apps = await getApps({
    integrationAuth: req.integrationAuth,
    accessToken: req.accessToken,
    accessId: req.accessId,
-    ...(teamId && { teamId })
+    ...(teamId && { teamId }),
+    ...(workspaceSlug && { workspaceSlug })
  });

  return res.status(200).send({
@ -382,6 +414,139 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
  });
 };

+/**
+ * Return list of workspaces allowed for Bitbucket integration
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: Response) => {
+  
+  interface WorkspaceResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Workspace>;
+  }
+
+  interface Workspace {
+    type: string;
+    uuid: string;
+    name: string;
+    slug: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  const workspaces: Workspace[] = [];
+  let hasNextPage = true;
+  let workspaceUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/workspaces`
+
+  while (hasNextPage) {
+    const { data }: { data: WorkspaceResponse } = await standardRequest.get(
+      workspaceUrl,
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+    
+    if (data?.values.length > 0) {
+      data.values.forEach((workspace) => {
+        workspaces.push(workspace)
+      })
+    }
+
+    if (data.next) {
+      workspaceUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  return res.status(200).send({
+    workspaces
+  });
+};
+
+/**
+ * Return list of secret groups for Northflank project with id [appId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getIntegrationAuthNorthflankSecretGroups = async (req: Request, res: Response) => {
+  const appId = req.query.appId as string;
+  
+  interface NorthflankSecretGroup {
+    id: string;
+    name: string;
+    description: string;
+    priority: number;
+    projectId: string;
+  }
+  
+  interface SecretGroup {
+    name: string;
+    groupId: string;
+  }
+  
+  const secretGroups: SecretGroup[] = [];
+
+  if (appId && appId !== "") { 
+    let page = 1;
+    const perPage = 10;
+    let hasMorePages = true;
+    
+    while(hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage),
+        filter: "all",
+      });
+
+      const {
+        data: {
+          data: {
+            secrets
+          }
+        }
+      } = await standardRequest.get<{ data: { secrets: NorthflankSecretGroup[] }}>(
+        `${INTEGRATION_NORTHFLANK_API_URL}/v1/projects/${appId}/secrets`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${req.accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      );
+      
+      secrets.forEach((a: any) => {
+        secretGroups.push({
+          name: a.name,
+          groupId: a.id
+        });
+      });
+
+      if (secrets.length < perPage) {
+        hasMorePages = false;
+      }
+
+      page++;
+    }
+  }
+  
+  return res.status(200).send({
+    secretGroups
+  });
+}
+
 /**
 * Delete integration authorization with id [integrationAuthId]
 * @param req
@ -393,8 +558,26 @@ export const deleteIntegrationAuth = async (req: Request, res: Response) => {
    integrationAuth: req.integrationAuth,
    accessToken: req.accessToken
  });
+  
+  if (!integrationAuth) return res.status(400).send({
+    message: "Failed to find integration authorization"
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UNAUTHORIZE_INTEGRATION,
+      metadata: {
+        integration: integrationAuth.integration
+      }
+    },
+    {
+      workspaceId: integrationAuth.workspace
+    }
+  );

  return res.status(200).send({
    integrationAuth
  });
 };
+
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -2,10 +2,13 @@ import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { Integration } from "../../models";
 import { EventService } from "../../services";
-import { eventPushSecrets } from "../../events";
+import { eventStartIntegration } from "../../events";
 import Folder from "../../models/folder";
 import { getFolderByPath } from "../../services/FolderService";
 import { BadRequestError } from "../../utils/errors";
+import { EEAuditLogService } from "../../ee/services";
+import { EventType } from "../../ee/models";
+import { syncSecretsToActiveIntegrationsQueue } from "../../queues/integrations/syncSecretsToThirdPartyServices";

 /**
 * Create/initialize an (empty) integration for integration authorization
@ -27,19 +30,19 @@ export const createIntegration = async (req: Request, res: Response) => {
    owner,
    path,
    region,
-    secretPath,
+    secretPath
  } = req.body;

  const folders = await Folder.findOne({
    workspace: req.integrationAuth.workspace._id,
-    environment: sourceEnvironment,
+    environment: sourceEnvironment
  });

  if (folders) {
    const folder = getFolderByPath(folders.nodes, secretPath);
    if (!folder) {
      throw BadRequestError({
-        message: "Path for service token does not exist",
+        message: "Path for service token does not exist"
      });
    }
  }
@ -62,21 +65,46 @@ export const createIntegration = async (req: Request, res: Response) => {
    region,
    secretPath,
    integration: req.integrationAuth.integration,
-    integrationAuth: new Types.ObjectId(integrationAuthId),
+    integrationAuth: new Types.ObjectId(integrationAuthId)
  }).save();

  if (integration) {
    // trigger event - push secrets
    EventService.handleEvent({
-      event: eventPushSecrets({
+      event: eventStartIntegration({
        workspaceId: integration.workspace,
-        environment: sourceEnvironment,
-      }),
+        environment: sourceEnvironment
+      })
    });
  }

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_INTEGRATION,
+      metadata: {
+        integrationId: integration._id.toString(),
+        integration: integration.integration,
+        environment: integration.environment,
+        secretPath,
+        url: integration.url,
+        app: integration.app,
+        appId: integration.appId,
+        targetEnvironment: integration.targetEnvironment,
+        targetEnvironmentId: integration.targetEnvironmentId,
+        targetService: integration.targetService,
+        targetServiceId: integration.targetServiceId,
+        path: integration.path,
+        region: integration.region
+      }
+    },
+    {
+      workspaceId: integration.workspace
+    }
+  );
+
  return res.status(200).send({
-    integration,
+    integration
  });
 };

@ -97,26 +125,26 @@ export const updateIntegration = async (req: Request, res: Response) => {
    appId,
    targetEnvironment,
    owner, // github-specific integration param
-    secretPath,
+    secretPath
  } = req.body;

  const folders = await Folder.findOne({
    workspace: req.integration.workspace,
-    environment,
+    environment
  });

  if (folders) {
    const folder = getFolderByPath(folders.nodes, secretPath);
    if (!folder) {
      throw BadRequestError({
-        message: "Path for service token does not exist",
+        message: "Path for service token does not exist"
      });
    }
  }

  const integration = await Integration.findOneAndUpdate(
    {
-      _id: req.integration._id,
+      _id: req.integration._id
    },
    {
      environment,
@ -125,31 +153,30 @@ export const updateIntegration = async (req: Request, res: Response) => {
      appId,
      targetEnvironment,
      owner,
-      secretPath,
+      secretPath
    },
    {
-      new: true,
+      new: true
    }
  );

  if (integration) {
    // trigger event - push secrets
    EventService.handleEvent({
-      event: eventPushSecrets({
+      event: eventStartIntegration({
        workspaceId: integration.workspace,
-        environment,
-      }),
+        environment
+      })
    });
  }

  return res.status(200).send({
-    integration,
+    integration
  });
 };

 /**
- * Delete integration with id [integrationId] and deactivate bot if there are
- * no integrations left
+ * Delete integration with id [integrationId]
 * @param req
 * @param res
 * @returns
@ -158,12 +185,49 @@ export const deleteIntegration = async (req: Request, res: Response) => {
  const { integrationId } = req.params;

  const integration = await Integration.findOneAndDelete({
-    _id: integrationId,
+    _id: integrationId
  });

  if (!integration) throw new Error("Failed to find integration");

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_INTEGRATION,
+      metadata: {
+        integrationId: integration._id.toString(),
+        integration: integration.integration,
+        environment: integration.environment,
+        secretPath: integration.secretPath,
+        url: integration.url,
+        app: integration.app,
+        appId: integration.appId,
+        targetEnvironment: integration.targetEnvironment,
+        targetEnvironmentId: integration.targetEnvironmentId,
+        targetService: integration.targetService,
+        targetServiceId: integration.targetServiceId,
+        path: integration.path,
+        region: integration.region
+      }
+    },
+    {
+      workspaceId: integration.workspace
+    }
+  );
+
  return res.status(200).send({
-    integration,
+    integration
  });
 };
+
+// Will trigger sync for all integrations within the given env and workspace id 
+export const manualSync = async (req: Request, res: Response) => {
+  const { workspaceId, environment } = req.body;
+  syncSecretsToActiveIntegrationsQueue({
+    workspaceId,
+    environment
+  })
+
+  res.status(200).send()
+};
+
--- a/backend/src/controllers/v1/keyController.ts
+++ b/backend/src/controllers/v1/keyController.ts
@ -1,6 +1,9 @@
+import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { Key } from "../../models";
 import { findMembership } from "../../helpers/membership";
+import { EventType } from "../../ee/models";
+import { EEAuditLogService } from "../../ee/services";

 /**
 * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@ -44,7 +47,7 @@ export const uploadKey = async (req: Request, res: Response) => {
 */
 export const getLatestKey = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;
-
+  
  // get latest key
  const latestKey = await Key.find({
    workspace: workspaceId,
@ -58,6 +61,18 @@ export const getLatestKey = async (req: Request, res: Response) => {

 	if (latestKey.length > 0) {
 		resObj["latestKey"] = latestKey[0];
+    await EEAuditLogService.createAuditLog(
+      req.authData,
+      {
+        type: EventType.GET_WORKSPACE_KEY,
+        metadata: {
+          keyId: latestKey[0]._id.toString()
+        }
+      },
+      {
+        workspaceId: new Types.ObjectId(workspaceId)
+      }
+    );
 	}

 	return res.status(200).send(resObj);
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,9 +1,12 @@
 import { Request, Response } from "express";
-import { Key, Membership, MembershipOrg, User } from "../../models";
+import { Types } from "mongoose";
+import { IUser, Key, Membership, MembershipOrg, User } from "../../models";
+import { EventType } from "../../ee/models";
 import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
 import { sendMail } from "../../helpers/nodemailer";
 import { ACCEPTED, ADMIN, MEMBER } from "../../variables";
 import { getSiteURL } from "../../config";
+import { EEAuditLogService } from "../../ee/services";

 /**
 * Check that user is a member of workspace with id [workspaceId]
@ -36,11 +39,11 @@ export const validateMembership = async (req: Request, res: Response) => {
 */
 export const deleteMembership = async (req: Request, res: Response) => {
  const { membershipId } = req.params;
-
+  
  // check if membership to delete exists
  const membershipToDelete = await Membership.findOne({
    _id: membershipId
-  }).populate("user");
+  }).populate<{ user: IUser }>("user");

  if (!membershipToDelete) {
    throw new Error("Failed to delete workspace membership that doesn't exist");
@ -66,6 +69,20 @@ export const deleteMembership = async (req: Request, res: Response) => {
  const deletedMembership = await deleteMember({
    membershipId: membershipToDelete._id.toString()
  });
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.REMOVE_WORKSPACE_MEMBER,
+      metadata: {
+        userId: membershipToDelete.user._id.toString(),
+        email: membershipToDelete.user.email
+      }
+    },
+    {
+      workspaceId: membership.workspace
+    }
+  );

  return res.status(200).send({
    deletedMembership
@ -87,9 +104,9 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  }

  // validate target membership
-  const membershipToChangeRole = await findMembership({
-    _id: membershipId
-  });
+  const membershipToChangeRole = await Membership
+    .findById(membershipId)
+    .populate<{ user: IUser }>("user");

  if (!membershipToChangeRole) {
    throw new Error("Failed to find membership to change role");
@ -110,9 +127,27 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
    // user is not an admin member of the workspace
    throw new Error("Insufficient role for changing member roles");
  }
+  
+  const oldRole = membershipToChangeRole.role;

  membershipToChangeRole.role = role;
  await membershipToChangeRole.save();
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_USER_WORKSPACE_ROLE,
+      metadata: {
+        userId: membershipToChangeRole.user._id.toString(),
+        email: membershipToChangeRole.user.email,
+        oldRole,
+        newRole: membershipToChangeRole.role
+      }
+    },
+    {
+      workspaceId: membershipToChangeRole.workspace
+    }
+  );

  return res.status(200).send({
    membership: membershipToChangeRole
@ -140,7 +175,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
  const inviteeMembership = await Membership.findOne({
    user: invitee._id,
    workspace: workspaceId
-  });
+  }).populate<{ user: IUser }>("user");

  if (inviteeMembership) throw new Error("Failed to add existing member of workspace");

@ -181,6 +216,20 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
    }
  });

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.ADD_WORKSPACE_MEMBER,
+      metadata: {
+        userId: invitee._id.toString(),
+        email: invitee.email
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
  return res.status(200).send({
    invitee,
    latestKey
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,6 +1,7 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { MembershipOrg, Organization, User } from "../../models";
+import { SSOConfig } from "../../ee/models";
 import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
 import { createToken } from "../../helpers/auth";
 import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
@ -102,14 +103,26 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  // validate membership
  const membershipOrg = await MembershipOrg.findOne({
    user: req.user._id,
-    organization: organizationId
+    organization: new Types.ObjectId(organizationId)
  });

  if (!membershipOrg) {
    throw new Error("Failed to validate organization membership");
  }

-  const plan = await EELicenseService.getPlan(organizationId);
+  const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
+  
+  const ssoConfig = await SSOConfig.findOne({
+    organization: new Types.ObjectId(organizationId)
+  });
+
+  if (ssoConfig && ssoConfig.isActive) {
+    // case: SAML SSO is enabled for the organization
+    return res.status(400).send({
+      message:
+        "Failed to invite member due to SAML SSO configured for organization"
+    }); 
+  }

  if (plan.memberLimit !== null) {
    // case: limit imposed on number of members allowed
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -9,7 +9,7 @@ import {
 import { createOrganization as create } from "../../helpers/organization";
 import { addMembershipsOrg } from "../../helpers/membershipOrg";
 import { ACCEPTED, OWNER } from "../../variables";
-import { getSiteURL, getLicenseServerUrl } from "../../config";
+import { getLicenseServerUrl, getSiteURL } from "../../config";
 import { licenseServerKeyRequest } from "../../config/request";

 export const getOrganizations = async (req: Request, res: Response) => {
@ -260,22 +260,6 @@ export const createOrganizationPortalSession = async (
  }
 };

-/**
- * Return organization subscriptions
- * @param req
- * @param res
- * @returns
- */
-export const getOrganizationSubscriptions = async (
-	req: Request,
-	res: Response
-) => {
-	return res.status(200).send({
-		subscriptions: []
-	});
-};
-
-
 /**
 * Given a org id, return the projects each member of the org belongs to
 * @param req
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -5,7 +5,7 @@ import * as bigintConversion from "bigint-conversion";
 import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
 import { clearTokens, createToken, sendMail } from "../../helpers";
 import { TokenService } from "../../services";
-import { AUTH_MODE_JWT, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
 import { BadRequestError } from "../../utils/errors";
 import {
  getHttpsEnabled,
@ -13,6 +13,7 @@ import {
  getJwtSignupSecret,
  getSiteURL
 } from "../../config";
+import { ActorType } from "../../ee/models";

 /**
 * Password reset step 1: Send email verification link to email [email]
@ -208,8 +209,7 @@ export const changePassword = async (req: Request, res: Response) => {
        );

        if (
-          req.authData.authMode === AUTH_MODE_JWT &&
-          req.authData.authPayload instanceof User &&
+          req.authData.actor.type === ActorType.USER &&
          req.authData.tokenVersionId
        ) {
          await clearTokens(req.authData.tokenVersionId);
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -80,7 +80,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
  EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
-      environment
+      environment,
+      secretPath: "/"
    })
  });

--- a/backend/src/controllers/v1/secretImportController.ts
+++ b/backend/src/controllers/v1/secretImportController.ts
@ -0,0 +1,354 @@
+import { Request, Response } from "express";
+import { isValidScope, validateMembership } from "../../helpers";
+import { ServiceTokenData } from "../../models";
+import Folder from "../../models/folder";
+import SecretImport from "../../models/secretImports";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import { getFolderWithPathFromId } from "../../services/FolderService";
+import { BadRequestError, ResourceNotFoundError,UnauthorizedRequestError } from "../../utils/errors";
+import { ADMIN, MEMBER } from "../../variables";
+import { EEAuditLogService } from "../../ee/services";
+import { EventType } from "../../ee/models";
+
+export const createSecretImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId, secretImport } = req.body;
+
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  }).lean();
+
+  if (!folders && folderId !== "root") {
+    throw ResourceNotFoundError({
+      message: "Failed to find folder"
+    });
+  }
+
+  let secretPath = "/";
+  if (folders) {
+    const { folderPath } = getFolderWithPathFromId(folders.nodes, folderId);
+    secretPath = folderPath;
+  }
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // root check
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+  
+  const importToSecretPath = folders?getFolderWithPathFromId(folders.nodes, folderId).folderPath:"/";
+
+  if (!importSecDoc) {
+    const doc = new SecretImport({
+      workspace: workspaceId,
+      environment,
+      folderId,
+      imports: [{ environment: secretImport.environment, secretPath: secretImport.secretPath }]
+    });
+    
+    await doc.save();
+    await EEAuditLogService.createAuditLog(
+      req.authData,
+      {
+        type: EventType.CREATE_SECRET_IMPORT,
+        metadata: {
+          secretImportId: doc._id.toString(),
+          folderId: doc.folderId.toString(),
+          importFromEnvironment: secretImport.environment,
+          importFromSecretPath: secretImport.secretPath,
+          importToEnvironment: environment,
+          importToSecretPath
+        }
+      },
+      {
+        workspaceId: doc.workspace
+      }
+    );
+    return res.status(200).json({ message: "successfully created secret import" });
+  }
+
+  const doesImportExist = importSecDoc.imports.find(
+    (el) => el.environment === secretImport.environment && el.secretPath === secretImport.secretPath
+  );
+  if (doesImportExist) {
+    throw BadRequestError({ message: "Secret import already exist" });
+  }
+
+  importSecDoc.imports.push({
+    environment: secretImport.environment,
+    secretPath: secretImport.secretPath
+  });
+  await importSecDoc.save();
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_SECRET_IMPORT,
+      metadata: {
+        secretImportId: importSecDoc._id.toString(),
+        folderId: importSecDoc.folderId.toString(),
+        importFromEnvironment: secretImport.environment,
+        importFromSecretPath: secretImport.secretPath,
+        importToEnvironment: environment,
+        importToSecretPath
+      }
+    },
+    {
+      workspaceId: importSecDoc.workspace
+    }
+  );
+  return res.status(200).json({ message: "successfully created secret import" });
+};
+
+// to keep the ordering, you must pass all the imports in here not the only updated one
+// this is because the order decide which import gets overriden
+export const updateSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImports } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
+    await validateMembership({
+      userId: req.user._id.toString(),
+      workspaceId: importSecDoc.workspace,
+      acceptedRoles: [ADMIN, MEMBER]
+    });
+  } else {
+    // check for service token validity
+    const folders = await Folder.findOne({
+      workspace: importSecDoc.workspace,
+      environment: importSecDoc.environment
+    }).lean();
+
+    let secretPath = "/";
+    if (folders) {
+      const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
+      secretPath = folderPath;
+    }
+
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      importSecDoc.environment,
+      secretPath
+    );
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  const orderBefore = importSecDoc.imports;
+  importSecDoc.imports = secretImports;
+  
+  await importSecDoc.save();
+  
+  const folders = await Folder.findOne({
+    workspace: importSecDoc.workspace,
+    environment: importSecDoc.environment,
+  }).lean();
+  
+  if (!folders) throw ResourceNotFoundError({
+    message: "Failed to find folder"
+  });
+  
+  const importToSecretPath = folders?getFolderWithPathFromId(folders.nodes, importSecDoc.folderId).folderPath:"/";
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_SECRET_IMPORT,
+      metadata: {
+        importToEnvironment: importSecDoc.environment,
+        importToSecretPath,
+        secretImportId: importSecDoc._id.toString(),
+        folderId: importSecDoc.folderId.toString(),
+        orderBefore,
+        orderAfter: secretImports
+      }
+    },
+    {
+      workspaceId: importSecDoc.workspace
+    }
+  );
+  return res.status(200).json({ message: "successfully updated secret import" });
+};
+
+export const deleteSecretImport = async (req: Request, res: Response) => {
+  const { id } = req.params;
+  const { secretImportEnv, secretImportPath } = req.body;
+  const importSecDoc = await SecretImport.findById(id);
+  if (!importSecDoc) {
+    throw BadRequestError({ message: "Import not found" });
+  }
+
+  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
+    await validateMembership({
+      userId: req.user._id.toString(),
+      workspaceId: importSecDoc.workspace,
+      acceptedRoles: [ADMIN, MEMBER]
+    });
+  } else {
+    // check for service token validity
+    const folders = await Folder.findOne({
+      workspace: importSecDoc.workspace,
+      environment: importSecDoc.environment
+    }).lean();
+
+    let secretPath = "/";
+    if (folders) {
+      const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
+      secretPath = folderPath;
+    }
+
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      importSecDoc.environment,
+      secretPath
+    );
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  importSecDoc.imports = importSecDoc.imports.filter(
+    ({ environment, secretPath }) =>
+      !(environment === secretImportEnv && secretPath === secretImportPath)
+  );
+  await importSecDoc.save();
+
+  const folders = await Folder.findOne({
+    workspace: importSecDoc.workspace,
+    environment: importSecDoc.environment,
+  }).lean();
+  
+  if (!folders) throw ResourceNotFoundError({
+    message: "Failed to find folder"
+  });
+  
+  const importToSecretPath = folders?getFolderWithPathFromId(folders.nodes, importSecDoc.folderId).folderPath:"/";
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_SECRET_IMPORT,
+      metadata: {
+        secretImportId: importSecDoc._id.toString(),
+        folderId: importSecDoc.folderId.toString(),
+        importFromEnvironment: secretImportEnv,
+        importFromSecretPath: secretImportPath,
+        importToEnvironment: importSecDoc.environment,
+        importToSecretPath
+      }
+    },
+    {
+      workspaceId: importSecDoc.workspace
+    }
+  );
+
+  return res.status(200).json({ message: "successfully delete secret import" });
+};
+
+export const getSecretImports = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query;
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secretImport: {} });
+  }
+
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // check for service token validity
+    const folders = await Folder.findOne({
+      workspace: importSecDoc.workspace,
+      environment: importSecDoc.environment
+    }).lean();
+
+    let secretPath = "/";
+    if (folders) {
+      const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
+      secretPath = folderPath;
+    }
+
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      importSecDoc.environment,
+      secretPath
+    );
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  return res.status(200).json({ secretImport: importSecDoc });
+};
+
+export const getAllSecretsFromImport = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderId } = req.query as {
+    workspaceId: string;
+    environment: string;
+    folderId: string;
+  };
+  const importSecDoc = await SecretImport.findOne({
+    workspace: workspaceId,
+    environment,
+    folderId
+  });
+
+  if (!importSecDoc) {
+    return res.status(200).json({ secrets: [] });
+  }
+
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // check for service token validity
+    const folders = await Folder.findOne({
+      workspace: importSecDoc.workspace,
+      environment: importSecDoc.environment
+    }).lean();
+
+    let secretPath = "/";
+    if (folders) {
+      const { folderPath } = getFolderWithPathFromId(folders.nodes, importSecDoc.folderId);
+      secretPath = folderPath;
+    }
+
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      importSecDoc.environment,
+      secretPath
+    );
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.GET_SECRET_IMPORTS,
+      metadata: {
+        environment,
+        secretImportId: importSecDoc._id.toString(),
+        folderId,
+        numberOfImports: importSecDoc.imports.length
+      }
+    },
+    {
+      workspaceId: importSecDoc.workspace
+    }
+  );
+
+  const secrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+  return res.status(200).json({ secrets });
+};
--- a/backend/src/controllers/v1/secretScanningController.ts
+++ b/backend/src/controllers/v1/secretScanningController.ts
@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import GitAppInstallationSession from "../../ee/models/gitAppInstallationSession";
+import crypto from "crypto";
+import { Types } from "mongoose";
+import { UnauthorizedRequestError } from "../../utils/errors";
+import GitAppOrganizationInstallation from "../../ee/models/gitAppOrganizationInstallation";
+import { MembershipOrg } from "../../models";
+import GitRisks, { STATUS_RESOLVED_FALSE_POSITIVE, STATUS_RESOLVED_NOT_REVOKED, STATUS_RESOLVED_REVOKED } from "../../ee/models/gitRisks";
+
+export const createInstallationSession = async (req: Request, res: Response) => {
+  const sessionId = crypto.randomBytes(16).toString("hex");
+  await GitAppInstallationSession.findByIdAndUpdate(
+    req.organization,
+    {
+      organization: new Types.ObjectId(req.organization),
+      sessionId: sessionId,
+      user: new Types.ObjectId(req.user._id)
+    },
+    { upsert: true }
+  ).lean();
+
+  res.send({
+    sessionId: sessionId
+  })
+}
+
+export const linkInstallationToOrganization = async (req: Request, res: Response) => {
+  const { installationId, sessionId } = req.body
+
+  const installationSession = await GitAppInstallationSession.findOneAndDelete({ sessionId: sessionId })
+  if (!installationSession) {
+    throw UnauthorizedRequestError()
+  }
+
+  const userMembership = await MembershipOrg.find({ user: req.user._id, organization: installationSession.organization })
+  if (!userMembership) {
+    throw UnauthorizedRequestError()
+  }
+
+  const installationLink = await GitAppOrganizationInstallation.findOneAndUpdate({
+    organizationId: installationSession.organization,
+  }, {
+    installationId: installationId,
+    organizationId: installationSession.organization,
+    user: installationSession.user
+  }, {
+    upsert: true
+  }).lean()
+
+  res.json(installationLink)
+}
+
+export const getCurrentOrganizationInstallationStatus = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  try {
+    const appInstallation = await GitAppOrganizationInstallation.findOne({ organizationId: organizationId }).lean()
+    if (!appInstallation) {
+      res.json({
+        appInstallationComplete: false
+      })
+    }
+
+    res.json({
+      appInstallationComplete: true
+    })
+  } catch {
+    res.json({
+      appInstallationComplete: false
+    })
+  }
+}
+
+export const getRisksForOrganization = async (req: Request, res: Response) => {
+  const { organizationId } = req.params
+  const risks = await GitRisks.find({ organization: organizationId }).sort({ createdAt: -1 }).lean()
+  res.json({
+    risks: risks
+  })
+}
+
+export const updateRisksStatus = async (req: Request, res: Response) => {
+  const { riskId } = req.params
+  const { status } = req.body
+  const isRiskResolved = status == STATUS_RESOLVED_FALSE_POSITIVE || status == STATUS_RESOLVED_REVOKED || status == STATUS_RESOLVED_NOT_REVOKED ? true : false
+  const risk = await GitRisks.findByIdAndUpdate(riskId, {
+    status: status,
+    isResolved: isRiskResolved
+  }).lean()
+
+  res.json(risk)
+}
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@ -1,39 +1,49 @@
 import { Request, Response } from "express";
-import { Secret } from "../../models";
+import { Types } from "mongoose";
+import { EventType, FolderVersion } from "../../ee/models";
+import { EEAuditLogService, EESecretService } from "../../ee/services";
+import { validateMembership } from "../../helpers/membership";
+import { isValidScope } from "../../helpers/secrets";
+import { Secret, ServiceTokenData } from "../../models";
 import Folder from "../../models/folder";
-import { BadRequestError } from "../../utils/errors";
 import {
  appendFolder,
  deleteFolderById,
  generateFolderId,
  getAllFolderIds,
  getFolderByPath,
+  getFolderWithPathFromId,
  getParentFromFolderId,
-  searchByFolderId,
-  searchByFolderIdWithDir,
-  validateFolderName,
+  validateFolderName
 } from "../../services/FolderService";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { ADMIN, MEMBER } from "../../variables";
-import { validateMembership } from "../../helpers/membership";
-import { FolderVersion } from "../../ee/models";
-import { EESecretService } from "../../ee/services";

-// TODO
 // verify workspace id/environment
 export const createFolder = async (req: Request, res: Response) => {
  const { workspaceId, environment, folderName, parentFolderId } = req.body;
  if (!validateFolderName(folderName)) {
    throw BadRequestError({
-      message: "Folder name cannot contain spaces. Only underscore and dashes",
+      message: "Folder name cannot contain spaces. Only underscore and dashes"
    });
  }

  const folders = await Folder.findOne({
    workspace: workspaceId,
-    environment,
+    environment
  }).lean();
+
  // space has no folders initialized
+  
  if (!folders) {
+    if (req.authData.authPayload instanceof ServiceTokenData) {
+      // root check
+      const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, "/");
+      if (!isValidScopeAccess) {
+        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+      }
+    }
+
    const id = generateFolderId();
    const folder = new Folder({
      workspace: workspaceId,
@ -42,39 +52,93 @@ export const createFolder = async (req: Request, res: Response) => {
        id: "root",
        name: "root",
        version: 1,
-        children: [{ id, name: folderName, children: [], version: 1 }],
-      },
+        children: [{ id, name: folderName, children: [], version: 1 }]
+      }
    });
    await folder.save();
    const folderVersion = new FolderVersion({
      workspace: workspaceId,
      environment,
-      nodes: folder.nodes,
+      nodes: folder.nodes
    });
    await folderVersion.save();
    await EESecretService.takeSecretSnapshot({
      workspaceId,
-      environment,
+      environment
    });
+    
+    await EEAuditLogService.createAuditLog(
+      req.authData,
+      {
+        type: EventType.CREATE_FOLDER,
+        metadata: {
+          environment,
+          folderId: id,
+          folderName,
+          folderPath: `root/${folderName}`
+        }
+      },
+      {
+        workspaceId: new Types.ObjectId(workspaceId)
+      }
+    );
+
    return res.json({ folder: { id, name: folderName } });
  }

  const folder = appendFolder(folders.nodes, { folderName, parentFolderId });
+  
+  await Folder.findByIdAndUpdate(folders._id, folders);
+  
+  const { folder: parentFolder, folderPath: parentFolderPath } = getFolderWithPathFromId(
+    folders.nodes,
+    parentFolderId || "root"
+  );
+
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    // root check
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      environment,
+      parentFolderPath
+    );
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
  await Folder.findByIdAndUpdate(folders._id, folders);

-  const parentFolder = searchByFolderId(folders.nodes, parentFolderId);
  const folderVersion = new FolderVersion({
    workspace: workspaceId,
    environment,
-    nodes: parentFolder,
+    nodes: parentFolder
  });
  await folderVersion.save();

  await EESecretService.takeSecretSnapshot({
    workspaceId,
    environment,
-    folderId: parentFolderId,
+    folderId: parentFolderId
  });
+  
+  const {folderPath} = getFolderWithPathFromId(folders.nodes, folder.id);
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_FOLDER,
+      metadata: {
+        environment,
+        folderId: folder.id,
+        folderName,
+        folderPath
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );

  return res.json({ folder });
 };
@ -82,28 +146,46 @@ export const createFolder = async (req: Request, res: Response) => {
 export const updateFolderById = async (req: Request, res: Response) => {
  const { folderId } = req.params;
  const { name, workspaceId, environment } = req.body;
+  if (!validateFolderName(name)) {
+    throw BadRequestError({
+      message: "Folder name cannot contain spaces. Only underscore and dashes"
+    });
+  }

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
  if (!folders) {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }

-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
-  });
+  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
+    // check that user is a member of the workspace
+    await validateMembership({
+      userId: req.user._id.toString(),
+      workspaceId,
+      acceptedRoles: [ADMIN, MEMBER]
+    });
+  }

  const parentFolder = getParentFromFolderId(folders.nodes, folderId);
  if (!parentFolder) {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }
  const folder = parentFolder.children.find(({ id }) => id === folderId);
+  
  if (!folder) {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }

+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { folderPath: secretPath } = getFolderWithPathFromId(folders.nodes, parentFolder.id);
+    // root check
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  const oldFolderName = folder.name;
  parentFolder.version += 1;
  folder.name = name;

@ -111,19 +193,38 @@ export const updateFolderById = async (req: Request, res: Response) => {
  const folderVersion = new FolderVersion({
    workspace: workspaceId,
    environment,
-    nodes: parentFolder,
+    nodes: parentFolder
  });
  await folderVersion.save();

  await EESecretService.takeSecretSnapshot({
    workspaceId,
    environment,
-    folderId: parentFolder.id,
+    folderId: parentFolder.id
  });

+  const {folderPath} = getFolderWithPathFromId(folders.nodes, folder.id);
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_FOLDER,
+      metadata: {
+        environment,
+        folderId: folder.id,
+        oldFolderName,
+        newFolderName: name,
+        folderPath
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
  return res.json({
    message: "Successfully updated folder",
-    folder: { name: folder.name, id: folder.id },
+    folder: { name: folder.name, id: folder.id }
  });
 };

@ -136,12 +237,16 @@ export const deleteFolder = async (req: Request, res: Response) => {
    throw BadRequestError({ message: "The folder doesn't exist" });
  }

-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
-  });
+  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
+    // check that user is a member of the workspace
+    await validateMembership({
+      userId: req.user._id.toString(),
+      workspaceId,
+      acceptedRoles: [ADMIN, MEMBER]
+    });
+  }
+
+  const {folderPath} = getFolderWithPathFromId(folders.nodes, folderId);

  const delOp = deleteFolderById(folders.nodes, folderId);
  if (!delOp) {
@ -149,6 +254,14 @@ export const deleteFolder = async (req: Request, res: Response) => {
  }
  const { deletedNode: delFolder, parent: parentFolder } = delOp;

+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { folderPath: secretPath } = getFolderWithPathFromId(folders.nodes, parentFolder.id);
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
  parentFolder.version += 1;
  const delFolderIds = getAllFolderIds(delFolder);

@ -156,35 +269,50 @@ export const deleteFolder = async (req: Request, res: Response) => {
  const folderVersion = new FolderVersion({
    workspace: workspaceId,
    environment,
-    nodes: parentFolder,
+    nodes: parentFolder
  });
  await folderVersion.save();
  if (delFolderIds.length) {
    await Secret.deleteMany({
      folder: { $in: delFolderIds.map(({ id }) => id) },
      workspace: workspaceId,
-      environment,
+      environment
    });
  }

  await EESecretService.takeSecretSnapshot({
    workspaceId,
    environment,
-    folderId: parentFolder.id,
+    folderId: parentFolder.id
  });

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_FOLDER ,
+      metadata: {
+        environment,
+        folderId,
+        folderName: delFolder.name,
+        folderPath
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );
+
  res.send({ message: "successfully deleted folders", folders: delFolderIds });
 };

 // TODO: validate workspace
 export const getFolders = async (req: Request, res: Response) => {
-  const { workspaceId, environment, parentFolderId, parentFolderPath } =
-    req.query as {
-      workspaceId: string;
-      environment: string;
-      parentFolderId?: string;
-      parentFolderPath?: string;
-    };
+  const { workspaceId, environment, parentFolderId, parentFolderPath } = req.query as {
+    workspaceId: string;
+    environment: string;
+    parentFolderId?: string;
+    parentFolderPath?: string;
+  };

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
  if (!folders) {
@ -192,16 +320,29 @@ export const getFolders = async (req: Request, res: Response) => {
    return;
  }

-  // check that user is a member of the workspace
-  await validateMembership({
-    userId: req.user._id.toString(),
-    workspaceId,
-    acceptedRoles: [ADMIN, MEMBER],
-  });
+  if (!(req.authData.authPayload instanceof ServiceTokenData)) {
+    // check that user is a member of the workspace
+    await validateMembership({
+      userId: req.user._id.toString(),
+      workspaceId,
+      acceptedRoles: [ADMIN, MEMBER]
+    });
+  }

  // if instead of parentFolderId given a path like /folder1/folder2
  if (parentFolderPath) {
+    if (req.authData.authPayload instanceof ServiceTokenData) {
+      const isValidScopeAccess = isValidScope(
+        req.authData.authPayload,
+        environment,
+        parentFolderPath
+      );
+      if (!isValidScopeAccess) {
+        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+      }
+    }
    const folder = getFolderByPath(folders.nodes, parentFolderPath);
+
    if (!folder) {
      res.send({ folders: [], dir: [] });
      return;
@ -209,27 +350,36 @@ export const getFolders = async (req: Request, res: Response) => {
    // dir is not needed at present as this is only used in overview section of secrets
    res.send({
      folders: folder.children.map(({ id, name }) => ({ id, name })),
-      dir: [{ name: folder.name, id: folder.id }],
+      dir: [{ name: folder.name, id: folder.id }]
    });
  }

  if (!parentFolderId) {
+    if (req.authData.authPayload instanceof ServiceTokenData) {
+      const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, "/");
+      if (!isValidScopeAccess) {
+        throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+      }
+    }
+
    const rootFolders = folders.nodes.children.map(({ id, name }) => ({
      id,
-      name,
+      name
    }));
    res.send({ folders: rootFolders });
    return;
  }

-  const folderBySearch = searchByFolderIdWithDir(folders.nodes, parentFolderId);
-  if (!folderBySearch) {
-    throw BadRequestError({ message: "The folder doesn't exist" });
+  const { folder, folderPath, dir } = getFolderWithPathFromId(folders.nodes, parentFolderId);
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, folderPath);
+    if (!isValidScopeAccess) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
  }
-  const { folder, dir } = folderBySearch;

  res.send({
    folders: folder.children.map(({ id, name }) => ({ id, name })),
-    dir,
+    dir
  });
 };
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,5 +1,5 @@
 import { Request, Response } from "express";
-import { User } from "../../models";
+import { AuthMethod, User } from "../../models";
 import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
 import { createToken } from "../../helpers/auth";
 import { BadRequestError } from "../../utils/errors";
@ -81,7 +81,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {

  if (!user) {
    user = await new User({
-      email
+      email,
+      authMethods: [AuthMethod.EMAIL]
    }).save();
  }

--- a/backend/src/controllers/v1/webhookController.ts
+++ b/backend/src/controllers/v1/webhookController.ts
@ -0,0 +1,199 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { client, getRootEncryptionKey } from "../../config";
+import { validateMembership } from "../../helpers";
+import Webhook from "../../models/webhooks";
+import { getWebhookPayload, triggerWebhookRequest } from "../../services/WebhookService";
+import { BadRequestError, ResourceNotFoundError } from "../../utils/errors";
+import { EEAuditLogService } from "../../ee/services";
+import { EventType } from "../../ee/models";
+import { ADMIN, ALGORITHM_AES_256_GCM, ENCODING_SCHEME_BASE64, MEMBER } from "../../variables";
+
+export const createWebhook = async (req: Request, res: Response) => {
+  const { webhookUrl, webhookSecretKey, environment, workspaceId, secretPath } = req.body;
+  const webhook = new Webhook({
+    workspace: workspaceId,
+    environment,
+    secretPath,
+    url: webhookUrl,
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_BASE64
+  });
+
+  if (webhookSecretKey) {
+    const rootEncryptionKey = await getRootEncryptionKey();
+    const { ciphertext, iv, tag } = client.encryptSymmetric(webhookSecretKey, rootEncryptionKey);
+    webhook.iv = iv;
+    webhook.tag = tag;
+    webhook.encryptedSecretKey = ciphertext;
+  }
+
+  await webhook.save();
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_WEBHOOK,
+      metadata: {
+        webhookId: webhook._id.toString(),
+        environment,
+        secretPath,
+        webhookUrl,
+        isDisabled: false
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully created webhook"
+  });
+};
+
+export const updateWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const { isDisabled } = req.body;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  if (typeof isDisabled !== undefined) {
+    webhook.isDisabled = isDisabled;
+  }
+  await webhook.save();
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_WEBHOOK_STATUS,
+      metadata: {
+        webhookId: webhook._id.toString(),
+        environment: webhook.environment,
+        secretPath: webhook.secretPath,
+        webhookUrl: webhook.url,
+        isDisabled
+      }
+    },
+    {
+      workspaceId: webhook.workspace
+    }
+  );
+
+  return res.status(200).send({
+    webhook,
+    message: "successfully updated webhook"
+  });
+};
+
+export const deleteWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  let webhook = await Webhook.findById(webhookId);
+
+  if (!webhook) {
+    throw ResourceNotFoundError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+  
+  webhook = await Webhook.findByIdAndDelete(webhookId);
+
+  if (!webhook) {
+    throw ResourceNotFoundError({ message: "Webhook not found!!" });
+  }
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_WEBHOOK,
+      metadata: {
+        webhookId: webhook._id.toString(),
+        environment: webhook.environment,
+        secretPath: webhook.secretPath,
+        webhookUrl: webhook.url,
+        isDisabled: webhook.isDisabled
+      }
+    },
+    {
+      workspaceId: webhook.workspace
+    }
+  );
+
+  return res.status(200).send({
+    message: "successfully removed webhook"
+  });
+};
+
+export const testWebhook = async (req: Request, res: Response) => {
+  const { webhookId } = req.params;
+  const webhook = await Webhook.findById(webhookId);
+  if (!webhook) {
+    throw BadRequestError({ message: "Webhook not found!!" });
+  }
+
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: webhook.workspace,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  try {
+    await triggerWebhookRequest(
+      webhook,
+      getWebhookPayload(
+        "test",
+        webhook.workspace.toString(),
+        webhook.environment,
+        webhook.secretPath
+      )
+    );
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "success",
+      lastRunErrorMessage: null
+    });
+  } catch (err) {
+    await Webhook.findByIdAndUpdate(webhookId, {
+      lastStatus: "failed",
+      lastRunErrorMessage: (err as Error).message
+    });
+    return res.status(400).send({
+      message: "Failed to receive response",
+      error: (err as Error).message
+    });
+  }
+
+  return res.status(200).send({
+    message: "Successfully received response"
+  });
+};
+
+export const listWebhooks = async (req: Request, res: Response) => {
+  const { environment, workspaceId, secretPath } = req.query;
+
+  const optionalFilters: Record<string, string> = {};
+  if (environment) optionalFilters.environment = environment as string;
+  if (secretPath) optionalFilters.secretPath = secretPath as string;
+
+  const webhooks = await Webhook.find({
+    workspace: new Types.ObjectId(workspaceId as string),
+    ...optionalFilters
+  });
+
+  return res.status(200).send({
+    webhooks
+  });
+};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,3 +1,4 @@
+import { Types } from "mongoose";
 import { Request, Response } from "express";
 import {
  IUser,
@ -108,14 +109,14 @@ export const createWorkspace = async (req: Request, res: Response) => {
  // validate organization membership
  const membershipOrg = await MembershipOrg.findOne({
    user: req.user._id,
-    organization: organizationId,
+    organization: new Types.ObjectId(organizationId),
  });

  if (!membershipOrg) {
    throw new Error("Failed to validate organization membership");
  }

-  const plan = await EELicenseService.getPlan(organizationId);
+  const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
  
  if (plan.workspaceLimit !== null) {
    // case: limit imposed on number of workspaces allowed
@ -134,7 +135,7 @@ export const createWorkspace = async (req: Request, res: Response) => {
  // create workspace and add user as member
  const workspace = await create({
    name: workspaceName,
-    organizationId,
+    organizationId: new Types.ObjectId(organizationId),
  });

  await addMemberships({
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -14,7 +14,7 @@ import {
  ACTION_LOGIN,
  TOKEN_EMAIL_MFA,
 } from "../../variables";
-import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
+import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
 import {
  getHttpsEnabled,
  getJwtMfaLifetime,
@ -203,7 +203,7 @@ export const login2 = async (req: Request, res: Response) => {
        loginAction && await EELogService.createLog({
          userId: user._id,
          actions: [loginAction],
-          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          channel: getUserAgentType(req.headers["user-agent"]),
          ipAddress: req.ip,
        });

@ -336,7 +336,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
  loginAction && await EELogService.createLog({
    userId: user._id,
    actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    channel: getUserAgentType(req.headers["user-agent"]),
    ipAddress: req.realIP,
  });

--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -1,4 +1,5 @@
 import { Request, Response } from "express";
+import { Types } from "mongoose";
 import {
  Integration,
  Membership,
@ -7,8 +8,8 @@ import {
  ServiceTokenData,
  Workspace,
 } from "../../models";
-import { SecretVersion } from "../../ee/models";
-import { EELicenseService } from "../../ee/services";
+import { EventType, SecretVersion } from "../../ee/models";
+import { EEAuditLogService, EELicenseService } from "../../ee/services";
 import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
 import _ from "lodash";
 import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
@ -27,16 +28,16 @@ export const createWorkspaceEnvironment = async (
  const { workspaceId } = req.params;
  const { environmentName, environmentSlug } = req.body;
  const workspace = await Workspace.findById(workspaceId).exec();
-  
+
  if (!workspace) throw WorkspaceNotFoundError();
-  
-  const plan = await EELicenseService.getPlan(workspace.organization.toString());
-  
+
+  const plan = await EELicenseService.getPlan(workspace.organization);
+
  if (plan.environmentLimit !== null) {
    // case: limit imposed on number of environments allowed
    if (workspace.environments.length >= plan.environmentLimit) {
      // case: number of environments used exceeds the number of environments allowed
-      
+
      return res.status(400).send({
        message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
      });
@ -58,7 +59,21 @@ export const createWorkspaceEnvironment = async (
  });
  await workspace.save();

-  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+  await EELicenseService.refreshPlan(workspace.organization, new Types.ObjectId(workspaceId));
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_ENVIRONMENT,
+      metadata: {
+        name: environmentName,
+        slug: environmentSlug
+      }
+    },
+    {
+      workspaceId: workspace._id
+    }
+  );

  return res.status(200).send({
    message: "Successfully created new environment",
@ -70,6 +85,43 @@ export const createWorkspaceEnvironment = async (
  });
 };

+/**
+ * Swaps the ordering of two environments in the database. This is purely for aesthetic purposes.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const reorderWorkspaceEnvironments = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const { environmentSlug, environmentName, otherEnvironmentSlug, otherEnvironmentName } = req.body;
+
+  // atomic update the env to avoid conflict
+  const workspace = await Workspace.findById(workspaceId).exec();
+  if (!workspace) {
+    throw BadRequestError({message: "Couldn't load workspace"});
+  }
+
+  const environmentIndex = workspace.environments.findIndex((env) => env.name === environmentName && env.slug === environmentSlug)
+  const otherEnvironmentIndex = workspace.environments.findIndex((env) => env.name === otherEnvironmentName && env.slug === otherEnvironmentSlug)
+
+  if (environmentIndex === -1 || otherEnvironmentIndex === -1) {
+    throw BadRequestError({message: "environment or otherEnvironment couldn't be found"})
+  }
+
+  // swap the order of the environments
+  [workspace.environments[environmentIndex], workspace.environments[otherEnvironmentIndex]] = [workspace.environments[otherEnvironmentIndex], workspace.environments[environmentIndex]]
+
+  await workspace.save()
+
+  return res.status(200).send({
+    message: "Successfully reordered environments",
+    workspace: workspaceId,
+  });
+};
+
 /**
 * Rename workspace environment with new name and slug of a workspace with [workspaceId]
 * Old slug [oldEnvironmentSlug] must be provided
@ -110,6 +162,8 @@ export const renameWorkspaceEnvironment = async (
    throw new Error("Invalid environment given");
  }

+  const oldEnvironment = workspace.environments[envIndex];
+
  workspace.environments[envIndex].name = environmentName;
  workspace.environments[envIndex].slug = environmentSlug.toLowerCase();

@ -141,8 +195,23 @@ export const renameWorkspaceEnvironment = async (
    },
    { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
    { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-  )
+  );

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_ENVIRONMENT,
+      metadata: {
+        oldName: oldEnvironment.name,
+        newName: environmentName,
+        oldSlug: oldEnvironment.slug,
+        newSlug: environmentSlug.toLowerCase()
+      }
+    },
+    {
+      workspaceId: workspace._id
+    }
+  );

  return res.status(200).send({
    message: "Successfully update environment",
@ -179,6 +248,8 @@ export const deleteWorkspaceEnvironment = async (
    throw new Error("Invalid environment given");
  }

+  const oldEnvironment = workspace.environments[envIndex];
+
  workspace.environments.splice(envIndex, 1);
  await workspace.save();

@ -191,14 +262,21 @@ export const deleteWorkspaceEnvironment = async (
    workspace: workspaceId,
    environment: environmentSlug,
  });
-  await ServiceToken.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await ServiceTokenData.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
+
+  // await ServiceToken.deleteMany({
+  //   workspace: workspaceId,
+  //   environment: environmentSlug,
+  // });
+
+  const result = await ServiceTokenData.updateMany(
+    { workspace: workspaceId },
+    { $pull: { scopes: { environment: environmentSlug } } }
+  );
+
+  if (result.modifiedCount > 0) {
+    await ServiceTokenData.deleteMany({ workspace: workspaceId, scopes: { $size: 0 } });
+  }
+
  await Integration.deleteMany({
    workspace: workspaceId,
    environment: environmentSlug,
@ -208,7 +286,21 @@ export const deleteWorkspaceEnvironment = async (
    { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
  );

-  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+  await EELicenseService.refreshPlan(workspace.organization, new Types.ObjectId(workspaceId));
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_ENVIRONMENT,
+      metadata: {
+        name: oldEnvironment.name,
+        slug: oldEnvironment.slug
+      }
+    },
+    {
+      workspaceId: workspace._id
+    }
+  );

  return res.status(200).send({
    message: "Successfully deleted environment",
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -9,8 +9,6 @@ import {
 } from "../../types/secret";
 const { ValidationError } = mongoose.Error;
 import {
-  BadRequestError,
-  InternalServerError,
  ValidationError as RouteValidationError,
  UnauthorizedRequestError
 } from "../../utils/errors";
@ -311,16 +309,16 @@ export const updateSecret = async (req: Request, res: Response) => {
    { _id: secretModificationsRequested._id, workspace: workspaceId },
    { $inc: { version: 1 }, $set: sanitizedSecret }
  )
-  .catch((error) => {
-    if (error instanceof ValidationError) {
-      throw RouteValidationError({
-        message: "Unable to apply modifications, please try again",
-        stack: error.stack
-      });
-    }
+    .catch((error) => {
+      if (error instanceof ValidationError) {
+        throw RouteValidationError({
+          message: "Unable to apply modifications, please try again",
+          stack: error.stack
+        });
+      }

-    throw error;
-  });
+      throw error;
+    });

  if (postHogClient) {
    postHogClient.capture({
@ -372,12 +370,12 @@ export const getSecrets = async (req: Request, res: Response) => {
    $or: [{ user: userId }, { user: { $exists: false } }],
    type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
  })
-  .catch((err) => {
-    throw RouteValidationError({
-      message: "Failed to get secrets, please try again",
-      stack: err.stack
-    });
-  })
+    .catch((err) => {
+      throw RouteValidationError({
+        message: "Failed to get secrets, please try again",
+        stack: err.stack
+      });
+    })

  if (postHogClient) {
    postHogClient.capture({
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,7 +1,7 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { ISecret, Secret, ServiceTokenData } from "../../models";
-import { IAction, SecretVersion } from "../../ee/models";
+import { AuditLog, EventType, IAction, SecretVersion } from "../../ee/models";
 import {
  ACTION_ADD_SECRETS,
  ACTION_DELETE_SECRETS,
@ -9,14 +9,15 @@ import {
  ACTION_UPDATE_SECRETS,
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
+  K8_USER_AGENT_NAME,
  SECRET_PERSONAL
 } from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EELogService, EESecretService } from "../../ee/services";
+import { EEAuditLogService, EELogService, EESecretService } from "../../ee/services";
 import { SecretService, TelemetryService } from "../../services";
-import { getChannelFromUserAgent } from "../../utils/posthog";
+import { getUserAgentType } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
 import {
  userHasNoAbility,
@ -30,9 +31,12 @@ import Folder from "../../models/folder";
 import {
  getFolderByPath,
  getFolderIdFromServiceToken,
-  searchByFolderId
+  searchByFolderId,
+  searchByFolderIdWithDir
 } from "../../services/FolderService";
 import { isValidScope } from "../../helpers/secrets";
+import path from "path";
+import { getAllImportedSecrets } from "../../services/SecretImportService";

 /**
 * Peform a batch of any specified CUD secret operations
@ -41,25 +45,25 @@ import { isValidScope } from "../../helpers/secrets";
 * @param res
 */
 export const batchSecrets = async (req: Request, res: Response) => {
-  const channel = getChannelFromUserAgent(req.headers["user-agent"]);
+  const channel = getUserAgentType(req.headers["user-agent"]);
  const postHogClient = await TelemetryService.getPostHogClient();

  const {
    workspaceId,
    environment,
-    requests,
-    secretPath
+    requests
  }: {
    workspaceId: string;
    environment: string;
    requests: BatchSecretRequest[];
-    secretPath: string;
  } = req.body;
+
+  let secretPath = req.body.secretPath as string;
  let folderId = req.body.folderId as string;

  const createSecrets: BatchSecret[] = [];
  const updateSecrets: BatchSecret[] = [];
-  const deleteSecrets: Types.ObjectId[] = [];
+  const deleteSecrets: { _id: Types.ObjectId, secretName: string; }[] = [];
  const actions: IAction[] = [];

  // get secret blind index salt
@ -68,10 +72,6 @@ export const batchSecrets = async (req: Request, res: Response) => {
  });

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (folders && folderId !== "root") {
-    const folder = searchByFolderId(folders.nodes, folderId as string);
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
-  }

  if (req.authData.authPayload instanceof ServiceTokenData) {
    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
@ -87,6 +87,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
  }

+  if (folders && folderId !== "root") {
+    const folder = searchByFolderIdWithDir(folders.nodes, folderId as string);
+    if (!folder?.folder) throw BadRequestError({ message: "Folder not found" });
+    secretPath = path.join(
+      "/",
+      ...folder.dir.map(({ name }) => name).filter((name) => name !== "root")
+    );
+  }
+
  for await (const request of requests) {
    // do a validation

@ -126,7 +135,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
        });
        break;
      case "DELETE":
-        deleteSecrets.push(new Types.ObjectId(request.secret._id));
+        deleteSecrets.push({ _id: new Types.ObjectId(request.secret._id), secretName: request.secret.secretName });
        break;
    }
  }
@ -147,6 +156,30 @@ export const batchSecrets = async (req: Request, res: Response) => {
      })
    });

+    const auditLogs = await Promise.all(
+      createdSecrets.map((secret, index) => {
+        return EEAuditLogService.createAuditLog(
+          req.authData,
+          {
+            type: EventType.CREATE_SECRET,
+            metadata: {
+              environment: secret.environment,
+              secretPath: secretPath ?? "/",
+              secretId: secret._id.toString(),
+              secretKey: createSecrets[index].secretName,
+              secretVersion: secret.version
+            }
+          },
+          {
+            workspaceId: secret.workspace
+          },
+          false
+        );
+      })
+    );
+
+    await AuditLog.insertMany(auditLogs);
+
    const addAction = (await EELogService.createAction({
      name: ACTION_ADD_SECRETS,
      userId: req.user?._id,
@ -202,6 +235,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
          $inc: {
            version: 1
          },
+          $unset: {
+            'metadata.source': true as true
+          },
          ...u,
          _id: new Types.ObjectId(u._id)
        }
@ -246,6 +282,30 @@ export const batchSecrets = async (req: Request, res: Response) => {
      }
    });

+    const auditLogs = await Promise.all(
+      updateSecrets.map((secret) => {
+        return EEAuditLogService.createAuditLog(
+          req.authData,
+          {
+            type: EventType.UPDATE_SECRET,
+            metadata: {
+              environment,
+              secretPath: secretPath ?? "/",
+              secretId: secret._id.toString(),
+              secretKey: secret.secretName,
+              secretVersion: listedSecretsObj[secret._id.toString()].version
+            }
+          },
+          {
+            workspaceId: new Types.ObjectId(workspaceId)
+          },
+          false
+        );
+      })
+    );
+
+    await AuditLog.insertMany(auditLogs);
+
    const updateAction = (await EELogService.createAction({
      name: ACTION_UPDATE_SECRETS,
      userId: req.user._id,
@ -272,21 +332,60 @@ export const batchSecrets = async (req: Request, res: Response) => {

  // handle delete secrets
  if (deleteSecrets.length > 0) {
+    const deleteSecretIds: Types.ObjectId[] = deleteSecrets.map((s) => s._id);
+
+    const deletedSecretsObj = (await Secret.find({
+      _id: {
+        $in: deleteSecretIds
+      }
+    }))
+      .reduce(
+        (obj: any, secret: ISecret) => ({
+          ...obj,
+          [secret._id.toString()]: secret
+        }),
+        {}
+      );
+
    await Secret.deleteMany({
      _id: {
-        $in: deleteSecrets
+        $in: deleteSecretIds
      }
    });

    await EESecretService.markDeletedSecretVersions({
-      secretIds: deleteSecrets
+      secretIds: deleteSecretIds
    });

+    const auditLogs = await Promise.all(
+      deleteSecrets.map((secret) => {
+        return EEAuditLogService.createAuditLog(
+          req.authData,
+          {
+            type: EventType.DELETE_SECRET,
+            metadata: {
+              environment,
+              secretPath: secretPath ?? "/",
+              secretId: secret._id.toString(),
+              secretKey: secret.secretName,
+              secretVersion: deletedSecretsObj[secret._id.toString()].version
+            }
+          },
+          {
+            workspaceId: new Types.ObjectId(workspaceId)
+          },
+          false
+        );
+      })
+    );
+
+    await AuditLog.insertMany(auditLogs);
+
    const deleteAction = (await EELogService.createAction({
      name: ACTION_DELETE_SECRETS,
      userId: req.user._id,
      workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecrets
+      secretIds: deleteSecretIds
    })) as IAction;
    actions.push(deleteAction);

@ -319,7 +418,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
  // // trigger event - push secrets
  await EventService.handleEvent({
    event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId)
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      // root condition else this will be filled according to the path or folderid
+      secretPath: secretPath || "/"
    })
  });

@ -341,7 +443,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
  }

  if (deleteSecrets.length > 0) {
-    resObj["deletedSecrets"] = deleteSecrets.map((d) => d.toString());
+    resObj["deletedSecrets"] = deleteSecrets.map((d) => d._id.toString());
  }

  return res.status(200).send(resObj);
@ -406,7 +508,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    }   
    */

-  const channel = getChannelFromUserAgent(req.headers["user-agent"]);
+  const channel = getUserAgentType(req.headers["user-agent"]);
  const {
    workspaceId,
    environment,
@ -535,7 +637,9 @@ export const createSecrets = async (req: Request, res: Response) => {
    // trigger event - push secrets
    await EventService.handleEvent({
      event: eventPushSecrets({
-        workspaceId: new Types.ObjectId(workspaceId)
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        secretPath: secretPath || "/"
      })
    });
  }, 5000);
@ -679,16 +783,22 @@ export const getSecrets = async (req: Request, res: Response) => {
    }   
    */

-  const { tagSlugs, secretPath } = req.query;
+  const { tagSlugs, secretPath, include_imports } = req.query;
  let { folderId } = req.query;
  const workspaceId = req.query.workspaceId as string;
  const environment = req.query.environment as string;

  const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if ((!folders && folderId && folderId !== "root") || (!folders && secretPath)) {
+
+  if (
+    // if no folders and asking for a non root folder id or non root secret path
+    (!folders && folderId && folderId !== "root") ||
+    (!folders && secretPath && secretPath !== "/")
+  ) {
    res.send({ secrets: [] });
    return;
  }
+
  if (folders && folderId !== "root") {
    const folder = searchByFolderId(folders.nodes, folderId as string);
    if (!folder) {
@ -816,7 +926,13 @@ export const getSecrets = async (req: Request, res: Response) => {
    secrets = await Secret.find(secretQuery).populate("tags");
  }

-  const channel = getChannelFromUserAgent(req.headers["user-agent"]);
+  // TODO(akhilmhdh) - secret-imp change this to org type
+  let importedSecrets: any[] = [];
+  if (include_imports === "true") {
+    importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId as string);
+  }
+
+  const channel = getUserAgentType(req.headers["user-agent"]);

  const readAction = await EELogService.createAction({
    name: ACTION_READ_SECRETS,
@ -838,26 +954,57 @@ export const getSecrets = async (req: Request, res: Response) => {
      ipAddress: req.realIP
    }));

-  const postHogClient = await TelemetryService.getPostHogClient();
-  if (postHogClient) {
-    postHogClient.capture({
-      event: "secrets pulled",
-      distinctId: await TelemetryService.getDistinctId({
-        authData: req.authData
-      }),
-      properties: {
-        numberOfSecrets: secrets.length,
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.GET_SECRETS,
+      metadata: {
        environment,
-        workspaceId,
-        channel,
-        folderId,
-        userAgent: req.headers?.["user-agent"]
+        secretPath: (secretPath as string) ?? "/",
+        numberOfSecrets: secrets.length
      }
-    });
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId as string)
+    }
+  );
+
+  const postHogClient = await TelemetryService.getPostHogClient();
+
+  // reduce the number of events captured
+  let shouldRecordK8Event = false
+  if (req.authData instanceof ServiceTokenData && req.authData.userAgent == K8_USER_AGENT_NAME) {
+    const randomNumber = Math.random();
+    if (randomNumber > 0.9) {
+      shouldRecordK8Event = true
+    }
+  }
+
+  if (postHogClient) {
+    const shouldCapture = req.authData.userAgent !== K8_USER_AGENT_NAME || shouldRecordK8Event;
+    const approximateForNoneCapturedEvents = secrets.length * 10
+
+    if (shouldCapture) {
+      postHogClient.capture({
+        event: "secrets pulled",
+        distinctId: await TelemetryService.getDistinctId({
+          authData: req.authData
+        }),
+        properties: {
+          numberOfSecrets: shouldRecordK8Event ? approximateForNoneCapturedEvents : secrets.length,
+          environment,
+          workspaceId,
+          folderId,
+          channel: req.authData.userAgentType,
+          userAgent: req.authData.userAgent
+        }
+      });
+    }
  }

  return res.status(200).send({
-    secrets
+    secrets,
+    ...(include_imports && { imports: importedSecrets })
  });
 };

@ -959,10 +1106,10 @@ export const updateSecrets = async (req: Request, res: Response) => {
          tags,
          ...(secretCommentCiphertext !== undefined && secretCommentIV && secretCommentTag
            ? {
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag
-              }
+              secretCommentCiphertext,
+              secretCommentIV,
+              secretCommentTag
+            }
            : {})
        }
      }
@ -1033,13 +1180,16 @@ export const updateSecrets = async (req: Request, res: Response) => {

  Object.keys(workspaceSecretObj).forEach(async (key) => {
    // trigger event - push secrets
-    setTimeout(async () => {
-      await EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: new Types.ObjectId(key)
-        })
-      });
-    }, 10000);
+    // This route is not used anymore thus keep it commented out as it does not expose environment
+    // it will end up creating a lot of requests from the server
+    // setTimeout(async () => {
+    //   await EventService.handleEvent({
+    //     event: eventPushSecrets({
+    //       workspaceId: new Types.ObjectId(key),
+    //       environment,
+    //     })
+    //   });
+    // }, 10000);

    const updateAction = await EELogService.createAction({
      name: ACTION_UPDATE_SECRETS,
@ -1148,7 +1298,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
    }   
    */

-  const channel = getChannelFromUserAgent(req.headers["user-agent"]);
+  const channel = getUserAgentType(req.headers["user-agent"]);
  const toDelete = req.secrets.map((s: any) => s._id);

  await Secret.deleteMany({
@ -1174,11 +1324,13 @@ export const deleteSecrets = async (req: Request, res: Response) => {

  Object.keys(workspaceSecretObj).forEach(async (key) => {
    // trigger event - push secrets
-    await EventService.handleEvent({
-      event: eventPushSecrets({
-        workspaceId: new Types.ObjectId(key)
-      })
-    });
+    // DEPRECIATED(akhilmhdh): as this would cause server to send so many request
+    // and this route is not used anymore thus like snapshot keeping it commented out
+    // await EventService.handleEvent({
+    //   event: eventPushSecrets({
+    //     workspaceId: new Types.ObjectId(key)
+    //   })
+    // });
    const deleteAction = await EELogService.createAction({
      name: ACTION_DELETE_SECRETS,
      userId: req.user?._id,
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -2,7 +2,7 @@ import { Request, Response } from "express";
 import { Types } from "mongoose";
 import crypto from "crypto";
 import bcrypt from "bcrypt";
-import { 
+import {
    ServiceAccount,
    ServiceAccountKey,
    ServiceAccountOrganizationPermission,
@ -21,11 +21,11 @@ import { getSaltRounds } from "../../config";
 */
 export const getCurrentServiceAccount = async (req: Request, res: Response) => {
    const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
-    
+
    if (!serviceAccount) {
        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
    }
-    
+
    return res.status(200).send({
        serviceAccount,
    });
@ -38,13 +38,13 @@ export const getCurrentServiceAccount = async (req: Request, res: Response) => {
 */
 export const getServiceAccountById = async (req: Request, res: Response) => {
    const { serviceAccountId } = req.params;
-    
+
    const serviceAccount = await ServiceAccount.findById(serviceAccountId);
-    
+
    if (!serviceAccount) {
        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
    }
-    
+
    return res.status(200).send({
        serviceAccount,
    });
@ -73,7 +73,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {

    const secret = crypto.randomBytes(16).toString("base64");
    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-    
+
    // create service account
    const serviceAccount = await new ServiceAccount({
        name,
@ -83,17 +83,17 @@ export const createServiceAccount = async (req: Request, res: Response) => {
        lastUsed: new Date(),
        expiresAt,
        secretHash,
-    }).save();
-    
+    }).save()
+
    const serviceAccountObj = serviceAccount.toObject();
-    
-    delete serviceAccountObj.secretHash;
+
+    delete (serviceAccountObj as any).secretHash;

    // provision default org-level permission for service account
    await new ServiceAccountOrganizationPermission({
        serviceAccount: serviceAccount._id,
    }).save();
-    
+
    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");

    return res.status(200).send({
@ -111,7 +111,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
 export const changeServiceAccountName = async (req: Request, res: Response) => {
    const { serviceAccountId } = req.params;
    const { name } = req.body;
-    
+
    const serviceAccount = await ServiceAccount.findOneAndUpdate(
        {
            _id: new Types.ObjectId(serviceAccountId),
@ -123,7 +123,7 @@ export const changeServiceAccountName = async (req: Request, res: Response) => {
            new: true,
        }
    );
-    
+
    return res.status(200).send({
        serviceAccount,
    });
@ -142,7 +142,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
        encryptedKey,
        nonce,
    } = req.body;
-    
+
    const serviceAccountKey = await new ServiceAccountKey({
        encryptedKey,
        nonce,
@ -163,7 +163,7 @@ export const getServiceAccountWorkspacePermissions = async (req: Request, res: R
    const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
        serviceAccount: req.serviceAccount._id,
    }).populate("workspace");
-    
+
    return res.status(200).send({
        serviceAccountWorkspacePermissions,
    });
@ -184,19 +184,19 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
        encryptedKey,
        nonce,
    } = req.body;
-    
+
    if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
        return res.status(400).send({
            message: "Failed to validate workspace environment",
        });
    }
-    
+
    const existingPermission = await ServiceAccountWorkspacePermission.findOne({
        serviceAccount: new Types.ObjectId(serviceAccountId),
        workspace: new Types.ObjectId(workspaceId),
        environment,
    });
-    
+
    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });

    const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
@ -206,12 +206,12 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
        read,
        write,
    }).save();
-    
+
    const existingServiceAccountKey = await ServiceAccountKey.findOne({
        serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId), 
+        workspace: new Types.ObjectId(workspaceId),
    });
-    
+
    if (!existingServiceAccountKey) {
        await new ServiceAccountKey({
            encryptedKey,
@ -242,7 +242,7 @@ export const deleteServiceAccountWorkspacePermission = async (req: Request, res:
            serviceAccount,
            workspace,
        });
-        
+
        if (count === 0) {
            await ServiceAccountKey.findOneAndDelete({
                serviceAccount,
@ -294,12 +294,12 @@ export const deleteServiceAccount = async (req: Request, res: Response) => {
 */
 export const getServiceAccountKeys = async (req: Request, res: Response) => {
    const workspaceId = req.query.workspaceId as string;
-    
+
    const serviceAccountKeys = await ServiceAccountKey.find({
        serviceAccount: req.serviceAccount._id,
        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
    });
-    
+
    return res.status(200).send({
        serviceAccountKeys,
    });
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -1,12 +1,11 @@
 import { Request, Response } from "express";
 import crypto from "crypto";
 import bcrypt from "bcrypt";
-import { ServiceAccount, ServiceTokenData, User } from "../../models";
-import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
+import { ServiceTokenData } from "../../models";
 import { getSaltRounds } from "../../config";
 import { BadRequestError } from "../../utils/errors";
-import Folder from "../../models/folder";
-import { getFolderByPath } from "../../services/FolderService";
+import { ActorType, EventType } from "../../ee/models";
+import { EEAuditLogService } from "../../ee/services";

 /**
 * Return service token data associated with service token on request
@ -75,24 +74,16 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
  }

-  let user, serviceAccount;
-
-  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+  let user;
+  
+  if (req.authData.actor.type === ActorType.USER) {
    user = req.authData.authPayload._id;
  }

-  if (
-    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
-    req.authData.authPayload instanceof ServiceAccount
-  ) {
-    serviceAccount = req.authData.authPayload._id;
-  }
-
  serviceTokenData = await new ServiceTokenData({
    name,
    workspace: workspaceId,
    user,
-    serviceAccount,
    scopes,
    lastUsed: new Date(),
    expiresAt,
@ -109,6 +100,20 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
  if (!serviceTokenData) throw new Error("Failed to find service token data");

  const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.CREATE_SERVICE_TOKEN,
+      metadata: {
+        name,
+        scopes
+      }
+    },
+    {
+      workspaceId
+    }
+  );

  return res.status(200).send({
    serviceToken,
@ -126,6 +131,24 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
  const { serviceTokenDataId } = req.params;

  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+  
+  if (!serviceTokenData) return res.status(200).send({
+    message: "Failed to delete service token"
+  });
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_SERVICE_TOKEN,
+      metadata: {
+        name: serviceTokenData.name,
+        scopes: serviceTokenData?.scopes
+      }
+    },
+    {
+      workspaceId: serviceTokenData.workspace
+    }
+  );

  return res.status(200).send({
    serviceTokenData
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -18,7 +18,7 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 * @returns
 */
 export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
  const {
    email,
    firstName,
@ -119,7 +119,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
    userAgent: req.headers["user-agent"] ?? "",
  });

-  token = tokens.token;
+  const token = tokens.token;

  // sending a welcome email to new users
  if (await getLoopsApiKey()) {
@ -159,7 +159,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 * @returns
 */
 export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
  const {
    email,
    firstName,
@ -244,7 +244,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
    userAgent: req.headers["user-agent"] ?? "",
  });

-  token = tokens.token;
+  const token = tokens.token;

  // store (refresh) token in httpOnly cookie
  res.cookie("jid", tokens.refreshToken, {
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -6,10 +6,11 @@ import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";

 export const createWorkspaceTag = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;
-  const { name, slug } = req.body;
+  const { name, slug, tagColor } = req.body;
  
  const tagToCreate = {
      name,
+      tagColor,
      workspace: new Types.ObjectId(workspaceId),
      slug,
      user: new Types.ObjectId(req.user._id),
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -3,10 +3,11 @@ import { Types } from "mongoose";
 import crypto from "crypto";
 import bcrypt from "bcrypt";
 import {
-    MembershipOrg,
-    User,
    APIKeyData,
-    TokenVersion
+    AuthMethod,
+    MembershipOrg,
+    TokenVersion,
+    User
 } from "../../models";
 import { getSaltRounds } from "../../config";

@ -80,6 +81,79 @@ export const updateMyMfaEnabled = async (req: Request, res: Response) => {
    });
 }

+/**
+ * Update name of the current user to [firstName, lastName].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateName = async (req: Request, res: Response) => {
+    const { 
+        firstName, 
+        lastName 
+    }: { 
+        firstName: string; 
+        lastName: string; 
+    } = req.body;
+    
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            firstName,
+            lastName: lastName ?? ""
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send({
+        user,
+    });
+}
+
+/**
+ * Update auth method of the current user to [authMethods]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+ export const updateAuthMethods = async (req: Request, res: Response) => {
+    const {
+        authMethods
+    } = req.body;
+    
+    const hasSamlEnabled = req.user.authMethods
+        .some(
+            (authMethod: AuthMethod) => [
+                AuthMethod.OKTA_SAML,
+                AuthMethod.AZURE_SAML,
+                AuthMethod.JUMPCLOUD_SAML
+            ].includes(authMethod)
+        );
+
+    if (hasSamlEnabled) {
+        return res.status(400).send({
+            message: "Failed to update user authentication method because SAML SSO is enforced"
+        });
+    }
+
+    const user = await User.findByIdAndUpdate(
+        req.user._id.toString(),
+        {
+            authMethods
+        },
+        {
+            new: true
+        }
+    );
+
+    return res.status(200).send({
+        user
+    });
+}
+
+
 /**
 * Return organizations that the current user is part of.
 * @param req 
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -1,34 +1,31 @@
 import { Request, Response } from "express";
 import { Types } from "mongoose";
+import { Key, Membership, ServiceTokenData, Workspace } from "../../models";
 import {
-	Key,
-	Membership,
-	ServiceTokenData,
-	Workspace,
-} from "../../models";
-import {
-	pullSecrets as pull,
-	v2PushSecrets as push,
-	reformatPullSecrets,
+  pullSecrets as pull,
+  v2PushSecrets as push,
+  reformatPullSecrets
 } from "../../helpers/secret";
 import { pushKeys } from "../../helpers/key";
 import { EventService, TelemetryService } from "../../services";
 import { eventPushSecrets } from "../../events";
+import { EEAuditLogService } from "../../ee/services";
+import { EventType } from "../../ee/models";

 interface V2PushSecret {
-	type: string; // personal or shared
-	secretKeyCiphertext: string;
-	secretKeyIV: string;
-	secretKeyTag: string;
-	secretKeyHash: string;
-	secretValueCiphertext: string;
-	secretValueIV: string;
-	secretValueTag: string;
-	secretValueHash: string;
-	secretCommentCiphertext?: string;
-	secretCommentIV?: string;
-	secretCommentTag?: string;
-	secretCommentHash?: string;
+  type: string; // personal or shared
+  secretKeyCiphertext: string;
+  secretKeyIV: string;
+  secretKeyTag: string;
+  secretKeyHash: string;
+  secretValueCiphertext: string;
+  secretValueIV: string;
+  secretValueTag: string;
+  secretValueHash: string;
+  secretCommentCiphertext?: string;
+  secretCommentIV?: string;
+  secretCommentTag?: string;
+  secretCommentHash?: string;
 }

 /**
@ -39,7 +36,7 @@ interface V2PushSecret {
 * @returns
 */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
+  // upload (encrypted) secrets to workspace with id [workspaceId]
  const postHogClient = await TelemetryService.getPostHogClient();
  let { secrets }: { secrets: V2PushSecret[] } = req.body;
  const { keys, environment, channel } = req.body;
@ -62,13 +59,13 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
    environment,
    secrets,
    channel: channel ? channel : "cli",
-    ipAddress: req.realIP,
+    ipAddress: req.realIP
  });

  await pushKeys({
    userId: req.user._id,
    workspaceId,
-    keys,
+    keys
  });

  if (postHogClient) {
@ -79,8 +76,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
        numberOfSecrets: secrets.length,
        environment,
        workspaceId,
-        channel: channel ? channel : "cli",
-      },
+        channel: channel ? channel : "cli"
+      }
    });
  }

@ -89,12 +86,13 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath: "/"
+    })
  });

-	return res.status(200).send({
-		message: "Successfully uploaded workspace secrets",
-	});
+  return res.status(200).send({
+    message: "Successfully uploaded workspace secrets"
+  });
 };

 /**
@ -105,7 +103,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 * @returns
 */
 export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
+  let secrets;
  const postHogClient = await TelemetryService.getPostHogClient();
  const environment: string = req.query.environment as string;
  const channel: string = req.query.channel as string;
@ -128,7 +126,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
    workspaceId,
    environment,
    channel: channel ? channel : "cli",
-    ipAddress: req.realIP,
+    ipAddress: req.realIP
  });

  if (channel !== "cli") {
@ -144,18 +142,18 @@ export const pullSecrets = async (req: Request, res: Response) => {
        numberOfSecrets: secrets.length,
        environment,
        workspaceId,
-        channel: channel ? channel : "cli",
-      },
+        channel: channel ? channel : "cli"
+      }
    });
  }

-	return res.status(200).send({
-		secrets,
-	});
+  return res.status(200).send({
+    secrets
+  });
 };

 export const getWorkspaceKey = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Return encrypted project key'
    #swagger.description = 'Return encrypted project key'
    
@ -183,43 +181,51 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
        }
    }   
    */
-	let key;
  const { workspaceId } = req.params;
-
-  key = await Key.findOne({
+  
+  const key = await Key.findOne({
    workspace: workspaceId,
-    receiver: req.user._id,
+    receiver: req.user._id
  }).populate("sender", "+publicKey");

  if (!key) throw new Error("Failed to find workspace key");
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.GET_WORKSPACE_KEY,
+      metadata: {
+        keyId: key._id.toString()
+      }
+    },
+    {
+      workspaceId: new Types.ObjectId(workspaceId)
+    }
+  );

-	return res.status(200).json(key);
-}
-export const getWorkspaceServiceTokenData = async (
-	req: Request,
-	res: Response
-) => {
+  return res.status(200).json(key);
+};
+
+export const getWorkspaceServiceTokenData = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;

-  const serviceTokenData = await ServiceTokenData
-    .find({
-      workspace: workspaceId,
-    })
-    .select("+encryptedKey +iv +tag");
+  const serviceTokenData = await ServiceTokenData.find({
+    workspace: workspaceId
+  }).select("+encryptedKey +iv +tag");

-	return res.status(200).send({
-		serviceTokenData,
-	});
-}
+  return res.status(200).send({
+    serviceTokenData
+  });
+};

 /**
 * Return memberships for workspace with id [workspaceId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Return project memberships'
    #swagger.description = 'Return project memberships'
    
@ -255,22 +261,22 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  const { workspaceId } = req.params;

  const memberships = await Membership.find({
-    workspace: workspaceId,
+    workspace: workspaceId
  }).populate("user", "+publicKey");

-	return res.status(200).send({
-		memberships,
-	});
-}
+  return res.status(200).send({
+    memberships
+  });
+};

 /**
 * Update role of membership with id [membershipId] to role [role]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const updateWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Update project membership'
    #swagger.description = 'Update project membership'
    
@ -323,33 +329,32 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
        }
    }   
    */
-  const {
-    membershipId,
-  } = req.params;
+  const { membershipId } = req.params;
  const { role } = req.body;
-  
+
  const membership = await Membership.findByIdAndUpdate(
    membershipId,
    {
-      role,
-    }, {
-      new: true,
+      role
+    },
+    {
+      new: true
    }
  );

-	return res.status(200).send({
-		membership,
-	}); 
-}
+  return res.status(200).send({
+    membership
+  });
+};

 /**
 * Delete workspace membership with id [membershipId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const deleteWorkspaceMembership = async (req: Request, res: Response) => {
-	/* 
+  /* 
    #swagger.summary = 'Delete project membership'
    #swagger.description = 'Delete project membership'
    
@ -385,23 +390,21 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
        }
    }   
    */
-  const { 
-    membershipId,
-  } = req.params;
-  
+  const { membershipId } = req.params;
+
  const membership = await Membership.findByIdAndDelete(membershipId);
-  
+
  if (!membership) throw new Error("Failed to delete workspace membership");
-  
+
  await Key.deleteMany({
    receiver: membership.user,
-    workspace: membership.workspace,
+    workspace: membership.workspace
  });
-	
-	return res.status(200).send({
-		membership,
-	});
-}
+
+  return res.status(200).send({
+    membership
+  });
+};

 /**
 * Change autoCapitilzation Rule of workspace
@ -415,18 +418,18 @@ export const toggleAutoCapitalization = async (req: Request, res: Response) => {

  const workspace = await Workspace.findOneAndUpdate(
    {
-      _id: workspaceId,
+      _id: workspaceId
    },
    {
-      autoCapitalization,
+      autoCapitalization
    },
    {
-      new: true,
+      new: true
    }
  );

-	return res.status(200).send({
-		message: "Successfully changed autoCapitalization setting",
-		workspace,
-	});
+  return res.status(200).send({
+    message: "Successfully changed autoCapitalization setting",
+    workspace
+  });
 };
--- a/backend/src/controllers/v3/authController.ts
+++ b/backend/src/controllers/v3/authController.ts
@ -1,7 +1,6 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
 import { Request, Response } from "express";
 import jwt from "jsonwebtoken";
-import * as Sentry from "@sentry/node";
 import * as bigintConversion from "bigint-conversion";
 const jsrp = require("jsrp");
 import { LoginSRPDetail, User } from "../../models";
@ -15,19 +14,19 @@ import {
    ACTION_LOGIN,
    TOKEN_EMAIL_MFA,
 } from "../../variables";
-import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
+import { getUserAgentType } from "../../utils/posthog"; // TODO: move this
 import {
    getHttpsEnabled,
    getJwtMfaLifetime,
    getJwtMfaSecret,
 } from "../../config";
-import { AuthProvider } from "../../models/user";
+import { AuthMethod } from "../../models/user";

 declare module "jsonwebtoken" {
    export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
        userId: string;
        email: string;
-        authProvider: AuthProvider;
+        authProvider: AuthMethod;
        isUserCompleted: boolean,
    }
 }
@ -39,62 +38,53 @@ declare module "jsonwebtoken" {
 * @returns
 */
 export const login1 = async (req: Request, res: Response) => {
-    try {
-        const {
+    const {
+        email,
+        providerAuthToken,
+        clientPublicKey,
+    }: {
+        email: string;
+        clientPublicKey: string,
+        providerAuthToken?: string;
+    } = req.body;
+    
+    const user = await User.findOne({
+        email,
+    }).select("+salt +verifier");
+
+    if (!user) throw new Error("Failed to find user");
+    
+    if (!user.authMethods.includes(AuthMethod.EMAIL)) {
+        await validateProviderAuthToken({
            email,
            providerAuthToken,
-            clientPublicKey,
-        }: {
-            email: string;
-            clientPublicKey: string,
-            providerAuthToken?: string;
-        } = req.body;
-
-        const user = await User.findOne({
-            email,
-        }).select("+salt +verifier");
-
-        if (!user) throw new Error("Failed to find user");
-
-        if (user.authProvider) {
-            await validateProviderAuthToken({
-                email,
-                user,
-                providerAuthToken,
-            })
-        }
-
-        const server = new jsrp.server();
-        server.init(
-            {
-                salt: user.salt,
-                verifier: user.verifier,
-            },
-            async () => {
-                // generate server-side public key
-                const serverPublicKey = server.getPublicKey();
-                await LoginSRPDetail.findOneAndReplace({
-                    email: email,
-                }, {
-                    email,
-                    userId: user.id,
-                    clientPublicKey: clientPublicKey,
-                    serverBInt: bigintConversion.bigintToBuf(server.bInt),
-                }, { upsert: true, returnNewDocument: false });
-
-                return res.status(200).send({
-                    serverPublicKey,
-                    salt: user.salt,
-                });
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: "Failed to start authentication process",
        });
    }
+
+    const server = new jsrp.server();
+    server.init(
+        {
+            salt: user.salt,
+            verifier: user.verifier,
+        },
+        async () => {
+            // generate server-side public key
+            const serverPublicKey = server.getPublicKey();
+            await LoginSRPDetail.findOneAndReplace({
+                email: email,
+            }, {
+                email,
+                userId: user.id,
+                clientPublicKey: clientPublicKey,
+                serverBInt: bigintConversion.bigintToBuf(server.bInt),
+            }, { upsert: true, returnNewDocument: false });
+
+            return res.status(200).send({
+                serverPublicKey,
+                salt: user.salt,
+            });
+        }
+    );
 };

 /**
@ -105,160 +95,150 @@ export const login1 = async (req: Request, res: Response) => {
 * @returns
 */
 export const login2 = async (req: Request, res: Response) => {
-    try {
+    if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });

-        if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
+    const { email, clientProof, providerAuthToken } = req.body;

-        const { email, clientProof, providerAuthToken } = req.body;
+    const user = await User.findOne({
+        email,
+    }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");

-        const user = await User.findOne({
+    if (!user) throw new Error("Failed to find user");
+    
+    if (!user.authMethods.includes(AuthMethod.EMAIL)) {
+        await validateProviderAuthToken({
            email,
-        }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
+            providerAuthToken,
+        })
+    }

-        if (!user) throw new Error("Failed to find user");
+    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })

-        if (user.authProvider) {
-            await validateProviderAuthToken({
-                email,
-                user,
-                providerAuthToken,
-            })
-        }
+    if (!loginSRPDetail) {
+        return BadRequestError(Error("Failed to find login details for SRP"))
+    }

-        const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+    const server = new jsrp.server();
+    server.init(
+        {
+            salt: user.salt,
+            verifier: user.verifier,
+            b: loginSRPDetail.serverBInt,
+        },
+        async () => {
+            server.setClientPublicKey(loginSRPDetail.clientPublicKey);

-        if (!loginSRPDetail) {
-            return BadRequestError(Error("Failed to find login details for SRP"))
-        }
+            // compare server and client shared keys
+            if (server.checkClientProof(clientProof)) {

-        const server = new jsrp.server();
-        server.init(
-            {
-                salt: user.salt,
-                verifier: user.verifier,
-                b: loginSRPDetail.serverBInt,
-            },
-            async () => {
-                server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+                if (user.isMfaEnabled) {
+                    // case: user has MFA enabled

-                // compare server and client shared keys
-                if (server.checkClientProof(clientProof)) {
-
-                    if (user.isMfaEnabled) {
-                        // case: user has MFA enabled
-
-                        // generate temporary MFA token
-                        const token = createToken({
-                            payload: {
-                                userId: user._id.toString(),
-                            },
-                            expiresIn: await getJwtMfaLifetime(),
-                            secret: await getJwtMfaSecret(),
-                        });
-
-                        const code = await TokenService.createToken({
-                            type: TOKEN_EMAIL_MFA,
-                            email,
-                        });
-
-                        // send MFA code [code] to [email]
-                        await sendMail({
-                            template: "emailMfa.handlebars",
-                            subjectLine: "Infisical MFA code",
-                            recipients: [user.email],
-                            substitutions: {
-                                code,
-                            },
-                        });
-
-                        return res.status(200).send({
-                            mfaEnabled: true,
-                            token,
-                        });
-                    }
-
-                    await checkUserDevice({
-                        user,
-                        ip: req.realIP,
-                        userAgent: req.headers["user-agent"] ?? "",
+                    // generate temporary MFA token
+                    const token = createToken({
+                        payload: {
+                            userId: user._id.toString(),
+                        },
+                        expiresIn: await getJwtMfaLifetime(),
+                        secret: await getJwtMfaSecret(),
                    });

-                    // issue tokens
-                    const tokens = await issueAuthTokens({ 
-                        userId: user._id,
-                        ip: req.realIP,
-                        userAgent: req.headers["user-agent"] ?? "",
+                    const code = await TokenService.createToken({
+                        type: TOKEN_EMAIL_MFA,
+                        email,
                    });

-                    // store (refresh) token in httpOnly cookie
-                    res.cookie("jid", tokens.refreshToken, {
-                        httpOnly: true,
-                        path: "/",
-                        sameSite: "strict",
-                        secure: await getHttpsEnabled(),
+                    // send MFA code [code] to [email]
+                    await sendMail({
+                        template: "emailMfa.handlebars",
+                        subjectLine: "Infisical MFA code",
+                        recipients: [user.email],
+                        substitutions: {
+                            code,
+                        },
                    });

-                    // case: user does not have MFA enablgged
-                    // return (access) token in response
-
-                    interface ResponseData {
-                        mfaEnabled: boolean;
-                        encryptionVersion: any;
-                        protectedKey?: string;
-                        protectedKeyIV?: string;
-                        protectedKeyTag?: string;
-                        token: string;
-                        publicKey?: string;
-                        encryptedPrivateKey?: string;
-                        iv?: string;
-                        tag?: string;
-                    }
-
-                    const response: ResponseData = {
-                        mfaEnabled: false,
-                        encryptionVersion: user.encryptionVersion,
-                        token: tokens.token,
-                        publicKey: user.publicKey,
-                        encryptedPrivateKey: user.encryptedPrivateKey,
-                        iv: user.iv,
-                        tag: user.tag,
-                    }
-
-                    if (
-                        user?.protectedKey &&
-                        user?.protectedKeyIV &&
-                        user?.protectedKeyTag
-                    ) {
-                        response.protectedKey = user.protectedKey;
-                        response.protectedKeyIV = user.protectedKeyIV
-                        response.protectedKeyTag = user.protectedKeyTag;
-                    }
-
-                    const loginAction = await EELogService.createAction({
-                        name: ACTION_LOGIN,
-                        userId: user._id,
+                    return res.status(200).send({
+                        mfaEnabled: true,
+                        token,
                    });
-
-                    loginAction && await EELogService.createLog({
-                        userId: user._id,
-                        actions: [loginAction],
-                        channel: getChannelFromUserAgent(req.headers["user-agent"]),
-                        ipAddress: req.realIP,
-                    });
-
-                    return res.status(200).send(response);
                }

-                return res.status(400).send({
-                    message: "Failed to authenticate. Try again?",
+                await checkUserDevice({
+                    user,
+                    ip: req.realIP,
+                    userAgent: req.headers["user-agent"] ?? "",
                });
+
+                // issue tokens
+                const tokens = await issueAuthTokens({ 
+                    userId: user._id,
+                    ip: req.realIP,
+                    userAgent: req.headers["user-agent"] ?? "",
+                });
+                
+                // store (refresh) token in httpOnly cookie
+                res.cookie("jid", tokens.refreshToken, {
+                    httpOnly: true,
+                    path: "/",
+                    sameSite: "strict",
+                    secure: await getHttpsEnabled(),
+                });
+
+                // case: user does not have MFA enablgged
+                // return (access) token in response
+
+                interface ResponseData {
+                    mfaEnabled: boolean;
+                    encryptionVersion: any;
+                    protectedKey?: string;
+                    protectedKeyIV?: string;
+                    protectedKeyTag?: string;
+                    token: string;
+                    publicKey?: string;
+                    encryptedPrivateKey?: string;
+                    iv?: string;
+                    tag?: string;
+                }
+
+                const response: ResponseData = {
+                    mfaEnabled: false,
+                    encryptionVersion: user.encryptionVersion,
+                    token: tokens.token,
+                    publicKey: user.publicKey,
+                    encryptedPrivateKey: user.encryptedPrivateKey,
+                    iv: user.iv,
+                    tag: user.tag,
+                }
+
+                if (
+                    user?.protectedKey &&
+                    user?.protectedKeyIV &&
+                    user?.protectedKeyTag
+                ) {
+                    response.protectedKey = user.protectedKey;
+                    response.protectedKeyIV = user.protectedKeyIV
+                    response.protectedKeyTag = user.protectedKeyTag;
+                }
+
+                const loginAction = await EELogService.createAction({
+                    name: ACTION_LOGIN,
+                    userId: user._id,
+                });
+
+                loginAction && await EELogService.createLog({
+                    userId: user._id,
+                    actions: [loginAction],
+                    channel: getUserAgentType(req.headers["user-agent"]),
+                    ipAddress: req.realIP,
+                });
+
+                return res.status(200).send(response);
            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: "Failed to authenticate. Try again?",
-        });
-    }
+
+            return res.status(400).send({
+                message: "Failed to authenticate. Try again?",
+            });
+        }
+    );
 };
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -3,8 +3,15 @@ import { Types } from "mongoose";
 import { EventService, SecretService } from "../../services";
 import { eventPushSecrets } from "../../events";
 import { BotService } from "../../services";
-import { repackageSecretToRaw } from "../../helpers/secrets";
+import { containsGlobPatterns, repackageSecretToRaw } from "../../helpers/secrets";
 import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+import { getAllImportedSecrets } from "../../services/SecretImportService";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";
+import { IServiceTokenData } from "../../models";
+import { requireWorkspaceAuth } from "../../middleware";
+import { ADMIN, MEMBER, PERMISSION_READ_SECRETS } from "../../variables";

 /**
 * Return secrets for workspace with id [workspaceId] and environment
@ -13,30 +20,75 @@ import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
 * @param res
 */
 export const getSecretsRaw = async (req: Request, res: Response) => {
-  const workspaceId = req.query.workspaceId as string;
-  const environment = req.query.environment as string;
-  const secretPath = req.query.secretPath as string;
+  let workspaceId = req.query.workspaceId as string;
+  let environment = req.query.environment as string;
+  let secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;
+
+  // if the service token has single scope, it will get all secrets for that scope by default
+  const serviceTokenDetails: IServiceTokenData = req?.serviceTokenData;
+  if (serviceTokenDetails && serviceTokenDetails.scopes.length == 1 && !containsGlobPatterns(serviceTokenDetails.scopes[0].secretPath)) {
+    const scope = serviceTokenDetails.scopes[0];
+    secretPath = scope.secretPath;
+    environment = scope.environment;
+    workspaceId = serviceTokenDetails.workspace.toString();
+  } else {
+    requireWorkspaceAuth({
+      acceptedRoles: [ADMIN, MEMBER],
+      locationWorkspaceId: "query",
+      locationEnvironment: "query",
+      requiredPermissions: [PERMISSION_READ_SECRETS],
+      requireBlindIndicesEnabled: true,
+      requireE2EEOff: true
+    });
+  }
+

  const secrets = await SecretService.getSecrets({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

+  if (includeImports === "true") {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets: secrets.map((secret) =>
+        repackageSecretToRaw({
+          secret,
+          key
+        })
+      ),
+      imports: importedSecrets.map((el) => ({
+        ...el,
+        secrets: el.secrets.map((secret) => repackageSecretToRaw({ secret, key }))
+      }))
+    });
+  }
+
  return res.status(200).send({
    secrets: secrets.map((secret) => {
      const rep = repackageSecretToRaw({
        secret,
-        key,
+        key
      });
-
      return rep;
-    }),
+    })
  });
 };

@ -58,54 +110,47 @@ export const getSecretByNameRaw = async (req: Request, res: Response) => {
    environment,
    type,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  return res.status(200).send({
    secret: repackageSecretToRaw({
      secret,
-      key,
-    }),
+      key
+    })
  });
 };

 /**
 * Create secret with name [secretName] in plaintext
 * @param req
- * @param res 
+ * @param res
 */
 export const createSecretRaw = async (req: Request, res: Response) => {
  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretValue,
-    secretComment,
-    secretPath = "/",
-  } = req.body;
+  const { workspaceId, environment, type, secretValue, secretComment, secretPath = "/" } = req.body;

  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
    plaintext: secretName,
-    key,
+    key
  });

  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
    plaintext: secretValue,
-    key,
+    key
  });

  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
    plaintext: secretComment,
-    key,
+    key
  });

  const secret = await SecretService.createSecret({
@ -123,14 +168,15 @@ export const createSecretRaw = async (req: Request, res: Response) => {
    secretPath,
    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
    secretCommentIV: secretCommentEncrypted.iv,
-    secretCommentTag: secretCommentEncrypted.tag,
+    secretCommentTag: secretCommentEncrypted.tag
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  const secretWithoutBlindIndex = secret.toObject();
@ -139,10 +185,10 @@ export const createSecretRaw = async (req: Request, res: Response) => {
  return res.status(200).send({
    secret: repackageSecretToRaw({
      secret: secretWithoutBlindIndex,
-      key,
-    }),
+      key
+    })
  });
-}
+};

 /**
 * Update secret with name [secretName]
@ -151,21 +197,15 @@ export const createSecretRaw = async (req: Request, res: Response) => {
 */
 export const updateSecretByNameRaw = async (req: Request, res: Response) => {
  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretValue,
-    secretPath = "/",
-  } = req.body;
+  const { workspaceId, environment, type, secretValue, secretPath = "/" } = req.body;

  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
    plaintext: secretValue,
-    key,
+    key
  });

  const secret = await SecretService.updateSecret({
@ -177,21 +217,22 @@ export const updateSecretByNameRaw = async (req: Request, res: Response) => {
    secretValueCiphertext: secretValueEncrypted.ciphertext,
    secretValueIV: secretValueEncrypted.iv,
    secretValueTag: secretValueEncrypted.tag,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  return res.status(200).send({
    secret: repackageSecretToRaw({
      secret,
-      key,
-    }),
+      key
+    })
  });
 };

@ -202,12 +243,7 @@ export const updateSecretByNameRaw = async (req: Request, res: Response) => {
 */
 export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretPath = "/",
-  } = req.body;
+  const { workspaceId, environment, type, secretPath = "/" } = req.body;

  const { secret } = await SecretService.deleteSecret({
    secretName,
@ -215,25 +251,26 @@ export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
    environment,
    type,
    authData: req.authData,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  const key = await BotService.getWorkspaceKeyWithBot({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
  });

  return res.status(200).send({
    secret: repackageSecretToRaw({
      secret,
-      key,
-    }),
+      key
+    })
  });
 };

@ -247,16 +284,35 @@ export const getSecrets = async (req: Request, res: Response) => {
  const workspaceId = req.query.workspaceId as string;
  const environment = req.query.environment as string;
  const secretPath = req.query.secretPath as string;
+  const includeImports = req.query.include_imports as string;

  const secrets = await SecretService.getSecrets({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

+  if (includeImports === "true") {
+    const folders = await Folder.findOne({ workspace: workspaceId, environment });
+    let folderId = "root";
+    // if folder exist get it and replace folderid with new one
+    if (folders) {
+      const folder = getFolderByPath(folders.nodes, secretPath as string);
+      if (!folder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = folder.id;
+    }
+    const importedSecrets = await getAllImportedSecrets(workspaceId, environment, folderId);
+    return res.status(200).send({
+      secrets,
+      imports: importedSecrets
+    });
+  }
+
  return res.status(200).send({
-    secrets,
+    secrets
  });
 };

@ -278,11 +334,11 @@ export const getSecretByName = async (req: Request, res: Response) => {
    environment,
    type,
    secretPath,
-    authData: req.authData,
+    authData: req.authData
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };

@ -307,6 +363,7 @@ export const createSecret = async (req: Request, res: Response) => {
    secretCommentIV,
    secretCommentTag,
    secretPath = "/",
+    metadata
  } = req.body;

  const secret = await SecretService.createSecret({
@ -325,24 +382,25 @@ export const createSecret = async (req: Request, res: Response) => {
    secretCommentCiphertext,
    secretCommentIV,
    secretCommentTag,
+    metadata
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  const secretWithoutBlindIndex = secret.toObject();
  delete secretWithoutBlindIndex.secretBlindIndex;

  return res.status(200).send({
-    secret: secretWithoutBlindIndex,
+    secret: secretWithoutBlindIndex
  });
 };

-
 /**
 * Update secret with name [secretName]
 * @param req
@ -357,7 +415,7 @@ export const updateSecretByName = async (req: Request, res: Response) => {
    secretValueCiphertext,
    secretValueIV,
    secretValueTag,
-    secretPath = "/",
+    secretPath = "/"
  } = req.body;

  const secret = await SecretService.updateSecret({
@ -369,18 +427,19 @@ export const updateSecretByName = async (req: Request, res: Response) => {
    secretValueCiphertext,
    secretValueIV,
    secretValueTag,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };

@ -391,12 +450,7 @@ export const updateSecretByName = async (req: Request, res: Response) => {
 */
 export const deleteSecretByName = async (req: Request, res: Response) => {
  const { secretName } = req.params;
-  const {
-    workspaceId,
-    environment,
-    type,
-    secretPath = "/",
-  } = req.body;
+  const { workspaceId, environment, type, secretPath = "/" } = req.body;

  const { secret } = await SecretService.deleteSecret({
    secretName,
@ -404,17 +458,18 @@ export const deleteSecretByName = async (req: Request, res: Response) => {
    environment,
    type,
    authData: req.authData,
-    secretPath,
+    secretPath
  });

  await EventService.handleEvent({
    event: eventPushSecrets({
      workspaceId: new Types.ObjectId(workspaceId),
      environment,
-    }),
+      secretPath
+    })
  });

  return res.status(200).send({
-    secret,
+    secret
  });
 };
--- a/backend/src/controllers/v3/signupController.ts
+++ b/backend/src/controllers/v3/signupController.ts
@ -12,6 +12,7 @@ import { standardRequest } from "../../config/request";
 import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
 import { BadRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
+import { AuthMethod } from "../../models";

 /**
 * Complete setting up user by adding their personal and auth information as part of the
@ -70,8 +71,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		if (providerAuthToken) {
 			await validateProviderAuthToken({
 				email,
-				providerAuthToken,
-				user,
+				providerAuthToken
 			});
 		} else {
 			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers["authorization"]?.split(" ", 2) ?? [null, null]
@ -116,11 +116,15 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		if (!user)
 			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null

-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user,
-		});
+		const hasSamlEnabled = user.authMethods.some((authMethod: AuthMethod) => [AuthMethod.OKTA_SAML, AuthMethod.AZURE_SAML, AuthMethod.JUMPCLOUD_SAML].includes(authMethod));
+		
+		if (!hasSamlEnabled) { // TODO: modify this part
+			// initialize default organization and workspace
+			await initializeDefaultOrg({
+				organizationName,
+				user,
+			});
+		}

 		// update organization membership statuses that are
 		// invited to completed with user attached
@ -174,7 +178,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				distinctId: email,
 				properties: {
 					email,
-					attributionSource,
+					...(attributionSource ? { attributionSource } : {})
 				},
 			});
 		}
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,6 +1,8 @@
 import * as secretController from "./secretController";
 import * as secretSnapshotController from "./secretSnapshotController";
 import * as organizationsController from "./organizationsController";
+import * as ssoController from "./ssoController";
+import * as usersController from "./usersController";
 import * as workspaceController from "./workspaceController";
 import * as actionController from "./actionController";
 import * as membershipController from "./membershipController";
@ -10,6 +12,8 @@ export {
    secretController,
    secretSnapshotController,
    organizationsController,
+    ssoController,
+    usersController,
    workspaceController,
    actionController,
    membershipController,
--- a/backend/src/ee/controllers/v1/membershipController.ts
+++ b/backend/src/ee/controllers/v1/membershipController.ts
@ -1,10 +1,12 @@
 import { Request, Response } from "express";
-import { Membership, Workspace } from "../../../models";
+import { IUser, Membership, Workspace } from "../../../models";
+import { EventType } from "../../../ee/models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
 import { ADMIN, MEMBER } from "../../../variables/organization";
 import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../../variables";
 import _ from "lodash";
+import { EEAuditLogService } from "../../services";

 export const denyMembershipPermissions = async (req: Request, res: Response) => {
  const { membershipId } = req.params;
@ -51,12 +53,33 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
    { _id: membershipToModify._id },
    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
    { new: true }
-  )
+  ).populate<{ user: IUser }>("user");

  if (!updatedMembershipWithPermissions) {
    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
  }

+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
+      metadata: {
+        userId: updatedMembershipWithPermissions.user._id.toString(),
+        email: updatedMembershipWithPermissions.user.email,
+        deniedPermissions: updatedMembershipWithPermissions.deniedPermissions.map(({
+          environmentSlug,
+          ability
+        }) => ({
+          environmentSlug,
+          ability
+        }))
+      }
+    },
+    {
+      workspaceId: updatedMembershipWithPermissions.workspace
+    }
+  );
+
  res.send({
    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions,
  })
--- a/backend/src/ee/controllers/v1/organizationsController.ts
+++ b/backend/src/ee/controllers/v1/organizationsController.ts
@ -1,3 +1,4 @@
+import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { getLicenseServerUrl } from "../../../config";
 import { licenseServerKeyRequest } from "../../../config/request";
@ -20,7 +21,7 @@ export const getOrganizationPlan = async (req: Request, res: Response) => {
    const { organizationId } = req.params;
    const workspaceId = req.query.workspaceId as string;

-    const plan = await EELicenseService.getPlan(organizationId, workspaceId);
+    const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId), new Types.ObjectId(workspaceId));

    return res.status(200).send({
        plan,
@ -44,7 +45,7 @@ export const startOrganizationTrial = async (req: Request, res: Response) => {
        }
    ); 
    
-    EELicenseService.delPlan(organizationId);
+    EELicenseService.delPlan(new Types.ObjectId(organizationId));
    
    return res.status(200).send({
        url
@ -137,6 +138,12 @@ export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
    }); 
 }

+/**
+ * Delete payment method with id [pmtMethodId] for organization
+ * @param req 
+ * @param res 
+ * @returns 
+ */
 export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
    const { pmtMethodId } = req.params;

@ -178,6 +185,12 @@ export const addOrganizationTaxId = async (req: Request, res: Response) => {
    return res.status(200).send(data); 
 }

+/**
+ * Delete tax id with id [taxId] from organization tax ids on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
 export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
    const { taxId } = req.params;

@ -188,10 +201,30 @@ export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
    return res.status(200).send(data); 
 }

+/**
+ * Return organization's invoices on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
 export const getOrganizationInvoices = async (req: Request, res: Response) => {
    const { data: { invoices } } = await licenseServerKeyRequest.get(
        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`
    );

    return res.status(200).send(invoices); 
+}
+
+/**
+ * Return organization's licenses on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationLicenses = async (req: Request, res: Response) => {
+    const { data: { licenses } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/licenses`
+    );
+
+    return res.status(200).send(licenses); 
 }
--- a/backend/src/ee/controllers/v1/ssoController.ts
+++ b/backend/src/ee/controllers/v1/ssoController.ts
@ -0,0 +1,240 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { BotOrgService } from "../../../services";
+import { SSOConfig } from "../../models";
+import { 
+    AuthMethod,
+    MembershipOrg,
+    User
+} from "../../../models";
+import { getSSOConfigHelper } from "../../helpers/organizations";
+import { client } from "../../../config";
+import { ResourceNotFoundError } from "../../../utils/errors";
+import { getSiteURL } from "../../../config";
+import { EELicenseService } from "../../services";
+
+/**
+ * Redirect user to appropriate SSO endpoint after successful authentication
+ * to finish inputting their master key for logging in or signing up
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const redirectSSO = async (req: Request, res: Response) => {
+    if (req.isUserCompleted) {
+        return res.redirect(`${await getSiteURL()}/login/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+    }
+    
+    return res.redirect(`${await getSiteURL()}/signup/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+}
+
+/**
+ * Return organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSSOConfig = async (req: Request, res: Response) => {
+    const organizationId = req.query.organizationId as string;
+    
+    const data = await getSSOConfigHelper({
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    return res.status(200).send(data);
+}
+
+/**
+ * Update organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+    });
+    
+    interface PatchUpdate {
+        authProvider?: string;
+        isActive?: boolean;
+        encryptedEntryPoint?: string;
+        entryPointIV?: string;
+        entryPointTag?: string;
+        encryptedIssuer?: string;
+        issuerIV?: string;
+        issuerTag?: string;
+        encryptedCert?: string;
+        certIV?: string;
+        certTag?: string;
+    }
+    
+    const update: PatchUpdate = {};
+    
+    if (authProvider) {
+        update.authProvider = authProvider;
+    }
+    
+    if (isActive !== undefined) {
+        update.isActive = isActive;
+    }
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+    
+    if (entryPoint) {
+        const {
+            ciphertext: encryptedEntryPoint,
+            iv: entryPointIV,
+            tag: entryPointTag
+        } = client.encryptSymmetric(entryPoint, key);
+        
+        update.encryptedEntryPoint = encryptedEntryPoint;
+        update.entryPointIV = entryPointIV;
+        update.entryPointTag = entryPointTag;
+    }
+
+    if (issuer) {
+        const {
+            ciphertext: encryptedIssuer,
+            iv: issuerIV,
+            tag: issuerTag
+        } = client.encryptSymmetric(issuer, key);
+        
+        update.encryptedIssuer = encryptedIssuer;
+        update.issuerIV = issuerIV;
+        update.issuerTag = issuerTag;
+    }
+
+    if (cert) {
+        const {
+            ciphertext: encryptedCert,
+            iv: certIV,
+            tag: certTag
+        } = client.encryptSymmetric(cert, key);
+        
+        update.encryptedCert = encryptedCert;
+        update.certIV = certIV;
+        update.certTag = certTag;
+    }
+    
+    const ssoConfig = await SSOConfig.findOneAndUpdate(
+        {
+            organization: new Types.ObjectId(organizationId)
+        },
+        update,
+        {
+            new: true
+        }
+    );
+    
+    if (!ssoConfig) throw ResourceNotFoundError({
+        message: "Failed to find SSO config to update"
+    });
+    
+    if (update.isActive !== undefined) {
+        const membershipOrgs = await MembershipOrg.find({
+            organization: new Types.ObjectId(organizationId)
+        }).select("user");
+        
+        if (update.isActive) {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    authMethods: [ssoConfig.authProvider],
+                }
+            );
+        } else {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    authMethods: [AuthMethod.EMAIL],
+                }
+            );
+        }
+    }
+    
+    return res.status(200).send(ssoConfig);
+}
+
+/**
+ * Create organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert
+    } = req.body;
+
+    const plan = await EELicenseService.getPlan(new Types.ObjectId(organizationId));
+    
+    if (!plan.samlSSO) return res.status(400).send({
+        message: "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to add SSO configuration."
+    });
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+
+    const {
+        ciphertext: encryptedEntryPoint,
+        iv: entryPointIV,
+        tag: entryPointTag
+    } = client.encryptSymmetric(entryPoint, key);
+
+    const {
+        ciphertext: encryptedIssuer,
+        iv: issuerIV,
+        tag: issuerTag
+    } = client.encryptSymmetric(issuer, key);
+
+    const {
+        ciphertext: encryptedCert,
+        iv: certIV,
+        tag: certTag
+    } = client.encryptSymmetric(cert, key);
+    
+    const ssoConfig = await new SSOConfig({
+        organization: new Types.ObjectId(organizationId),
+        authProvider,
+        isActive,
+        encryptedEntryPoint,
+        entryPointIV,
+        entryPointTag,
+        encryptedIssuer,
+        issuerIV,
+        issuerTag,
+        encryptedCert,
+        certIV,
+        certTag
+    }).save();
+
+    return res.status(200).send(ssoConfig);
+}
--- a/backend/src/ee/controllers/v1/usersController.ts
+++ b/backend/src/ee/controllers/v1/usersController.ts
@ -0,0 +1,13 @@
+import { Request, Response } from "express";
+
+/**
+ * Return the ip address of the current user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMyIp = (req: Request, res: Response) => {
+    return res.status(200).send({
+        ip: req.authData.ipAddress
+    });
+}
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -1,18 +1,27 @@
 import { Request, Response } from "express";
 import { PipelineStage, Types } from "mongoose";
-import { Secret } from "../../../models";
+import { Membership, Secret, ServiceTokenData, User } from "../../../models";
 import {
+  ActorType,
+  AuditLog,
+  EventType,
  FolderVersion,
+  IPType,
  ISecretVersion,
  Log,
  SecretSnapshot,
  SecretVersion,
+  ServiceActor,
  TFolderRootVersionSchema,
+  TrustedIP,
+  UserActor
 } from "../../models";
 import { EESecretService } from "../../services";
 import { getLatestSecretVersionIds } from "../../helpers/secretVersion";
 import Folder, { TFolderSchema } from "../../../models/folder";
 import { searchByFolderId } from "../../../services/FolderService";
+import { EEAuditLogService, EELicenseService } from "../../services";
+import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";

 /**
 * Return secret snapshots for workspace with id [workspaceId]
@ -588,3 +597,295 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
    logs,
  });
 };
+
+/**
+ * Return audit logs for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ */
+export const getWorkspaceAuditLogs = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+  const eventType = req.query.eventType;
+  const userAgentType = req.query.userAgentType;
+  const actor = req.query.actor as string | undefined;
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
+  
+  const startDate = req.query.startDate as string;
+  const endDate = req.query.endDate as string;
+  
+  const query = {
+    workspace: new Types.ObjectId(workspaceId),
+    ...(eventType ? {
+        "event.type": eventType
+      } : {}),
+    ...(userAgentType ? {
+      userAgentType
+    } : {}),
+    ...(actor ? {
+      "actor.type": actor.split("-", 2)[0],
+      ...(actor.split("-", 2)[0] === ActorType.USER ? {
+        "actor.metadata.userId": actor.split("-", 2)[1]
+      } : {
+        "actor.metadata.serviceId": actor.split("-", 2)[1]
+      })
+    } : {}),
+    ...(startDate || endDate ? {
+      createdAt: {
+        ...(startDate && { $gte: new Date(startDate) }),
+        ...(endDate && { $lte: new Date(endDate) })
+      }
+    } : {})
+  }
+  
+  const auditLogs = await AuditLog.find(query)
+  .sort({ createdAt: -1 })
+  .skip(offset)
+  .limit(limit);
+
+  const totalCount = await AuditLog.countDocuments(query);
+  
+  return res.status(200).send({
+    auditLogs,
+    totalCount
+  });
+}
+
+/**
+ * Return audit log actor filter options for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ */
+export const getWorkspaceAuditLogActorFilterOpts = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+  
+  const userIds = await Membership.distinct("user", {
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  const userActors: UserActor[] = (await User.find({
+    _id: {
+      $in: userIds
+    }
+  })
+  .select("email"))
+  .map((user) => ({
+    type: ActorType.USER,
+    metadata: {
+      userId: user._id.toString(),
+      email: user.email
+    }
+  }));
+  
+  const serviceActors: ServiceActor[] = (await ServiceTokenData.find({
+    workspace: new Types.ObjectId(workspaceId)
+  })
+  .select("name"))
+  .map((serviceTokenData) => ({
+    type: ActorType.SERVICE,
+    metadata: {
+      serviceId: serviceTokenData._id.toString(),
+      name: serviceTokenData.name
+    }
+  }));
+
+  return res.status(200).send({
+    actors: [...userActors, ...serviceActors]
+  });
+}
+
+/**
+ * Return trusted ips for workspace with id [workspaceId]
+ * @param req
+ * @param res 
+ */
+export const getWorkspaceTrustedIps = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+
+  const trustedIps = await TrustedIP.find({
+    workspace: new Types.ObjectId(workspaceId)
+  });
+    
+  return res.status(200).send({
+    trustedIps
+  });
+}
+
+/**
+ * Add a trusted ip to workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const addWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId } = req.params;
+  const {
+    ipAddress: ip,
+    comment,
+    isActive
+  } = req.body;
+  
+  const plan = await EELicenseService.getPlan(req.workspace.organization);
+  
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to add IP access range due to plan restriction. Upgrade plan to add IP access range."
+  });
+  
+  const isValidIPOrCidr = isValidIpOrCidr(ip);
+  
+  if (!isValidIPOrCidr) return res.status(400).send({
+    message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+  });
+  
+  const { ipAddress, type, prefix } = extractIPDetails(ip);
+
+  const trustedIp = await new TrustedIP({
+    workspace: new Types.ObjectId(workspaceId),
+    ipAddress,
+    type,
+    prefix,
+    isActive,
+    comment,
+  }).save();
+  
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.ADD_TRUSTED_IP,
+      metadata: {
+        trustedIpId: trustedIp._id.toString(),
+        ipAddress: trustedIp.ipAddress,
+        prefix: trustedIp.prefix
+      }
+    },
+    {
+      workspaceId: trustedIp.workspace
+    }
+  );
+
+  return res.status(200).send({
+    trustedIp
+  });
+}
+
+/**
+ * Update trusted ip with id [trustedIpId] workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const updateWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId, trustedIpId } = req.params;
+  const {
+    ipAddress: ip,
+    comment
+  } = req.body;
+
+  const plan = await EELicenseService.getPlan(req.workspace.organization);
+
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to update IP access range due to plan restriction. Upgrade plan to update IP access range."
+  });
+
+  const isValidIPOrCidr = isValidIpOrCidr(ip);
+  
+  if (!isValidIPOrCidr) return res.status(400).send({
+    message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+  });
+  
+  const { ipAddress, type, prefix } = extractIPDetails(ip);
+
+  const updateObject: {
+    ipAddress: string;
+    type: IPType;
+    comment: string;
+    prefix?: number;
+    $unset?: {
+      prefix: number;
+    }
+  } = {
+    ipAddress,
+    type,
+    comment
+  };
+  
+  if (prefix !== undefined) {
+    updateObject.prefix = prefix;
+  } else {
+    updateObject.$unset = { prefix: 1 };
+  }
+  
+  const trustedIp = await TrustedIP.findOneAndUpdate(
+    {
+      _id: new Types.ObjectId(trustedIpId),
+      workspace: new Types.ObjectId(workspaceId),
+    },
+    updateObject,
+    {
+      new: true
+    }
+  );
+  
+  if (!trustedIp) return res.status(400).send({
+    message: "Failed to update trusted IP"
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.UPDATE_TRUSTED_IP,
+      metadata: {
+        trustedIpId: trustedIp._id.toString(),
+        ipAddress: trustedIp.ipAddress,
+        prefix: trustedIp.prefix
+      }
+    },
+    {
+      workspaceId: trustedIp.workspace
+    }
+  );
+  
+  return res.status(200).send({
+    trustedIp
+  });
+}
+
+/**
+ * Delete IP access range from workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const deleteWorkspaceTrustedIp = async (req: Request, res: Response) => {
+  const { workspaceId, trustedIpId } = req.params;
+
+  const plan = await EELicenseService.getPlan(req.workspace.organization);
+  
+  if (!plan.ipAllowlisting) return res.status(400).send({
+    message: "Failed to delete IP access range due to plan restriction. Upgrade plan to delete IP access range."
+  });
+  
+  const trustedIp = await TrustedIP.findOneAndDelete({
+    _id: new Types.ObjectId(trustedIpId),
+    workspace: new Types.ObjectId(workspaceId)
+  });
+  
+  if (!trustedIp) return res.status(400).send({
+    message: "Failed to delete trusted IP"
+  });
+
+  await EEAuditLogService.createAuditLog(
+    req.authData,
+    {
+      type: EventType.DELETE_TRUSTED_IP,
+      metadata: {
+        trustedIpId: trustedIp._id.toString(),
+        ipAddress: trustedIp.ipAddress,
+        prefix: trustedIp.prefix
+      }
+    },
+    {
+      workspaceId: trustedIp.workspace
+    }
+  );
+
+  return res.status(200).send({
+    trustedIp
+  });
+}
--- a/backend/src/ee/helpers/organizations.ts
+++ b/backend/src/ee/helpers/organizations.ts
@ -0,0 +1,64 @@
+import { Types } from "mongoose";
+import {
+    SSOConfig
+} from "../models";
+import {
+    BotOrgService
+} from "../../services";
+import { client } from "../../config";
+import { ValidationError } from "../../utils/errors";
+
+export const getSSOConfigHelper = async ({
+    organizationId,
+    ssoConfigId
+}: {
+    organizationId?: Types.ObjectId;
+    ssoConfigId?: Types.ObjectId;
+}) => {
+    
+    if (!organizationId && !ssoConfigId) throw ValidationError({
+        message: "Getting SSO data requires either id of organization or SSO data"
+    });
+    
+    const ssoConfig = await SSOConfig.findOne({
+        ...(organizationId ? { organization: organizationId } : {}),
+        ...(ssoConfigId ? { _id: ssoConfigId } : {})
+    });
+    
+    if (!ssoConfig) throw new Error("Failed to find organization SSO data");
+    
+    const key = await BotOrgService.getSymmetricKey(
+        ssoConfig.organization
+    );
+    
+    const entryPoint = client.decryptSymmetric(
+        ssoConfig.encryptedEntryPoint,
+        key,
+        ssoConfig.entryPointIV,
+        ssoConfig.entryPointTag
+    );
+
+    const issuer = client.decryptSymmetric(
+        ssoConfig.encryptedIssuer,
+        key,
+        ssoConfig.issuerIV,
+        ssoConfig.issuerTag
+    );
+
+    const cert = client.decryptSymmetric(
+        ssoConfig.encryptedCert,
+        key,
+        ssoConfig.certIV,
+        ssoConfig.certTag
+    );
+    
+    return ({
+        _id: ssoConfig._id,
+        organization: ssoConfig.organization,
+        authProvider: ssoConfig.authProvider,
+        isActive: ssoConfig.isActive,
+        entryPoint,
+        issuer,
+        cert
+    });
+}
--- a/backend/src/ee/middleware/index.ts
+++ b/backend/src/ee/middleware/index.ts
@ -1,7 +1,5 @@
-import requireLicenseAuth from "./requireLicenseAuth";
 import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";

 export {
-    requireLicenseAuth,
    requireSecretSnapshotAuth,
 }
--- a/backend/src/ee/middleware/requireLicenseAuth.ts
+++ b/backend/src/ee/middleware/requireLicenseAuth.ts
@ -1,23 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-
-/**
- * Validate if organization hosting meets license requirements to 
- * access a license-specific route.
- * @param {Object} obj
- * @param {String[]} obj.acceptedTiers
- */
-const requireLicenseAuth = ({
-    acceptedTiers,
-}: {
-    acceptedTiers: string[];
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-
-        } catch (err) {
-
-        }
-    }
-}
-
-export default requireLicenseAuth;
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -66,6 +66,4 @@ const actionSchema = new Schema<IAction>(
    }
 );

-const Action = model<IAction>("Action", actionSchema);
-
-export default Action;
+export const Action = model<IAction>("Action", actionSchema);
--- a/backend/src/ee/models/auditLog/auditLog.ts
+++ b/backend/src/ee/models/auditLog/auditLog.ts
@ -0,0 +1,76 @@
+import { Schema, Types, model } from "mongoose";
+import {
+    ActorType,
+    EventType,
+    UserAgentType
+} from "./enums";
+import {
+    Actor,
+    Event
+} from "./types";
+
+export interface IAuditLog {
+    actor: Actor;
+    organization: Types.ObjectId;
+    workspace: Types.ObjectId;
+    ipAddress: string;
+    event: Event;
+    userAgent: string;
+    userAgentType: UserAgentType;
+    expiresAt: Date;
+}
+
+const auditLogSchema = new Schema<IAuditLog>(
+    {
+        actor: {
+            type: {
+                type: String,
+                enum: ActorType,
+                required: true
+            },
+            metadata: {
+                type: Schema.Types.Mixed
+            }
+        },
+        organization: {
+            type: Schema.Types.ObjectId,
+            required: false
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            required: false
+        },
+        ipAddress: {
+            type: String,
+            required: true
+        },
+        event: {
+            type: {
+                type: String,
+                enum: EventType,
+                required: true
+            },
+            metadata: {
+                type: Schema.Types.Mixed
+            }
+        },
+        userAgent: {
+            type: String,
+            required: true
+        },
+        userAgentType: {
+            type: String,
+            enum: UserAgentType,
+            required: true
+        },
+        expiresAt: {
+            type: Date,
+            expires: 0
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const AuditLog = model<IAuditLog>("AuditLog", auditLogSchema); 
--- a/backend/src/ee/models/auditLog/enums.ts
+++ b/backend/src/ee/models/auditLog/enums.ts
@ -0,0 +1,47 @@
+export enum ActorType {
+    USER = "user",
+    SERVICE = "service"
+}
+
+export enum UserAgentType {
+    WEB = "web",
+    CLI = "cli",
+    K8_OPERATOR = "k8-operator",
+    OTHER = "other"
+}
+
+export enum EventType {
+    GET_SECRETS = "get-secrets",
+    GET_SECRET = "get-secret",
+    REVEAL_SECRET = "reveal-secret",
+    CREATE_SECRET = "create-secret",
+    UPDATE_SECRET = "update-secret",
+    DELETE_SECRET = "delete-secret",
+    GET_WORKSPACE_KEY = "get-workspace-key",
+    AUTHORIZE_INTEGRATION = "authorize-integration",
+    UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
+    CREATE_INTEGRATION = "create-integration",
+    DELETE_INTEGRATION = "delete-integration",
+    ADD_TRUSTED_IP = "add-trusted-ip",
+    UPDATE_TRUSTED_IP = "update-trusted-ip",
+    DELETE_TRUSTED_IP = "delete-trusted-ip",
+    CREATE_SERVICE_TOKEN = "create-service-token",
+    DELETE_SERVICE_TOKEN = "delete-service-token",
+    CREATE_ENVIRONMENT = "create-environment",
+    UPDATE_ENVIRONMENT = "update-environment",
+    DELETE_ENVIRONMENT = "delete-environment",
+    ADD_WORKSPACE_MEMBER = "add-workspace-member",
+    REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
+    CREATE_FOLDER = "create-folder",
+    UPDATE_FOLDER = "update-folder",
+    DELETE_FOLDER = "delete-folder",
+    CREATE_WEBHOOK = "create-webhook",
+    UPDATE_WEBHOOK_STATUS = "update-webhook-status",
+    DELETE_WEBHOOK = "delete-webhook",
+    GET_SECRET_IMPORTS = "get-secret-imports",
+    CREATE_SECRET_IMPORT = "create-secret-import",
+    UPDATE_SECRET_IMPORT = "update-secret-import",
+    DELETE_SECRET_IMPORT = "delete-secret-import",
+    UPDATE_USER_WORKSPACE_ROLE = "update-user-workspace-role",
+    UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions"
+}
--- a/backend/src/ee/models/auditLog/index.ts
+++ b/backend/src/ee/models/auditLog/index.ts
@ -0,0 +1,3 @@
+export * from "./auditLog";
+export * from "./enums";
+export * from "./types";
--- a/backend/src/ee/models/auditLog/types.ts
+++ b/backend/src/ee/models/auditLog/types.ts
@ -0,0 +1,403 @@
+import {
+    ActorType,
+    EventType
+} from "./enums";
+
+interface UserActorMetadata {
+    userId: string;
+    email: string;
+}
+
+interface ServiceActorMetadata {
+    serviceId: string;
+    name: string;
+}
+
+export interface UserActor {
+    type: ActorType.USER;
+    metadata: UserActorMetadata;
+}
+
+export interface ServiceActor {
+    type: ActorType.SERVICE;
+    metadata: ServiceActorMetadata;
+}
+
+export type Actor = 
+    | UserActor
+    | ServiceActor;
+
+interface GetSecretsEvent {
+    type: EventType.GET_SECRETS;
+    metadata: {
+        environment: string;
+        secretPath: string;
+        numberOfSecrets: number;
+    };
+}
+
+interface GetSecretEvent {
+    type: EventType.GET_SECRET;
+    metadata: {
+        environment: string;
+        secretPath: string;
+        secretId: string;
+        secretKey: string;
+        secretVersion: number;
+    };
+}
+
+interface CreateSecretEvent {
+    type: EventType.CREATE_SECRET;
+    metadata: {
+        environment: string;
+        secretPath: string;
+        secretId: string;
+        secretKey: string;
+        secretVersion: number;
+    }
+}
+
+interface UpdateSecretEvent {
+    type: EventType.UPDATE_SECRET;
+    metadata: {
+        environment: string;
+        secretPath: string;
+        secretId: string;
+        secretKey: string;
+        secretVersion: number;
+    }
+}
+
+interface DeleteSecretEvent {
+    type: EventType.DELETE_SECRET;
+    metadata: {
+        environment: string;
+        secretPath: string;
+        secretId: string;
+        secretKey: string;
+        secretVersion: number;
+    }
+}
+
+interface GetWorkspaceKeyEvent {
+    type: EventType.GET_WORKSPACE_KEY,
+    metadata: {
+        keyId: string;
+    }
+}
+
+interface AuthorizeIntegrationEvent {
+    type: EventType.AUTHORIZE_INTEGRATION;
+    metadata: {
+        integration: string;
+    }
+}
+
+interface UnauthorizeIntegrationEvent {
+    type: EventType.UNAUTHORIZE_INTEGRATION;
+    metadata: {
+        integration: string;
+    }
+}
+
+interface CreateIntegrationEvent {
+    type: EventType.CREATE_INTEGRATION;
+    metadata: {
+        integrationId: string;
+        integration: string; // TODO: fix type
+        environment: string;
+        secretPath: string;
+        url?: string;
+        app?: string;
+        appId?: string;
+        targetEnvironment?: string;
+        targetEnvironmentId?: string;
+        targetService?: string;
+        targetServiceId?: string;
+        path?: string;
+        region?: string;
+    }
+}
+
+interface DeleteIntegrationEvent {
+    type: EventType.DELETE_INTEGRATION;
+    metadata: {
+        integrationId: string;
+        integration: string; // TODO: fix type
+        environment: string;
+        secretPath: string;
+        url?: string;
+        app?: string;
+        appId?: string;
+        targetEnvironment?: string;
+        targetEnvironmentId?: string;
+        targetService?: string;
+        targetServiceId?: string;
+        path?: string;
+        region?: string;
+    }
+}
+
+interface AddTrustedIPEvent {
+    type: EventType.ADD_TRUSTED_IP;
+    metadata: {
+        trustedIpId: string;
+        ipAddress: string;
+        prefix?: number;
+    }
+}
+
+interface UpdateTrustedIPEvent {
+    type: EventType.UPDATE_TRUSTED_IP;
+    metadata: {
+        trustedIpId: string;
+        ipAddress: string;
+        prefix?: number;
+    }
+}
+
+interface DeleteTrustedIPEvent {
+    type: EventType.DELETE_TRUSTED_IP;
+    metadata: {
+        trustedIpId: string;
+        ipAddress: string;
+        prefix?: number;
+    }
+}
+
+interface CreateServiceTokenEvent {
+    type: EventType.CREATE_SERVICE_TOKEN;
+    metadata: {
+        name: string;
+        scopes: Array<{
+            environment: string;
+            secretPath: string;
+        }>;
+    }
+}
+
+interface DeleteServiceTokenEvent {
+    type: EventType.DELETE_SERVICE_TOKEN;
+    metadata: {
+        name: string;
+        scopes: Array<{
+            environment: string;
+            secretPath: string;
+        }>;
+    }
+}
+
+interface CreateEnvironmentEvent {
+    type: EventType.CREATE_ENVIRONMENT;
+    metadata: {
+        name: string;
+        slug: string;
+    }
+}
+
+interface UpdateEnvironmentEvent {
+    type: EventType.UPDATE_ENVIRONMENT;
+    metadata: {
+        oldName: string;
+        newName: string;
+        oldSlug: string;
+        newSlug: string;
+    }
+}
+
+interface DeleteEnvironmentEvent {
+    type: EventType.DELETE_ENVIRONMENT;
+    metadata: {
+        name: string;
+        slug: string;
+    }
+}
+
+interface AddWorkspaceMemberEvent {
+    type: EventType.ADD_WORKSPACE_MEMBER;
+    metadata: {
+        userId: string;
+        email: string;
+    }
+}
+
+interface RemoveWorkspaceMemberEvent {
+    type: EventType.REMOVE_WORKSPACE_MEMBER;
+    metadata: {
+        userId: string;
+        email: string;
+    }
+}
+
+interface CreateFolderEvent {
+    type: EventType.CREATE_FOLDER;
+    metadata: {
+        environment: string;
+        folderId: string;
+        folderName: string;
+        folderPath: string;
+    }
+}
+
+interface UpdateFolderEvent {
+    type: EventType.UPDATE_FOLDER;
+    metadata: {
+        environment: string;
+        folderId: string;
+        oldFolderName: string;
+        newFolderName: string;
+        folderPath: string;
+    }
+}
+
+interface DeleteFolderEvent {
+    type: EventType.DELETE_FOLDER;
+    metadata: {
+        environment: string;
+        folderId: string;
+        folderName: string;
+        folderPath: string;
+    }
+}
+
+interface CreateWebhookEvent {
+    type: EventType.CREATE_WEBHOOK,
+    metadata: {
+        webhookId: string;
+        environment: string;
+        secretPath: string;
+        webhookUrl: string;
+        isDisabled: boolean;
+    }
+}
+
+interface UpdateWebhookStatusEvent {
+    type: EventType.UPDATE_WEBHOOK_STATUS,
+    metadata: {
+        webhookId: string;
+        environment: string;
+        secretPath: string;
+        webhookUrl: string;
+        isDisabled: boolean;
+    }
+}
+
+interface DeleteWebhookEvent {
+    type: EventType.DELETE_WEBHOOK,
+    metadata: {
+        webhookId: string;
+        environment: string;
+        secretPath: string;
+        webhookUrl: string;
+        isDisabled: boolean;
+    }
+}
+
+interface GetSecretImportsEvent {
+    type: EventType.GET_SECRET_IMPORTS,
+    metadata: {
+        environment: string;
+        secretImportId: string;
+        folderId: string;
+        numberOfImports: number;
+    }
+}
+
+interface CreateSecretImportEvent {
+    type: EventType.CREATE_SECRET_IMPORT,
+    metadata: {
+        secretImportId: string;
+        folderId: string;
+        importFromEnvironment: string;
+        importFromSecretPath: string;
+        importToEnvironment: string;
+        importToSecretPath: string;
+    }
+}
+
+interface UpdateSecretImportEvent {
+    type: EventType.UPDATE_SECRET_IMPORT,
+    metadata: {
+        secretImportId: string;
+        folderId: string;
+        importToEnvironment: string;
+        importToSecretPath: string;
+        orderBefore: {
+          environment: string;
+          secretPath: string;
+        }[],
+        orderAfter: {
+          environment: string;
+          secretPath: string;
+        }[]
+    }
+}
+
+interface DeleteSecretImportEvent {
+    type: EventType.DELETE_SECRET_IMPORT,
+    metadata: {
+        secretImportId: string;
+        folderId: string;
+        importFromEnvironment: string;
+        importFromSecretPath: string;
+        importToEnvironment: string;
+        importToSecretPath: string;
+    }
+}
+
+interface UpdateUserRole {
+    type: EventType.UPDATE_USER_WORKSPACE_ROLE,
+    metadata: {
+        userId: string;
+        email: string;
+        oldRole: string;
+        newRole: string;
+    }
+}
+
+interface UpdateUserDeniedPermissions {
+    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
+    metadata: {
+        userId: string;
+        email: string;
+        deniedPermissions: {
+            environmentSlug: string;
+            ability: string;
+        }[]
+    }
+}
+
+export type Event = 
+    | GetSecretsEvent
+    | GetSecretEvent
+    | CreateSecretEvent
+    | UpdateSecretEvent
+    | DeleteSecretEvent
+    | GetWorkspaceKeyEvent
+    | AuthorizeIntegrationEvent
+    | UnauthorizeIntegrationEvent
+    | CreateIntegrationEvent
+    | DeleteIntegrationEvent
+    | AddTrustedIPEvent
+    | UpdateTrustedIPEvent
+    | DeleteTrustedIPEvent
+    | CreateServiceTokenEvent
+    | DeleteServiceTokenEvent
+    | CreateEnvironmentEvent
+    | UpdateEnvironmentEvent
+    | DeleteEnvironmentEvent
+    | AddWorkspaceMemberEvent
+    | RemoveWorkspaceMemberEvent
+    | CreateFolderEvent
+    | UpdateFolderEvent
+    | DeleteFolderEvent
+    | CreateWebhookEvent
+    | UpdateWebhookStatusEvent
+    | DeleteWebhookEvent
+    | GetSecretImportsEvent
+    | CreateSecretImportEvent
+    | UpdateSecretImportEvent
+    | DeleteSecretImportEvent
+    | UpdateUserRole
+    | UpdateUserDeniedPermissions;
--- a/backend/src/ee/models/folderVersion.ts
+++ b/backend/src/ee/models/folderVersion.ts
@ -52,9 +52,7 @@ const folderRootVersionSchema = new Schema<TFolderRootVersionSchema>(
  }
 );

-const FolderVersion = model<TFolderRootVersionSchema>(
+export const FolderVersion = model<TFolderRootVersionSchema>(
  "FolderVersion",
  folderRootVersionSchema
-);
-
-export default FolderVersion;
+);
--- a/backend/src/ee/models/gitAppInstallationSession.ts
+++ b/backend/src/ee/models/gitAppInstallationSession.ts
@ -0,0 +1,34 @@
+import { Schema, Types, model } from "mongoose";
+
+type GitAppInstallationSession = {
+  id: string;
+  sessionId: string;
+  organization: Types.ObjectId;
+  user: Types.ObjectId;
+}
+
+const gitAppInstallationSession = new Schema<GitAppInstallationSession>({
+  id: {
+    required: true,
+    type: String,
+  },
+  sessionId: {
+    type: String,
+    required: true,
+    unique: true
+  },
+  organization: {
+    type: Schema.Types.ObjectId,
+    required: true,
+    unique: true
+  },
+  user: {
+    type: Schema.Types.ObjectId,
+    ref: "User"
+  }
+});
+
+
+const GitAppInstallationSession = model<GitAppInstallationSession>("git_app_installation_session", gitAppInstallationSession);
+
+export default GitAppInstallationSession;
--- a/backend/src/ee/models/gitAppOrganizationInstallation.ts
+++ b/backend/src/ee/models/gitAppOrganizationInstallation.ts
@ -0,0 +1,31 @@
+import { Schema, model } from "mongoose";
+
+type Installation = {
+  installationId: string
+  organizationId: string
+  user: Schema.Types.ObjectId
+};
+
+
+const gitAppOrganizationInstallation = new Schema<Installation>({
+  installationId: {
+    type: String,
+    required: true,
+    unique: true
+  },
+  organizationId: {
+    type: String,
+    required: true,
+    unique: true
+  },
+  user: {
+    type: Schema.Types.ObjectId,
+    ref: "User",
+    required: true,
+  }
+});
+
+
+const GitAppOrganizationInstallation = model<Installation>("git_app_organization_installation", gitAppOrganizationInstallation);
+
+export default GitAppOrganizationInstallation;
--- a/backend/src/ee/models/gitRisks.ts
+++ b/backend/src/ee/models/gitRisks.ts
@ -0,0 +1,152 @@
+import { Schema, model } from "mongoose";
+
+export const STATUS_RESOLVED_FALSE_POSITIVE = "RESOLVED_FALSE_POSITIVE";
+export const STATUS_RESOLVED_REVOKED = "RESOLVED_REVOKED";
+export const STATUS_RESOLVED_NOT_REVOKED = "RESOLVED_NOT_REVOKED";
+export const STATUS_UNRESOLVED = "UNRESOLVED";
+
+export type GitRisks = {
+  id: string;
+  description: string;
+  startLine: string;
+  endLine: string;
+  startColumn: string;
+  endColumn: string;
+  match: string;
+  secret: string;
+  file: string;
+  symlinkFile: string;
+  commit: string;
+  entropy: string;
+  author: string;
+  email: string;
+  date: string;
+  message: string;
+  tags: string[];
+  ruleID: string;
+  fingerprint: string;
+  fingerPrintWithoutCommitId: string
+
+  isFalsePositive: boolean; // New field for marking risks as false positives
+  isResolved: boolean; // New field for marking risks as resolved
+  riskOwner: string | null; // New field for setting a risk owner (nullable string)
+  installationId: string,
+  repositoryId: string,
+  repositoryLink: string
+  repositoryFullName: string
+  status: string
+  pusher: {
+    name: string,
+    email: string
+  },
+  organization: Schema.Types.ObjectId,
+}
+
+const gitRisks = new Schema<GitRisks>({
+  id: {
+    type: String,
+  },
+  description: {
+    type: String,
+  },
+  startLine: {
+    type: String,
+  },
+  endLine: {
+    type: String,
+  },
+  startColumn: {
+    type: String,
+  },
+  endColumn: {
+    type: String,
+  },
+  file: {
+    type: String,
+  },
+  symlinkFile: {
+    type: String,
+  },
+  commit: {
+    type: String,
+  },
+  entropy: {
+    type: String,
+  },
+  author: {
+    type: String,
+  },
+  email: {
+    type: String,
+  },
+  date: {
+    type: String,
+  },
+  message: {
+    type: String,
+  },
+  tags: {
+    type: [String],
+  },
+  ruleID: {
+    type: String,
+  },
+  fingerprint: {
+    type: String,
+    unique: true
+  },
+  fingerPrintWithoutCommitId: {
+    type: String,
+  },
+  isFalsePositive: {
+    type: Boolean,
+    default: false
+  },
+  isResolved: {
+    type: Boolean,
+    default: false
+  },
+  riskOwner: {
+    type: String,
+    default: null
+  },
+  installationId: {
+    type: String,
+    require: true
+  },
+  repositoryId: {
+    type: String
+  },
+  repositoryLink: {
+    type: String
+  },
+  repositoryFullName: {
+    type: String
+  },
+  pusher: {
+    name: {
+      type: String
+    },
+    email: {
+      type: String
+    },
+  },
+  organization: {
+    type: Schema.Types.ObjectId,
+    ref: "Organization",
+  },
+  status: {
+    type: String,
+    enum: [
+      STATUS_RESOLVED_FALSE_POSITIVE,
+      STATUS_RESOLVED_REVOKED,
+      STATUS_RESOLVED_NOT_REVOKED,
+      STATUS_UNRESOLVED
+    ],
+    default: STATUS_UNRESOLVED
+  }
+}, { timestamps: true });
+
+const GitRisks = model<GitRisks>("GitRisks", gitRisks);
+
+export default GitRisks;
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -1,18 +1,11 @@
-import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
-import SecretVersion, { ISecretVersion } from "./secretVersion";
-import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
-import Log, { ILog } from "./log";
-import Action, { IAction } from "./action";
-
-export {
-  SecretSnapshot,
-  ISecretSnapshot,
-  SecretVersion,
-  ISecretVersion,
-  FolderVersion,
-  TFolderRootVersionSchema,
-  Log,
-  ILog,
-  Action,
-  IAction,
-};
+export * from "./secretSnapshot";
+export * from "./secretVersion";
+export * from "./folderVersion";
+export * from "./log";
+export * from "./action";
+export * from "./ssoConfig";
+export * from "./trustedIp";
+export * from "./auditLog";
+export * from  "./gitRisks";
+export * from  "./gitAppOrganizationInstallation";
+export * from  "./gitAppInstallationSession";
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -63,11 +63,10 @@ const logSchema = new Schema<ILog>(
        ipAddress: {
            type: String,
        },
-    }, {
-    timestamps: true,
-}
+    }, 
+    {
+        timestamps: true,
+    }
 );

-const Log = model<ILog>("Log", logSchema);
-
-export default Log;
+export const Log = model<ILog>("Log", logSchema);
--- a/backend/src/ee/models/secretSnapshot.ts
+++ b/backend/src/ee/models/secretSnapshot.ts
@ -46,9 +46,7 @@ const secretSnapshotSchema = new Schema<ISecretSnapshot>(
  }
 );

-const SecretSnapshot = model<ISecretSnapshot>(
+export const SecretSnapshot = model<ISecretSnapshot>(
  "SecretSnapshot",
  secretSnapshotSchema
-);
-
-export default SecretSnapshot;
+);
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -117,16 +117,14 @@ const secretVersionSchema = new Schema<ISecretVersion>(
      ref: "Tag",
      type: [Schema.Types.ObjectId],
      default: [],
-    },
+    }
  },
  {
    timestamps: true,
  }
 );

-const SecretVersion = model<ISecretVersion>(
+export const SecretVersion = model<ISecretVersion>(
  "SecretVersion",
  secretVersionSchema
-);
-
-export default SecretVersion;
+);
--- a/backend/src/ee/models/ssoConfig.ts
+++ b/backend/src/ee/models/ssoConfig.ts
@ -0,0 +1,72 @@
+import { Schema, Types, model } from "mongoose";
+
+export enum AuthProvider {
+    OKTA_SAML = "okta-saml",
+    AZURE_SAML = "azure-saml",
+    JUMPCLOUD_SAML = "jumpcloud-saml"
+}
+
+export interface ISSOConfig {
+    organization: Types.ObjectId;
+    authProvider: AuthProvider;
+    isActive: boolean;
+    encryptedEntryPoint: string;
+    entryPointIV: string;
+    entryPointTag: string;
+    encryptedIssuer: string;
+    issuerIV: string;
+    issuerTag: string;
+    encryptedCert: string;
+    certIV: string;
+    certTag: string;
+}
+
+const ssoConfigSchema = new Schema<ISSOConfig>(
+    {
+        organization: {
+            type: Schema.Types.ObjectId,
+            ref: "Organization"
+        },
+        authProvider: {
+            type: String,
+            enum: AuthProvider,
+            required: true
+        },
+        isActive: {
+            type: Boolean,
+            required: true
+        },
+        encryptedEntryPoint: {
+            type: String
+        },
+        entryPointIV: {
+            type: String
+        },
+        entryPointTag: {
+            type: String
+        },
+        encryptedIssuer: {
+            type: String
+        },
+        issuerIV: {
+            type: String
+        },
+        issuerTag: {
+            type: String
+        },
+        encryptedCert: {
+            type: String
+        },
+        certIV: {
+            type: String
+        },
+        certTag: {
+            type: String
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const SSOConfig = model<ISSOConfig>("SSOConfig", ssoConfigSchema);
--- a/backend/src/ee/models/trustedIp.ts
+++ b/backend/src/ee/models/trustedIp.ts
@ -0,0 +1,54 @@
+import { Schema, Types, model } from "mongoose";
+
+export enum IPType {
+    IPV4 = "ipv4",
+    IPV6 = "ipv6"
+}
+
+export interface ITrustedIP {
+    _id: Types.ObjectId;
+    workspace: Types.ObjectId;
+    ipAddress: string;
+    type: "ipv4" | "ipv6", // either IPv4/IPv6 address or network IPv4/IPv6 address
+    isActive: boolean;
+    comment: string;
+    prefix?: number; // CIDR
+}
+
+const trustedIpSchema = new Schema<ITrustedIP>(
+    {
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: "Workspace",
+            required: true
+        },
+        ipAddress: {
+            type: String,
+            required: true
+        },
+        type: {
+            type: String,
+            enum: [
+                IPType.IPV4,
+                IPType.IPV6
+            ],
+            required: true
+        },
+        prefix: {
+            type: Number,
+            required: false
+        },
+        isActive: {
+            type: Boolean,
+            required: true
+        },
+        comment: {
+            type: String
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+export const TrustedIP = model<ITrustedIP>("TrustedIP", trustedIpSchema);
--- a/backend/src/ee/routes/v1/cloudProducts.ts
+++ b/backend/src/ee/routes/v1/cloudProducts.ts
@ -6,11 +6,12 @@ import {
 } from "../../../middleware";
 import { query } from "express-validator";
 import { cloudProductsController } from "../../controllers/v1";
+import { AuthMode } from "../../../variables";

 router.get(
    "/",
    requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
+		acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
 	}),
    query("billing-cycle").exists().isIn(["monthly", "yearly"]),
    validateRequest,
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,15 +1,21 @@
 import secret from "./secret";
 import secretSnapshot from "./secretSnapshot";
 import organizations from "./organizations";
+import sso from "./sso";
+import users from "./users";
 import workspace from "./workspace";
 import action from "./action";
 import cloudProducts from "./cloudProducts";
+import secretScanning from "./secretScanning";

 export {
    secret,
    secretSnapshot,
    organizations,
+    sso,
+    users,
    workspace,
    action,
    cloudProducts,
+    secretScanning
 }
--- a/backend/src/ee/routes/v1/organizations.ts
+++ b/backend/src/ee/routes/v1/organizations.ts
@ -8,13 +8,13 @@ import {
 import { body, param, query } from "express-validator";
 import { organizationsController } from "../../controllers/v1";
 import {
-    ACCEPTED, ADMIN, MEMBER, OWNER,
+    ACCEPTED, ADMIN, AuthMode, MEMBER, OWNER
 } from "../../../variables";

 router.get(
    "/:organizationId/plans/table",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -29,7 +29,7 @@ router.get(
 router.get(
    "/:organizationId/plan",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -44,7 +44,7 @@ router.get(
 router.post(
    "/:organizationId/session/trial",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -59,7 +59,7 @@ router.post(
 router.get(
    "/:organizationId/plan/billing",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -74,7 +74,7 @@ router.get(
 router.get(
    "/:organizationId/plan/table",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -89,7 +89,7 @@ router.get(
 router.get(
    "/:organizationId/billing-details",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -103,7 +103,7 @@ router.get(
 router.patch(
    "/:organizationId/billing-details",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -119,7 +119,7 @@ router.patch(
 router.get(
    "/:organizationId/billing-details/payment-methods",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -133,7 +133,7 @@ router.get(
 router.post(
    "/:organizationId/billing-details/payment-methods",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -149,7 +149,7 @@ router.post(
 router.delete(
    "/:organizationId/billing-details/payment-methods/:pmtMethodId",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -164,7 +164,7 @@ router.delete(
 router.get(
    "/:organizationId/billing-details/tax-ids",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -178,7 +178,7 @@ router.get(
 router.post(
    "/:organizationId/billing-details/tax-ids",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -194,7 +194,7 @@ router.post(
 router.delete(
    "/:organizationId/billing-details/tax-ids/:taxId",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -209,7 +209,7 @@ router.delete(
 router.get(
    "/:organizationId/invoices",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireOrganizationAuth({
        acceptedRoles: [OWNER, ADMIN, MEMBER],
@ -220,4 +220,18 @@ router.get(
    organizationsController.getOrganizationInvoices
 );

+router.get(
+    "/:organizationId/licenses",
+    requireAuth({
+		acceptedAuthModes: [AuthMode.JWT],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationLicenses
+);
+
 export default router;
--- a/backend/src/ee/routes/v1/secret.ts
+++ b/backend/src/ee/routes/v1/secret.ts
@ -9,15 +9,16 @@ import { body, param, query } from "express-validator";
 import { secretController } from "../../controllers/v1";
 import {
 	ADMIN, 
+	AuthMode,
 	MEMBER,
 	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS,
+	PERMISSION_WRITE_SECRETS
 } from "../../../variables";

 router.get(
 	"/:secretId/secret-versions",
 	requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
+		acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
@ -33,7 +34,7 @@ router.get(
 router.post(
 	"/:secretId/secret-versions/rollback",
 	requireAuth({
-		acceptedAuthModes: ["jwt", "apiKey"],
+		acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
--- a/backend/src/ee/routes/v1/secretScanning.ts
+++ b/backend/src/ee/routes/v1/secretScanning.ts
@ -0,0 +1,81 @@
+import express from "express";
+const router = express.Router();
+import {
+  requireAuth,
+  requireOrganizationAuth,
+  validateRequest,
+} from "../../../middleware";
+import { body, param } from "express-validator";
+import { createInstallationSession, getCurrentOrganizationInstallationStatus, getRisksForOrganization, linkInstallationToOrganization, updateRisksStatus } from "../../../controllers/v1/secretScanningController";
+import { ACCEPTED, ADMIN, AuthMode, MEMBER, OWNER } from "../../../variables";
+
+router.post(
+  "/create-installation-session/organization/:organizationId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT],
+  }),
+  param("organizationId").exists().trim(),
+  requireOrganizationAuth({
+    acceptedRoles: [OWNER, ADMIN, MEMBER],
+    acceptedStatuses: [ACCEPTED],
+  }),
+  validateRequest,
+  createInstallationSession
+);
+
+router.post(
+  "/link-installation",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT],
+  }),
+  body("installationId").exists().trim(),
+  body("sessionId").exists().trim(),
+  validateRequest,
+  linkInstallationToOrganization
+);
+
+router.get(
+  "/installation-status/organization/:organizationId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT],
+  }),
+  param("organizationId").exists().trim(),
+  requireOrganizationAuth({
+    acceptedRoles: [OWNER, ADMIN, MEMBER],
+    acceptedStatuses: [ACCEPTED],
+  }),
+  validateRequest,
+  getCurrentOrganizationInstallationStatus
+);
+
+router.get(
+  "/organization/:organizationId/risks",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT],
+  }),
+  param("organizationId").exists().trim(),
+  requireOrganizationAuth({
+    acceptedRoles: [OWNER, ADMIN, MEMBER],
+    acceptedStatuses: [ACCEPTED],
+  }),
+  validateRequest,
+  getRisksForOrganization
+);
+
+router.post(
+  "/organization/:organizationId/risks/:riskId/status",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT],
+  }),
+  param("organizationId").exists().trim(),
+  param("riskId").exists().trim(),
+  body("status").exists(),
+  requireOrganizationAuth({
+    acceptedRoles: [OWNER, ADMIN, MEMBER],
+    acceptedStatuses: [ACCEPTED],
+  }),
+  validateRequest,
+  updateRisksStatus
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretSnapshot.ts
+++ b/backend/src/ee/routes/v1/secretSnapshot.ts
@ -8,13 +8,13 @@ import {
    validateRequest,
 } from "../../../middleware";
 import { param } from "express-validator";
-import { ADMIN, MEMBER } from "../../../variables";
+import { ADMIN, AuthMode, MEMBER } from "../../../variables";
 import { secretSnapshotController } from "../../controllers/v1";

 router.get(
    "/:secretSnapshotId",
    requireAuth({
-		acceptedAuthModes: ["jwt"],
+		acceptedAuthModes: [AuthMode.JWT],
 	}),
    requireSecretSnapshotAuth({
        acceptedRoles: [ADMIN, MEMBER],
--- a/backend/src/ee/routes/v1/sso.ts
+++ b/backend/src/ee/routes/v1/sso.ts
@ -0,0 +1,146 @@
+import express from "express";
+const router = express.Router();
+import passport from "passport";
+import {
+  AuthProvider
+} from "../../models";
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest,
+} from "../../../middleware";
+import { body, query } from "express-validator";
+import { ssoController } from "../../controllers/v1";
+import { authLimiter } from "../../../helpers/rateLimiter";
+import {
+    ACCEPTED,
+    ADMIN,
+    AuthMode,
+    OWNER
+} from "../../../variables";
+
+router.get(
+  "/redirect/google",
+  authLimiter,
+  (req, res, next) => {
+    passport.authenticate("google", {
+      scope: ["profile", "email"],
+      session: false,
+      ...(req.query.callback_port ? {
+        state: req.query.callback_port as string
+      } : {})
+    })(req, res, next);
+  }
+);
+
+router.get(
+  "/google",
+  passport.authenticate("google", { 
+    failureRedirect: "/login/provider/error", 
+    session: false 
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+  "/redirect/github",
+  authLimiter,
+  (req, res, next) => {
+    passport.authenticate("github", {
+      session: false,
+      ...(req.query.callback_port ? {
+        state: req.query.callback_port as string
+      } : {})
+    })(req, res, next);
+  }
+);
+
+router.get(
+  "/github",
+  authLimiter,
+  passport.authenticate("github", { 
+    failureRedirect: "/login/provider/error", 
+    session: false 
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+  "/redirect/saml2/:ssoIdentifier",
+  authLimiter,
+  (req, res, next) => {
+    const options = {
+        failureRedirect: "/",
+        additionalParams: {
+          RelayState: req.query.callback_port ?? ""
+        },
+    };
+    passport.authenticate("saml", options)(req, res, next);
+  }
+);
+
+router.post("/saml2/:ssoIdentifier",
+  passport.authenticate("saml", { 
+    failureRedirect: "/login/provider/error", 
+    failureFlash: true, 
+    session: false
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: [AuthMode.JWT],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "query"
+    }),
+    query("organizationId").exists().trim(),
+    validateRequest,
+    ssoController.getSSOConfig
+);
+
+router.post(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: [AuthMode.JWT],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").exists().isString().isIn([AuthProvider.OKTA_SAML]),
+    body("isActive").exists().isBoolean(),
+    body("entryPoint").exists().isString(),
+    body("issuer").exists().isString(),
+    body("cert").exists().isString(),
+    validateRequest,
+    ssoController.createSSOConfig
+);
+
+router.patch(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: [AuthMode.JWT],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").optional().isString(),
+    body("isActive").optional().isBoolean(),
+    body("entryPoint").optional().isString(),
+    body("issuer").optional().isString(),
+    body("cert").optional().isString(),
+    validateRequest,
+    ssoController.updateSSOConfig
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/users.ts
+++ b/backend/src/ee/routes/v1/users.ts
@ -0,0 +1,17 @@
+import express from "express";
+const router = express.Router();
+import {
+    requireAuth
+} from "../../../middleware";
+import { AuthMode } from "../../../variables";
+import { usersController } from "../../controllers/v1";
+
+router.get(
+    "/me/ip",
+    requireAuth({
+        acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
+    }),
+    usersController.getMyIp
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -6,13 +6,18 @@ import {
  validateRequest,
 } from "../../../middleware";
 import { body, param, query } from "express-validator";
-import { ADMIN, MEMBER } from "../../../variables";
+import {
+  ADMIN, 
+  AuthMode,
+  MEMBER
+} from "../../../variables";
 import { workspaceController } from "../../controllers/v1";
+import { EventType, UserAgentType } from "../../models";

 router.get(
  "/:workspaceId/secret-snapshots",
  requireAuth({
-    acceptedAuthModes: ["jwt", "apiKey"],
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
  }),
  requireWorkspaceAuth({
    acceptedRoles: [ADMIN, MEMBER],
@ -30,7 +35,7 @@ router.get(
 router.get(
  "/:workspaceId/secret-snapshots/count",
  requireAuth({
-    acceptedAuthModes: ["jwt"],
+    acceptedAuthModes: [AuthMode.JWT],
  }),
  requireWorkspaceAuth({
    acceptedRoles: [ADMIN, MEMBER],
@ -46,7 +51,7 @@ router.get(
 router.post(
  "/:workspaceId/secret-snapshots/rollback",
  requireAuth({
-    acceptedAuthModes: ["jwt", "apiKey"],
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
  }),
  requireWorkspaceAuth({
    acceptedRoles: [ADMIN, MEMBER],
@ -63,7 +68,7 @@ router.post(
 router.get(
  "/:workspaceId/logs",
  requireAuth({
-    acceptedAuthModes: ["jwt", "apiKey"],
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
  }),
  requireWorkspaceAuth({
    acceptedRoles: [ADMIN, MEMBER],
@ -79,4 +84,101 @@ router.get(
  workspaceController.getWorkspaceLogs
 );

+router.get(
+  "/:workspaceId/audit-logs",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  query("eventType").isString().isIn(Object.values(EventType)).optional({ nullable: true }),
+  query("userAgentType").isString().isIn(Object.values(UserAgentType)).optional({ nullable: true }),
+  query("actor").optional({ nullable: true }),
+  query("startDate").isISO8601().withMessage("Invalid start date format").optional({ nullable: true }),
+  query("endDate").isISO8601().withMessage("Invalid end date format").optional({ nullable: true }),
+  query("offset"),
+  query("limit"),
+  validateRequest,
+  workspaceController.getWorkspaceAuditLogs
+);
+
+router.get(
+  "/:workspaceId/audit-logs/filters/actors",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "params",
+  }),
+  param("workspaceId").exists().trim(),
+  validateRequest,
+  workspaceController.getWorkspaceAuditLogActorFilterOpts
+);
+
+router.get(
+  "/:workspaceId/trusted-ips",
+  param("workspaceId").exists().isString().trim(),
+  requireAuth({
+      acceptedAuthModes: [AuthMode.JWT],
+  }),
+  requireWorkspaceAuth({
+      acceptedRoles: [ADMIN, MEMBER],
+      locationWorkspaceId: "params",
+  }),
+  workspaceController.getWorkspaceTrustedIps
+);
+
+router.post(
+  "/:workspaceId/trusted-ips",
+  param("workspaceId").exists().isString().trim(),
+  body("ipAddress").exists().isString().trim(),
+  body("comment").default("").isString().trim(),
+  body("isActive").exists().isBoolean(),
+  validateRequest,
+  requireAuth({
+      acceptedAuthModes: [AuthMode.JWT],
+  }),
+  requireWorkspaceAuth({
+      acceptedRoles: [ADMIN],
+      locationWorkspaceId: "params",
+  }),
+  workspaceController.addWorkspaceTrustedIp
+);
+
+router.patch(
+  "/:workspaceId/trusted-ips/:trustedIpId",
+  param("workspaceId").exists().isString().trim(),
+  param("trustedIpId").exists().isString().trim(),
+  body("ipAddress").isString().trim().default(""),
+  body("comment").default("").isString().trim(),
+  validateRequest,
+  requireAuth({
+      acceptedAuthModes: [AuthMode.JWT],
+  }),
+  requireWorkspaceAuth({
+      acceptedRoles: [ADMIN],
+      locationWorkspaceId: "params",
+  }),
+  workspaceController.updateWorkspaceTrustedIp
+);
+
+router.delete(
+  "/:workspaceId/trusted-ips/:trustedIpId",
+  param("workspaceId").exists().isString().trim(),
+  param("trustedIpId").exists().isString().trim(),
+  validateRequest,
+  requireAuth({
+      acceptedAuthModes: [AuthMode.JWT],
+  }),
+  requireWorkspaceAuth({
+      acceptedRoles: [ADMIN],
+      locationWorkspaceId: "params",
+  }),
+  workspaceController.deleteWorkspaceTrustedIp
+);
+
 export default router;
--- a/backend/src/ee/services/EEAuditLogService.ts
+++ b/backend/src/ee/services/EEAuditLogService.ts
@ -0,0 +1,50 @@
+import { Types } from "mongoose";
+import { AuditLog, Event } from "../models";
+import { AuthData } from "../../interfaces/middleware";
+import EELicenseService from "./EELicenseService";
+import { Workspace } from "../../models";
+import { OrganizationNotFoundError } from "../../utils/errors";
+
+interface EventScope {
+    workspaceId?: Types.ObjectId;
+    organizationId?: Types.ObjectId;
+}
+
+type ValidEventScope = 
+    | Required<Pick<EventScope, "workspaceId">>
+    | Required<Pick<EventScope, "organizationId">>
+    | Required<EventScope>
+
+export default class EEAuditLogService {
+    static async createAuditLog(authData: AuthData, event: Event, eventScope: ValidEventScope, shouldSave = true) {
+        
+        const MS_IN_DAY = 24 * 60 * 60 * 1000;
+        
+        const organizationId = ("organizationId" in eventScope)
+            ? eventScope.organizationId
+            : (await Workspace.findById(eventScope.workspaceId).select("organization").lean())?.organization;
+        
+        if (!organizationId) throw OrganizationNotFoundError({
+            message: "createAuditLog: Failed to create audit log due to missing organizationId"
+        });
+
+        const ttl = (await EELicenseService.getPlan(organizationId)).auditLogsRetentionDays * MS_IN_DAY;
+        
+        const auditLog = await new AuditLog({
+            actor: authData.actor,
+            organization: organizationId,
+            workspace: ("workspaceId" in eventScope) ? eventScope.workspaceId : undefined,
+            ipAddress: authData.ipAddress,
+            event,
+            userAgent: authData.userAgent,
+            userAgentType: authData.userAgentType,
+            expiresAt: new Date(Date.now() + ttl)
+        });
+        
+        if (shouldSave) {
+            await auditLog.save();
+        }
+        
+        return auditLog;
+    }
+}
--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,3 +1,4 @@
+import { Types } from "mongoose";
 import * as Sentry from "@sentry/node";
 import NodeCache from "node-cache";
 import { 
@ -26,11 +27,14 @@ interface FeatureSet {
    environmentsUsed: number;
    secretVersioning: boolean;
    pitRecovery: boolean;
+    ipAllowlisting: boolean;
    rbac: boolean;
    customRateLimits: boolean;
    customAlerts: boolean;
    auditLogs: boolean;
-    status: 'incomplete' | 'incomplete_expired' | 'trialing' | 'active' | 'past_due' | 'canceled' | 'unpaid' | null;
+    auditLogsRetentionDays: number;
+    samlSSO: boolean;
+    status: "incomplete" | "incomplete_expired" | "trialing" | "active" | "past_due" | "canceled" | "unpaid" | null;
    trial_end: number | null;
    has_used_trial: boolean;
 }
@ -59,10 +63,13 @@ class EELicenseService {
        environmentsUsed: 0,
        secretVersioning: true,
        pitRecovery: false,
+        ipAllowlisting: false,
        rbac: true,
-        customRateLimits: true,
-        customAlerts: true,
+        customRateLimits: false,
+        customAlerts: false,
        auditLogs: false,
+        auditLogsRetentionDays: 0,
+        samlSSO: false,
        status: null,
        trial_end: null,
        has_used_trial: true
@ -77,10 +84,10 @@ class EELicenseService {
        });
    }
    
-    public async getPlan(organizationId: string, workspaceId?: string): Promise<FeatureSet> {
+    public async getPlan(organizationId: Types.ObjectId, workspaceId?: Types.ObjectId): Promise<FeatureSet> {
        try {
            if (this.instanceType === "cloud") {
-                const cachedPlan = this.localFeatureSet.get<FeatureSet>(`${organizationId}-${workspaceId ?? ""}`);
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(`${organizationId.toString()}-${workspaceId?.toString() ?? ""}`);
                if (cachedPlan) {
                    return cachedPlan;
                }
@ -97,7 +104,7 @@ class EELicenseService {
                const { data: { currentPlan } } = await licenseServerKeyRequest.get(url);

                // cache fetched plan for organization
-                this.localFeatureSet.set(`${organizationId}-${workspaceId ?? ""}`, currentPlan);
+                this.localFeatureSet.set(`${organizationId.toString()}-${workspaceId?.toString() ?? ""}`, currentPlan);

                return currentPlan;
            }
@ -108,16 +115,16 @@ class EELicenseService {
        return this.globalFeatureSet;
    }
    
-    public async refreshPlan(organizationId: string, workspaceId?: string) {
+    public async refreshPlan(organizationId: Types.ObjectId, workspaceId?: Types.ObjectId) {
        if (this.instanceType === "cloud") {
-            this.localFeatureSet.del(`${organizationId}-${workspaceId ?? ""}`);
+            this.localFeatureSet.del(`${organizationId.toString()}-${workspaceId?.toString() ?? ""}`);
            await this.getPlan(organizationId, workspaceId);
        }
    }
    
-    public async delPlan(organizationId: string) {
+    public async delPlan(organizationId: Types.ObjectId) {
        if (this.instanceType === "cloud") {
-            this.localFeatureSet.del(`${organizationId}-`);
+            this.localFeatureSet.del(`${organizationId.toString()}-`);
        }
    }

--- a/backend/src/ee/services/EESecretService.ts
+++ b/backend/src/ee/services/EESecretService.ts
@ -10,7 +10,7 @@ import EELicenseService from "./EELicenseService";
 /**
 * Class to handle Enterprise Edition secret actions
 */
-class EESecretService {
+export default class EESecretService {
  /**
   * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
   * [workspaceId] under a new snapshot with incremented version under the
@ -71,5 +71,3 @@ class EESecretService {
    });
  }
 }
-
-export default EESecretService;
--- a/backend/src/ee/services/GithubSecretScanning/GithubSecretScanningService.ts
+++ b/backend/src/ee/services/GithubSecretScanning/GithubSecretScanningService.ts
@ -0,0 +1,45 @@
+import { Probot } from "probot";
+import GitRisks from "../../models/gitRisks";
+import GitAppOrganizationInstallation from "../../models/gitAppOrganizationInstallation";
+import { scanGithubPushEventForSecretLeaks } from "../../../queues/secret-scanning/githubScanPushEvent";
+export default async (app: Probot) => {
+  app.on("installation.deleted", async (context) => {
+    const { payload } = context;
+    const { installation, repositories } = payload;
+    if (repositories) {
+      for (const repository of repositories) {
+        await GitRisks.deleteMany({ repositoryId: repository.id })
+      }
+      await GitAppOrganizationInstallation.deleteOne({ installationId: installation.id })
+    }
+  })
+
+  app.on("installation", async (context) => {
+    const { payload } = context;
+    payload.repositories
+    const { installation, repositories } = payload;
+    // TODO: start full repo scans 
+  })
+
+  app.on("push", async (context) => {
+    const { payload } = context;
+    const { commits, repository, installation, pusher } = payload;
+
+    if (!commits || !repository || !installation || !pusher) {
+      return
+    }
+
+    const installationLinkToOrgExists = await GitAppOrganizationInstallation.findOne({ installationId: installation?.id }).lean()
+    if (!installationLinkToOrgExists) {
+      return
+    }
+
+    scanGithubPushEventForSecretLeaks({
+      commits: commits,
+      pusher: { name: pusher.name, email: pusher.email },
+      repository: { fullName: repository.full_name, id: repository.id },
+      organizationId: installationLinkToOrgExists.organizationId,
+      installationId: installation.id
+    })
+  });
+};
--- a/backend/src/ee/services/GithubSecretScanning/helper.ts
+++ b/backend/src/ee/services/GithubSecretScanning/helper.ts
@ -0,0 +1,125 @@
+import { exec } from "child_process";
+import { mkdir, readFile, rm, writeFile } from "fs";
+import { tmpdir } from "os";
+import { join } from "path"
+import { SecretMatch } from "./types";
+import { Octokit } from "@octokit/rest";
+
+export async function scanContentAndGetFindings(textContent: string): Promise<SecretMatch[]> {
+  const tempFolder = await createTempFolder();
+  const filePath = join(tempFolder, "content.txt");
+  const findingsPath = join(tempFolder, "findings.json");
+
+  try {
+    await writeTextToFile(filePath, textContent);
+    await runInfisicalScan(filePath, findingsPath);
+    const findingsData = await readFindingsFile(findingsPath);
+    return JSON.parse(findingsData);
+  } finally {
+    await deleteTempFolder(tempFolder);
+  }
+}
+
+export function createTempFolder(): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const tempDir = tmpdir()
+    const tempFolderName = Math.random().toString(36).substring(2);
+    const tempFolderPath = join(tempDir, tempFolderName);
+
+    mkdir(tempFolderPath, (err: any) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve(tempFolderPath);
+      }
+    });
+  });
+}
+
+export function writeTextToFile(filePath: string, content: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    writeFile(filePath, content, (err) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
+export function runInfisicalScan(inputPath: string, outputPath: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const command = `cat "${inputPath}" | infisical scan --exit-code=77 --pipe -r "${outputPath}"`;
+    exec(command, (error) => {
+      if (error && error.code != 77) {
+        reject(error);
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
+export function readFindingsFile(filePath: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    readFile(filePath, "utf8", (err, data) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve(data);
+      }
+    });
+  });
+}
+
+export function deleteTempFolder(folderPath: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    rm(folderPath, { recursive: true }, (err) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
+export function convertKeysToLowercase<T>(obj: T): T {
+  const convertedObj = {} as T;
+
+  for (const key in obj) {
+    if (Object.prototype.hasOwnProperty.call(obj, key)) {
+      const lowercaseKey = key.charAt(0).toLowerCase() + key.slice(1);
+      convertedObj[lowercaseKey as keyof T] = obj[key];
+    }
+  }
+
+  return convertedObj;
+}
+
+export async function getCommits(octokit: Octokit, owner: string, repo: string) {
+  let commits: { sha: string }[] = [];
+  let page = 1;
+  while (true) {
+    const response = await octokit.repos.listCommits({
+      owner,
+      repo,
+      per_page: 100,
+      page,
+    });
+
+    commits = commits.concat(response.data);
+    if (response.data.length == 0) break;
+    page++;
+  }
+  return commits;
+}
+
+export async function getFilesFromCommit(octokit: any, owner: string, repo: string, sha: string) {
+  const response = await octokit.repos.getCommit({
+    owner,
+    repo,
+    ref: sha,
+  });
+}
--- a/backend/src/ee/services/GithubSecretScanning/types.ts
+++ b/backend/src/ee/services/GithubSecretScanning/types.ts
@ -0,0 +1,21 @@
+export type SecretMatch = {
+  Description: string;
+  StartLine: number;
+  EndLine: number;
+  StartColumn: number;
+  EndColumn: number;
+  Match: string;
+  Secret: string;
+  File: string;
+  SymlinkFile: string;
+  Commit: string;
+  Entropy: number;
+  Author: string;
+  Email: string;
+  Date: string;
+  Message: string;
+  Tags: string[];
+  RuleID: string;
+  Fingerprint: string;
+  FingerPrintWithoutCommitId: string
+};
--- a/backend/src/ee/services/index.ts
+++ b/backend/src/ee/services/index.ts
@ -1,9 +1,13 @@
 import EELicenseService from "./EELicenseService";
 import EESecretService from "./EESecretService";
 import EELogService from "./EELogService";
+import EEAuditLogService from "./EEAuditLogService";
+import GithubSecretScanningService from "./GithubSecretScanning/GithubSecretScanningService"

 export {
    EELicenseService,
    EESecretService,
    EELogService,
+    EEAuditLogService,
+    GithubSecretScanningService
 }
--- a/backend/src/events/index.ts
+++ b/backend/src/events/index.ts
@ -1,5 +1,4 @@
-import { eventPushSecrets } from "./secret"
+import { eventPushSecrets } from "./secret";
+import { eventStartIntegration } from "./integration";

-export {
-    eventPushSecrets,
-}
+export { eventPushSecrets, eventStartIntegration };
--- a/backend/src/events/integration.ts
+++ b/backend/src/events/integration.ts
@ -0,0 +1,23 @@
+import { Types } from "mongoose";
+import { EVENT_START_INTEGRATION } from "../variables";
+
+/*
+ * Return event for starting integrations
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace to push secrets to
+ * @returns
+ */
+export const eventStartIntegration = ({
+  workspaceId,
+  environment
+}: {
+  workspaceId: Types.ObjectId;
+  environment: string;
+}) => {
+  return {
+    name: EVENT_START_INTEGRATION,
+    workspaceId,
+    environment,
+    payload: {}
+  };
+};
--- a/backend/src/events/secret.ts
+++ b/backend/src/events/secret.ts
@ -1,64 +1,54 @@
 import { Types } from "mongoose";
-import { 
-    EVENT_PULL_SECRETS, 
-    EVENT_PUSH_SECRETS, 
-} from "../variables";
+import { EVENT_PULL_SECRETS, EVENT_PUSH_SECRETS } from "../variables";

 interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	type: "shared" | "personal";
+  ciphertextKey: string;
+  ivKey: string;
+  tagKey: string;
+  hashKey: string;
+  ciphertextValue: string;
+  ivValue: string;
+  tagValue: string;
+  hashValue: string;
+  type: "shared" | "personal";
 }

 /**
 * Return event for pushing secrets
 * @param {Object} obj
 * @param {String} obj.workspaceId - id of workspace to push secrets to
- * @returns 
+ * @returns
 */
 const eventPushSecrets = ({
+  workspaceId,
+  environment,
+  secretPath
+}: {
+  workspaceId: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+}) => {
+  return {
+    name: EVENT_PUSH_SECRETS,
    workspaceId,
    environment,
-}: {
-    workspaceId: Types.ObjectId;
-    environment?: string;
-}) => {
-    return ({
-        name: EVENT_PUSH_SECRETS,
-        workspaceId,
-        environment,
-        payload: {
-
-        },
-    });
-}
+    secretPath,
+    payload: {}
+  };
+};

 /**
 * Return event for pulling secrets
 * @param {Object} obj
 * @param {String} obj.workspaceId - id of workspace to pull secrets from
- * @returns 
+ * @returns
 */
-const eventPullSecrets = ({
+const eventPullSecrets = ({ workspaceId }: { workspaceId: string }) => {
+  return {
+    name: EVENT_PULL_SECRETS,
    workspaceId,
-}: {
-    workspaceId: string;
-}) => {
-    return ({
-        name: EVENT_PULL_SECRETS,
-        workspaceId,
-        payload: {
+    payload: {}
+  };
+};

-        },
-    });
-}
-
-export {
-    eventPushSecrets,
-}
+export { eventPushSecrets };
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,3 +1,4 @@
+import { Request } from "express";
 import { Types } from "mongoose";
 import jwt from "jsonwebtoken";
 import bcrypt from "bcrypt";
@ -5,7 +6,6 @@ import {
 	APIKeyData,
 	ITokenVersion,
 	IUser,
-	ServiceAccount,
 	ServiceTokenData,
 	TokenVersion,
 	User,
@ -14,7 +14,6 @@ import {
 	APIKeyDataNotFoundError,
 	AccountNotFoundError,
 	BadRequestError,
-	ServiceAccountNotFoundError,
 	ServiceTokenDataNotFoundError,
 	UnauthorizedRequestError,
 } from "../utils/errors";
@ -26,11 +25,15 @@ import {
 	getJwtRefreshSecret,
 } from "../config";
 import {
-	AUTH_MODE_API_KEY,
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
+	AuthMode
 } from "../variables";
+import {
+	ServiceTokenAuthData,
+	UserAuthData
+} from "../interfaces/middleware";
+
+import { ActorType } from "../ee/models";
+import { getUserAgentType } from "../utils/posthog";

 /**
 * 
@ -42,7 +45,7 @@ export const validateAuthMode = ({
 	acceptedAuthModes,
 }: {
 	headers: { [key: string]: string | string[] | undefined },
-	acceptedAuthModes: string[]
+	acceptedAuthModes: AuthMode[]
 }) => {
 	const apiKey = headers["x-api-key"];
 	const authHeader = headers["authorization"];
@ -55,7 +58,7 @@ export const validateAuthMode = ({

 	if (typeof apiKey === "string") {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authMode = AUTH_MODE_API_KEY;
+		authMode = AuthMode.API_KEY;
 		authTokenValue = apiKey;
 	}

@ -71,13 +74,10 @@ export const validateAuthMode = ({

 		switch (tokenValue.split(".", 1)[0]) {
 			case "st":
-				authMode = AUTH_MODE_SERVICE_TOKEN;
-				break;
-			case "sa":
-				authMode = AUTH_MODE_SERVICE_ACCOUNT;
+				authMode = AuthMode.SERVICE_TOKEN;
 				break;
 			default:
-				authMode = AUTH_MODE_JWT;
+				authMode = AuthMode.JWT;
 		}

 		authTokenValue = tokenValue;
@ -100,10 +100,12 @@ export const validateAuthMode = ({
 * @returns {User} user - user corresponding to JWT token
 */
 export const getAuthUserPayload = async ({
+	req,
 	authTokenValue,
 }: {
+	req: Request,
 	authTokenValue: string;
-}) => {
+}): Promise<UserAuthData> => {
 	const decodedToken = <jwt.UserIDJwtPayload>(
 		jwt.verify(authTokenValue, await getJwtAuthSecret())
 	);
@ -122,19 +124,33 @@ export const getAuthUserPayload = async ({
 	}, {
 		lastUsed: new Date(),
 	});
-	
+
 	if (!tokenVersion) throw UnauthorizedRequestError({
 		message: "Failed to validate access token",
 	});
-	
+
 	if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError({
 		message: "Failed to validate access token",
 	});
-
-	return ({
-		user,
-		tokenVersionId: tokenVersion._id,
-	});
+	
+	return {
+		actor: {
+			type: ActorType.USER,
+			metadata: {
+				userId: user._id.toString(),
+				email: user.email
+			}
+		},
+		authPayload: user,
+		ipAddress: req.realIP,
+		userAgent: req.headers["user-agent"] ?? "",
+		userAgentType: getUserAgentType(req.headers["user-agent"])
+	}
+	
+	// return ({
+	// 	user,
+	// 	tokenVersionId: tokenVersion._id, // what to do with this? // move this out
+	// });
 }

 /**
@ -144,14 +160,16 @@ export const getAuthUserPayload = async ({
 * @returns {ServiceTokenData} serviceTokenData - service token data
 */
 export const getAuthSTDPayload = async ({
+	req,
 	authTokenValue,
 }: {
+	req: Request,
 	authTokenValue: string;
-}) => {
+}): Promise<ServiceTokenAuthData> => {
 	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);

-	let serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt");
+	const serviceTokenData = await ServiceTokenData
+		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")

 	if (!serviceTokenData) {
 		throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
@ -168,7 +186,7 @@ export const getAuthSTDPayload = async ({
 		message: "Failed to authenticate service token",
 	});

-	serviceTokenData = await ServiceTokenData
+	const serviceTokenDataToReturn = await ServiceTokenData
 		.findOneAndUpdate({
 			_id: new Types.ObjectId(TOKEN_IDENTIFIER),
 		}, {
@ -176,40 +194,25 @@ export const getAuthSTDPayload = async ({
 		}, {
 			new: true,
 		})
-		.select("+encryptedKey +iv +tag");
+		.select("+encryptedKey +iv +tag")

-	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
+	if (!serviceTokenDataToReturn) throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });

-	return serviceTokenData;
-}
-
-/**
- * Return service account access key payload
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service account access token value
- * @returns {ServiceAccount} serviceAccount
- */
-export const getAuthSAAKPayload = async ({
-	authTokenValue,
-}: {
-	authTokenValue: string;
-}) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
-
-	const serviceAccount = await ServiceAccount.findById(
-		Buffer.from(TOKEN_IDENTIFIER, "base64").toString("hex")
-	).select("+secretHash");
-
-	if (!serviceAccount) {
-		throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
+	return {
+		actor: {
+			type: ActorType.SERVICE,
+			metadata: {
+				serviceId: serviceTokenDataToReturn._id.toString(),
+				name: serviceTokenDataToReturn.name
+			}
+		},
+		authPayload: serviceTokenDataToReturn,
+		ipAddress: req.realIP,
+		userAgent: req.headers["user-agent"] ?? "",
+		userAgentType: getUserAgentType(req.headers["user-agent"])
 	}

-	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
-	if (!result) throw UnauthorizedRequestError({
-		message: "Failed to authenticate service account access key",
-	});
-
-	return serviceAccount;
+	// return serviceTokenDataToReturn;
 }

 /**
@ -219,10 +222,12 @@ export const getAuthSAAKPayload = async ({
 * @returns {APIKeyData} apiKeyData - API key data
 */
 export const getAuthAPIKeyPayload = async ({
+	req,
 	authTokenValue,
 }: {
+	req: Request,
 	authTokenValue: string;
-}) => {
+}): Promise<UserAuthData> => {
 	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);

 	let apiKeyData = await APIKeyData
@ -264,7 +269,19 @@ export const getAuthAPIKeyPayload = async ({
 		});
 	}

-	return user;
+	return {
+		actor: {
+			type: ActorType.USER,
+			metadata: {
+				userId: user._id.toString(),
+				email: user.email
+			}
+		},
+		authPayload: user,
+		ipAddress: req.realIP,
+		userAgent: req.headers["user-agent"] ?? "",
+		userAgentType: getUserAgentType(req.headers["user-agent"])
+	}
 }

 /**
@ -275,11 +292,11 @@ export const getAuthAPIKeyPayload = async ({
 * @return {String} obj.token - issued JWT token
 * @return {String} obj.refreshToken - issued refresh token
 */
-export const issueAuthTokens = async ({ 
+export const issueAuthTokens = async ({
 	userId,
 	ip,
 	userAgent,
-}: { 
+}: {
 	userId: Types.ObjectId;
 	ip: string;
 	userAgent: string;
@ -292,7 +309,7 @@ export const issueAuthTokens = async ({
 		ip,
 		userAgent,
 	});
-	
+
 	if (!tokenVersion) {
 		// case: no existing ip and user agent exists
 		// -> create new (session) token version for ip and user agent
@ -375,11 +392,9 @@ export const createToken = ({

 export const validateProviderAuthToken = async ({
 	email,
-	user,
 	providerAuthToken,
 }: {
 	email: string;
-	user: IUser,
 	providerAuthToken?: string;
 }) => {
 	if (!providerAuthToken) {
@ -389,11 +404,8 @@ export const validateProviderAuthToken = async ({
 	const decodedToken = <jwt.ProviderAuthJwtPayload>(
 		jwt.verify(providerAuthToken, await getJwtProviderAuthSecret())
 	);
-	
-	if (
-		decodedToken.authProvider !== user.authProvider ||
-		decodedToken.email !== email
-	) {
+
+	if (decodedToken.email !== email) {
 		throw new Error("Invalid authentication credentials.")
 	}
-}
+}
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -4,18 +4,20 @@ import {
  decryptAsymmetric,
  decryptSymmetric128BitHexKeyUTF8,
  encryptSymmetric128BitHexKeyUTF8,
-  generateKeyPair,
+  generateKeyPair
 } from "../utils/crypto";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_BASE64,
  ENCODING_SCHEME_UTF8,
-  SECRET_SHARED,
+  SECRET_SHARED
 } from "../variables";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
 import { InternalServerError } from "../utils/errors";
 import Folder from "../models/folder";
 import { getFolderByPath } from "../services/FolderService";
+import { getAllImportedSecrets } from "../services/SecretImportService";
+import { expandSecrets } from "./secrets";

 /**
 * Create an inactive bot with name [name] for workspace with id [workspaceId]
@ -25,7 +27,7 @@ import { getFolderByPath } from "../services/FolderService";
 */
 export const createBot = async ({
  name,
-  workspaceId,
+  workspaceId
 }: {
  name: string;
  workspaceId: Types.ObjectId;
@ -36,10 +38,7 @@ export const createBot = async ({
  const { publicKey, privateKey } = generateKeyPair();

  if (rootEncryptionKey) {
-    const { ciphertext, iv, tag } = client.encryptSymmetric(
-      privateKey,
-      rootEncryptionKey
-    );
+    const { ciphertext, iv, tag } = client.encryptSymmetric(privateKey, rootEncryptionKey);

    return await new Bot({
      name,
@ -50,12 +49,12 @@ export const createBot = async ({
      iv,
      tag,
      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_BASE64,
+      keyEncoding: ENCODING_SCHEME_BASE64
    }).save();
  } else if (encryptionKey) {
    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
      plaintext: privateKey,
-      key: await getEncryptionKey(),
+      key: await getEncryptionKey()
    });

    return await new Bot({
@ -67,12 +66,12 @@ export const createBot = async ({
      iv,
      tag,
      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8,
+      keyEncoding: ENCODING_SCHEME_UTF8
    }).save();
  }

  throw InternalServerError({
-    message: "Failed to create new bot due to missing encryption key",
+    message: "Failed to create new bot due to missing encryption key"
  });
 };

@ -82,7 +81,7 @@ export const createBot = async ({
 */
 export const getIsWorkspaceE2EEHelper = async (workspaceId: Types.ObjectId) => {
  const botKey = await BotKey.exists({
-    workspace: workspaceId,
+    workspace: workspaceId
  });

  return botKey ? false : true;
@ -98,19 +97,19 @@ export const getIsWorkspaceE2EEHelper = async (workspaceId: Types.ObjectId) => {
 export const getSecretsBotHelper = async ({
  workspaceId,
  environment,
-  secretPath,
+  secretPath
 }: {
  workspaceId: Types.ObjectId;
  environment: string;
  secretPath: string;
 }) => {
-  const content = {} as any;
+  const content: Record<string, { value: string; comment?: string }> = {};
  const key = await getKey({ workspaceId: workspaceId });

  let folderId = "root";
  const folders = await Folder.findOne({
    workspace: workspaceId,
-    environment,
+    environment
  });

  if (!folders && secretPath !== "/") {
@ -129,7 +128,43 @@ export const getSecretsBotHelper = async ({
    workspace: workspaceId,
    environment,
    type: SECRET_SHARED,
-    folder: folderId,
+    folder: folderId
+  });
+
+  const importedSecrets = await getAllImportedSecrets(
+    workspaceId.toString(),
+    environment,
+    folderId
+  );
+
+  importedSecrets.forEach(({ secrets }) => {
+    secrets.forEach((secret) => {
+      const secretKey = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretKeyCiphertext,
+        iv: secret.secretKeyIV,
+        tag: secret.secretKeyTag,
+        key
+      });
+
+      const secretValue = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretValueCiphertext,
+        iv: secret.secretValueIV,
+        tag: secret.secretValueTag,
+        key
+      });
+
+      content[secretKey] = { value: secretValue };
+
+      if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
+        const commentValue = decryptSymmetric128BitHexKeyUTF8({
+          ciphertext: secret.secretCommentCiphertext,
+          iv: secret.secretCommentIV,
+          tag: secret.secretCommentTag,
+          key
+        });
+        content[secretKey].comment = commentValue;
+      }
+    });
  });

  secrets.forEach((secret: ISecret) => {
@ -137,19 +172,31 @@ export const getSecretsBotHelper = async ({
      ciphertext: secret.secretKeyCiphertext,
      iv: secret.secretKeyIV,
      tag: secret.secretKeyTag,
-      key,
+      key
    });

    const secretValue = decryptSymmetric128BitHexKeyUTF8({
      ciphertext: secret.secretValueCiphertext,
      iv: secret.secretValueIV,
      tag: secret.secretValueTag,
-      key,
+      key
    });

-    content[secretKey] = secretValue;
+    content[secretKey] = { value: secretValue };
+
+    if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
+      const commentValue = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretCommentCiphertext,
+        iv: secret.secretCommentIV,
+        tag: secret.secretCommentTag,
+        key
+      });
+      content[secretKey].comment = commentValue;
+    }
  });

+  await expandSecrets(workspaceId.toString(), key, content);
+
  return content;
 };

@ -160,22 +207,18 @@ export const getSecretsBotHelper = async ({
 * @param {String} obj.workspaceId - id of workspace
 * @returns {String} key - decrypted workspace key
 */
-export const getKey = async ({
-  workspaceId,
-}: {
-  workspaceId: Types.ObjectId;
-}) => {
+export const getKey = async ({ workspaceId }: { workspaceId: Types.ObjectId }) => {
  const encryptionKey = await getEncryptionKey();
  const rootEncryptionKey = await getRootEncryptionKey();

  const botKey = await BotKey.findOne({
-    workspace: workspaceId,
+    workspace: workspaceId
  }).populate<{ sender: IUser }>("sender", "publicKey");

  if (!botKey) throw new Error("Failed to find bot key");

  const bot = await Bot.findOne({
-    workspace: workspaceId,
+    workspace: workspaceId
  }).select("+encryptedPrivateKey +iv +tag +algorithm +keyEncoding");

  if (!bot) throw new Error("Failed to find bot");
@ -194,7 +237,7 @@ export const getKey = async ({
      ciphertext: botKey.encryptedKey,
      nonce: botKey.nonce,
      publicKey: botKey.sender.publicKey as string,
-      privateKey: privateKeyBot,
+      privateKey: privateKeyBot
    });
  } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
    // case: encoding scheme is utf8
@ -202,20 +245,19 @@ export const getKey = async ({
      ciphertext: bot.encryptedPrivateKey,
      iv: bot.iv,
      tag: bot.tag,
-      key: encryptionKey,
+      key: encryptionKey
    });

    return decryptAsymmetric({
      ciphertext: botKey.encryptedKey,
      nonce: botKey.nonce,
      publicKey: botKey.sender.publicKey as string,
-      privateKey: privateKeyBot,
+      privateKey: privateKeyBot
    });
  }

  throw InternalServerError({
-    message:
-      "Failed to obtain bot's copy of workspace key needed for bot operations",
+    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
  });
 };

@ -228,7 +270,7 @@ export const getKey = async ({
 */
 export const encryptSymmetricHelper = async ({
  workspaceId,
-  plaintext,
+  plaintext
 }: {
  workspaceId: Types.ObjectId;
  plaintext: string;
@ -236,13 +278,13 @@ export const encryptSymmetricHelper = async ({
  const key = await getKey({ workspaceId: workspaceId });
  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
    plaintext,
-    key,
+    key
  });

  return {
    ciphertext,
    iv,
-    tag,
+    tag
  };
 };
 /**
@ -258,7 +300,7 @@ export const decryptSymmetricHelper = async ({
  workspaceId,
  ciphertext,
  iv,
-  tag,
+  tag
 }: {
  workspaceId: Types.ObjectId;
  ciphertext: string;
@ -270,8 +312,75 @@ export const decryptSymmetricHelper = async ({
    ciphertext,
    iv,
    tag,
-    key,
+    key
  });

  return plaintext;
 };
+
+/**
+ * Return decrypted comments for workspace secrets with id [workspaceId]
+ * and [envionment] using bot
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace
+ * @param {String} obj.environment - environment
+ */
+export const getSecretsCommentBotHelper = async ({
+  workspaceId,
+  environment,
+  secretPath
+}: {
+  workspaceId: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+}) => {
+  const content = {} as any;
+  const key = await getKey({ workspaceId: workspaceId });
+
+  let folderId = "root";
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  });
+
+  if (!folders && secretPath !== "/") {
+    throw InternalServerError({ message: "Folder not found" });
+  }
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw InternalServerError({ message: "Folder not found" });
+    }
+    folderId = folder.id;
+  }
+
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    type: SECRET_SHARED,
+    folder: folderId
+  });
+
+  secrets.forEach((secret: ISecret) => {
+    if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
+      const secretKey = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretKeyCiphertext,
+        iv: secret.secretKeyIV,
+        tag: secret.secretKeyTag,
+        key
+      });
+
+      const commentValue = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretCommentCiphertext,
+        iv: secret.secretCommentIV,
+        tag: secret.secretCommentTag,
+        key
+      });
+
+      content[secretKey] = commentValue;
+    }
+  });
+
+  return content;
+};
--- a/backend/src/helpers/botOrg.ts
+++ b/backend/src/helpers/botOrg.ts
@ -0,0 +1,134 @@
+import { Types } from "mongoose";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
+import { BotOrg } from "../models";
+import { decryptSymmetric128BitHexKeyUTF8 } from "../utils/crypto";
+import {
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_BASE64,
+    ENCODING_SCHEME_UTF8
+} from "../variables";
+import { InternalServerError } from "../utils/errors";
+import { encryptSymmetric128BitHexKeyUTF8, generateKeyPair } from "../utils/crypto";
+
+/**
+ * Create a bot with name [name] for organization with id [organizationId]
+ * @param {Object} obj
+ * @param {String} obj.name - name of bot
+ * @param {String} obj.organizationId - id of organization that bot belongs to
+ */
+export const createBotOrg = async ({
+  name,
+  organizationId,
+}: {
+  name: string;
+  organizationId: Types.ObjectId;
+}) => {
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+
+    const { publicKey, privateKey } = generateKeyPair();
+    const key = client.createSymmetricKey();
+
+    if (rootEncryptionKey) {
+        const { 
+            ciphertext: encryptedPrivateKey,
+            iv: privateKeyIV,
+            tag: privateKeyTag
+        } = client.encryptSymmetric(privateKey, rootEncryptionKey);
+
+        const {
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag
+        } = client.encryptSymmetric(key, rootEncryptionKey);
+
+        return await new BotOrg({
+            name,
+            organization: organizationId,
+            publicKey,
+            encryptedSymmetricKey,
+            symmetricKeyIV,
+            symmetricKeyTag,
+            symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            symmetricKeyKeyEncoding: ENCODING_SCHEME_BASE64,
+            encryptedPrivateKey,
+            privateKeyIV,
+            privateKeyTag,
+            privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            privateKeyKeyEncoding: ENCODING_SCHEME_BASE64
+        }).save();
+    } else if (encryptionKey) {
+        const {
+            ciphertext: encryptedPrivateKey,
+            iv: privateKeyIV,
+            tag: privateKeyTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+            plaintext: privateKey,
+            key: encryptionKey
+        });
+            
+        const {
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+            plaintext: key,
+            key: encryptionKey
+        });
+
+        return await new BotOrg({
+            name,
+            organization: organizationId,
+            publicKey,
+            encryptedSymmetricKey,
+            symmetricKeyIV,
+            symmetricKeyTag,
+            symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            symmetricKeyKeyEncoding: ENCODING_SCHEME_UTF8,
+            encryptedPrivateKey,
+            privateKeyIV,
+            privateKeyTag,
+            privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            privateKeyKeyEncoding: ENCODING_SCHEME_UTF8
+        }).save();
+    }
+
+  throw InternalServerError({
+    message: "Failed to create new organization bot due to missing encryption key",
+  });
+};
+
+export const getSymmetricKeyHelper = async (organizationId: Types.ObjectId) => {
+    const rootEncryptionKey = await getRootEncryptionKey();
+    const encryptionKey = await getEncryptionKey();
+
+    const botOrg = await BotOrg.findOne({
+        organization: organizationId
+    });
+    
+    if (!botOrg) throw new Error("Failed to find organization bot");
+
+    if (rootEncryptionKey && botOrg.symmetricKeyKeyEncoding == ENCODING_SCHEME_BASE64) {
+        const key = client.decryptSymmetric(
+            botOrg.encryptedSymmetricKey, 
+            rootEncryptionKey, 
+            botOrg.symmetricKeyIV, 
+            botOrg.symmetricKeyTag
+        );
+
+        return key;
+    } else if (encryptionKey && botOrg.symmetricKeyKeyEncoding === ENCODING_SCHEME_UTF8) {
+       const key = decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: botOrg.encryptedSymmetricKey,
+            iv: botOrg.symmetricKeyIV,
+            tag: botOrg.symmetricKeyTag,
+            key: encryptionKey
+        });
+        
+        return key;
+    }
+
+    throw InternalServerError({
+        message: "Failed to match encryption key with organization bot symmetric key encoding"
+    });
+}
--- a/backend/src/helpers/event.ts
+++ b/backend/src/helpers/event.ts
@ -1,12 +1,14 @@
 import { Types } from "mongoose";
 import { Bot } from "../models";
-import { EVENT_PUSH_SECRETS } from "../variables";
+import { EVENT_PUSH_SECRETS, EVENT_START_INTEGRATION } from "../variables";
 import { IntegrationService } from "../services";
+import { triggerWebhook } from "../services/WebhookService";

 interface Event {
  name: string;
  workspaceId: Types.ObjectId;
  environment?: string;
+  secretPath?: string;
  payload: any;
 }

@ -19,22 +21,31 @@ interface Event {
 * @param {Object} obj.event.payload - payload of event (depends on event)
 */
 export const handleEventHelper = async ({ event }: { event: Event }) => {
-  const { workspaceId, environment } = event;
+  const { workspaceId, environment, secretPath } = event;

  // TODO: moduralize bot check into separate function
  const bot = await Bot.findOne({
    workspace: workspaceId,
-    isActive: true,
+    isActive: true
  });

-  if (!bot) return;
-
  switch (event.name) {
    case EVENT_PUSH_SECRETS:
-      IntegrationService.syncIntegrations({
-        workspaceId,
-        environment,
-      });
+      if (bot) {
+        IntegrationService.syncIntegrations({
+          workspaceId,
+          environment
+        });
+      }
+      triggerWebhook(workspaceId.toString(), environment || "", secretPath || "");
+      break;
+    case EVENT_START_INTEGRATION:
+      if (bot) {
+        IntegrationService.syncIntegrations({
+          workspaceId,
+          environment
+        });
+      }
      break;
  }
-};
+};
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -1,14 +1,15 @@
 import { Types } from "mongoose";
-import { Bot, Integration, IntegrationAuth } from "../models";
-import { exchangeCode, exchangeRefresh, syncSecrets } from "../integrations";
+import { Bot, IntegrationAuth } from "../models";
+import { exchangeCode, exchangeRefresh } from "../integrations";
 import { BotService } from "../services";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  INTEGRATION_NETLIFY,
-  INTEGRATION_VERCEL,
+  INTEGRATION_VERCEL
 } from "../variables";
 import { UnauthorizedRequestError } from "../utils/errors";
+import { syncSecretsToActiveIntegrationsQueue } from "../queues/integrations/syncSecretsToThirdPartyServices"

 interface Update {
  workspace: string;
@ -33,7 +34,7 @@ export const handleOAuthExchangeHelper = async ({
  workspaceId,
  integration,
  code,
-  environment,
+  environment
 }: {
  workspaceId: string;
  integration: string;
@ -42,21 +43,20 @@ export const handleOAuthExchangeHelper = async ({
 }) => {
  const bot = await Bot.findOne({
    workspace: workspaceId,
-    isActive: true,
+    isActive: true
  });

-  if (!bot)
-    throw new Error("Bot must be enabled for OAuth2 code-token exchange");
+  if (!bot) throw new Error("Bot must be enabled for OAuth2 code-token exchange");

  // exchange code for access and refresh tokens
  const res = await exchangeCode({
    integration,
-    code,
+    code
  });

  const update: Update = {
    workspace: workspaceId,
-    integration,
+    integration
  };

  switch (integration) {
@ -71,12 +71,12 @@ export const handleOAuthExchangeHelper = async ({
  const integrationAuth = await IntegrationAuth.findOneAndUpdate(
    {
      workspace: workspaceId,
-      integration,
+      integration
    },
    update,
    {
      new: true,
-      upsert: true,
+      upsert: true
    }
  );

@ -85,7 +85,7 @@ export const handleOAuthExchangeHelper = async ({
    // set integration auth refresh token
    await setIntegrationAuthRefreshHelper({
      integrationAuthId: integrationAuth._id.toString(),
-      refreshToken: res.refreshToken,
+      refreshToken: res.refreshToken
    });
  }

@ -96,67 +96,12 @@ export const handleOAuthExchangeHelper = async ({
      integrationAuthId: integrationAuth._id.toString(),
      accessId: null,
      accessToken: res.accessToken,
-      accessExpiresAt: res.accessExpiresAt,
+      accessExpiresAt: res.accessExpiresAt
    });
  }

  return integrationAuth;
 };
-/**
- * Sync/push environment variables in workspace with id [workspaceId] to
- * all active integrations for that workspace
- * @param {Object} obj
- * @param {Object} obj.workspaceId - id of workspace
- */
-export const syncIntegrationsHelper = async ({
-  workspaceId,
-  environment,
-}: {
-  workspaceId: Types.ObjectId;
-  environment?: string;
-}) => {
-  const integrations = await Integration.find({
-    workspace: workspaceId,
-    ...(environment
-      ? {
-          environment,
-        }
-      : {}),
-    isActive: true,
-    app: { $ne: null },
-  });
-
-  // for each workspace integration, sync/push secrets
-  // to that integration
-  for await (const integration of integrations) {
-    // get workspace, environment (shared) secrets
-    const secrets = await BotService.getSecrets({
-      // issue here?
-      workspaceId: integration.workspace,
-      environment: integration.environment,
-      secretPath: integration.secretPath,
-    });
-
-    const integrationAuth = await IntegrationAuth.findById(
-      integration.integrationAuth
-    );
-    if (!integrationAuth) throw new Error("Failed to find integration auth");
-
-    // get integration auth access token
-    const access = await getIntegrationAuthAccessHelper({
-      integrationAuthId: integration.integrationAuth,
-    });
-
-    // sync secrets to integration
-    await syncSecrets({
-      integration,
-      integrationAuth,
-      secrets,
-      accessId: access.accessId === undefined ? null : access.accessId,
-      accessToken: access.accessToken,
-    });
-  }
-};

 /**
 * Return decrypted refresh token using the bot's copy
@ -167,24 +112,24 @@ export const syncIntegrationsHelper = async ({
 * @param {String} refreshToken - decrypted refresh token
 */
 export const getIntegrationAuthRefreshHelper = async ({
-  integrationAuthId,
+  integrationAuthId
 }: {
  integrationAuthId: Types.ObjectId;
 }) => {
-  const integrationAuth = await IntegrationAuth.findById(
-    integrationAuthId
-  ).select("+refreshCiphertext +refreshIV +refreshTag");
+  const integrationAuth = await IntegrationAuth.findById(integrationAuthId).select(
+    "+refreshCiphertext +refreshIV +refreshTag"
+  );

  if (!integrationAuth)
    throw UnauthorizedRequestError({
-      message: "Failed to locate Integration Authentication credentials",
+      message: "Failed to locate Integration Authentication credentials"
    });

  const refreshToken = await BotService.decryptSymmetric({
    workspaceId: integrationAuth.workspace,
    ciphertext: integrationAuth.refreshCiphertext as string,
    iv: integrationAuth.refreshIV as string,
-    tag: integrationAuth.refreshTag as string,
+    tag: integrationAuth.refreshTag as string
  });

  return refreshToken;
@ -199,28 +144,26 @@ export const getIntegrationAuthRefreshHelper = async ({
 * @returns {String} accessToken - decrypted access token
 */
 export const getIntegrationAuthAccessHelper = async ({
-  integrationAuthId,
+  integrationAuthId
 }: {
  integrationAuthId: Types.ObjectId;
 }) => {
  let accessId;
  let accessToken;
-  const integrationAuth = await IntegrationAuth.findById(
-    integrationAuthId
-  ).select(
+  const integrationAuth = await IntegrationAuth.findById(integrationAuthId).select(
    "workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag"
  );

  if (!integrationAuth)
    throw UnauthorizedRequestError({
-      message: "Failed to locate Integration Authentication credentials",
+      message: "Failed to locate Integration Authentication credentials"
    });

  accessToken = await BotService.decryptSymmetric({
    workspaceId: integrationAuth.workspace,
    ciphertext: integrationAuth.accessCiphertext as string,
    iv: integrationAuth.accessIV as string,
-    tag: integrationAuth.accessTag as string,
+    tag: integrationAuth.accessTag as string
  });

  if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
@ -230,11 +173,11 @@ export const getIntegrationAuthAccessHelper = async ({
    if (integrationAuth.accessExpiresAt < new Date()) {
      // access token is expired
      const refreshToken = await getIntegrationAuthRefreshHelper({
-        integrationAuthId,
+        integrationAuthId
      });
      accessToken = await exchangeRefresh({
        integrationAuth,
-        refreshToken,
+        refreshToken
      });
    }
  }
@ -248,13 +191,13 @@ export const getIntegrationAuthAccessHelper = async ({
      workspaceId: integrationAuth.workspace,
      ciphertext: integrationAuth.accessIdCiphertext as string,
      iv: integrationAuth.accessIdIV as string,
-      tag: integrationAuth.accessIdTag as string,
+      tag: integrationAuth.accessIdTag as string
    });
  }

  return {
    accessId,
-    accessToken,
+    accessToken
  };
 };

@ -268,7 +211,7 @@ export const getIntegrationAuthAccessHelper = async ({
 */
 export const setIntegrationAuthRefreshHelper = async ({
  integrationAuthId,
-  refreshToken,
+  refreshToken
 }: {
  integrationAuthId: string;
  refreshToken: string;
@ -279,22 +222,22 @@ export const setIntegrationAuthRefreshHelper = async ({

  const obj = await BotService.encryptSymmetric({
    workspaceId: integrationAuth.workspace,
-    plaintext: refreshToken,
+    plaintext: refreshToken
  });

  integrationAuth = await IntegrationAuth.findOneAndUpdate(
    {
-      _id: integrationAuthId,
+      _id: integrationAuthId
    },
    {
      refreshCiphertext: obj.ciphertext,
      refreshIV: obj.iv,
      refreshTag: obj.tag,
      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8,
+      keyEncoding: ENCODING_SCHEME_UTF8
    },
    {
-      new: true,
+      new: true
    }
  );

@ -314,7 +257,7 @@ export const setIntegrationAuthAccessHelper = async ({
  integrationAuthId,
  accessId,
  accessToken,
-  accessExpiresAt,
+  accessExpiresAt
 }: {
  integrationAuthId: string;
  accessId: string | null;
@ -327,20 +270,20 @@ export const setIntegrationAuthAccessHelper = async ({

  const encryptedAccessTokenObj = await BotService.encryptSymmetric({
    workspaceId: integrationAuth.workspace,
-    plaintext: accessToken,
+    plaintext: accessToken
  });

  let encryptedAccessIdObj;
  if (accessId) {
    encryptedAccessIdObj = await BotService.encryptSymmetric({
      workspaceId: integrationAuth.workspace,
-      plaintext: accessId,
+      plaintext: accessId
    });
  }

  integrationAuth = await IntegrationAuth.findOneAndUpdate(
    {
-      _id: integrationAuthId,
+      _id: integrationAuthId
    },
    {
      accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
@ -351,10 +294,10 @@ export const setIntegrationAuthAccessHelper = async ({
      accessTag: encryptedAccessTokenObj.tag,
      accessExpiresAt,
      algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8,
+      keyEncoding: ENCODING_SCHEME_UTF8
    },
    {
-      new: true,
+      new: true
    }
  );

--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -14,6 +14,9 @@ import {
  licenseKeyRequest,
  licenseServerKeyRequest,
 } from "../config/request";
+import {
+  createBotOrg
+} from "./botOrg";

 /**
 * Create an organization with name [name]
@ -29,6 +32,7 @@ export const createOrganization = async ({
  name: string;
  email: string;
 }) => {
+  
  const licenseServerKey = await getLicenseServerKey();
  let organization;
  
@ -52,6 +56,12 @@ export const createOrganization = async ({
    }).save();
  }

+  // initialize bot for organization
+  await createBotOrg({
+    name,
+    organizationId: organization._id
+  });
+
  return organization;
 };

@ -105,5 +115,5 @@ export const updateSubscriptionOrgQuantity = async ({
    );
  }

-  await EELicenseService.refreshPlan(organizationId);
+  await EELicenseService.refreshPlan(new Types.ObjectId(organizationId));
 };
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
@ -109,9 +109,9 @@ export const v1PushSecrets = async ({
    if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
      if (
        s.secretValueHash !==
-          newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue ||
+        newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue ||
        s.secretCommentHash !==
-          newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment
+        newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment
      ) {
        // case: filter secrets where value or comment changed
        return true;
@ -371,9 +371,9 @@ export const v2PushSecrets = async ({
    if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
      if (
        s.secretValueHash !==
-          newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash ||
+        newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash ||
        s.secretCommentHash !==
-          newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash
+        newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash
      ) {
        // case: filter secrets where value or comment changed
        return true;
@ -484,7 +484,7 @@ export const v2PushSecrets = async ({

    // (EE) add secret versions for new secrets
    EESecretService.addSecretVersions({
-      secretVersions: newSecrets.map((secretDocument: ISecret) => {
+      secretVersions: newSecrets.map((secretDocument) => {
        return new SecretVersion({
          ...secretDocument,
          secret: secretDocument._id,
--- a/backend/src/helpers/secrets.ts
+++ b/backend/src/helpers/secrets.ts
@ -13,7 +13,7 @@ import {
  SecretBlindIndexData,
  ServiceTokenData
 } from "../models";
-import { SecretVersion } from "../ee/models";
+import { EventType, SecretVersion } from "../ee/models";
 import {
  BadRequestError,
  InternalServerError,
@ -29,6 +29,7 @@ import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_BASE64,
  ENCODING_SCHEME_UTF8,
+  K8_USER_AGENT_NAME,
  SECRET_PERSONAL,
  SECRET_SHARED
 } from "../variables";
@ -40,10 +41,12 @@ import {
 } from "../utils/crypto";
 import { TelemetryService } from "../services";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
-import { EELogService, EESecretService } from "../ee/services";
+import { EEAuditLogService, EELogService, EESecretService } from "../ee/services";
 import { getAuthDataPayloadIdObj, getAuthDataPayloadUserObj } from "../utils/auth";
-import { getFolderIdFromServiceToken } from "../services/FolderService";
+import { getFolderByPath, getFolderIdFromServiceToken } from "../services/FolderService";
 import picomatch from "picomatch";
+import path from "path";
+import Folder, { TFolderRootSchema } from "../models/folder";

 export const isValidScope = (
  authPayload: IServiceTokenData,
@ -60,6 +63,12 @@ export const isValidScope = (
  return Boolean(validScope);
 };

+export function containsGlobPatterns(secretPath: string) {
+  const globChars = ["*", "?", "[", "]", "{", "}", "**"];
+  const normalizedPath = path.normalize(secretPath);
+  return globChars.some((char) => normalizedPath.includes(char));
+}
+
 /**
 * Returns an object containing secret [secret] but with its value, key, comment decrypted.
 *
@ -318,7 +327,8 @@ export const createSecretHelper = async ({
  secretCommentCiphertext,
  secretCommentIV,
  secretCommentTag,
-  secretPath = "/"
+  secretPath = "/",
+  metadata
 }: CreateSecretParams) => {
  const secretBlindIndex = await generateSecretBlindIndexHelper({
    secretName,
@ -338,6 +348,7 @@ export const createSecretHelper = async ({
    workspace: new Types.ObjectId(workspaceId),
    folder: folderId,
    type,
+    environment,
    ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
  });

@ -354,6 +365,7 @@ export const createSecretHelper = async ({
      secretBlindIndex,
      folder: folderId,
      workspace: new Types.ObjectId(workspaceId),
+      environment,
      type: SECRET_SHARED
    });

@ -382,7 +394,8 @@ export const createSecretHelper = async ({
    secretCommentTag,
    folder: folderId,
    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_UTF8
+    keyEncoding: ENCODING_SCHEME_UTF8,
+    metadata
  }).save();

  const secretVersion = new SecretVersion({
@ -423,10 +436,27 @@ export const createSecretHelper = async ({
      ...getAuthDataPayloadIdObj(authData),
      workspaceId,
      actions: [action],
-      channel: authData.authChannel,
-      ipAddress: authData.authIP
+      channel: authData.userAgentType,
+      ipAddress: authData.ipAddress
    }));

+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.CREATE_SECRET,
+      metadata: {
+        environment,
+        secretPath,
+        secretId: secret._id.toString(),
+        secretKey: secretName,
+        secretVersion: secret.version
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId,
@ -436,7 +466,7 @@ export const createSecretHelper = async ({

  const postHogClient = await TelemetryService.getPostHogClient();

-  if (postHogClient) {
+  if (postHogClient && metadata?.source !== "signup") {
    postHogClient.capture({
      event: "secrets added",
      distinctId: await TelemetryService.getDistinctId({
@ -447,8 +477,8 @@ export const createSecretHelper = async ({
        environment,
        workspaceId,
        folderId,
-        channel: authData.authChannel,
-        userAgent: authData.authUserAgent
+        channel: authData.userAgentType,
+        userAgent: authData.userAgent
      }
    });
  }
@ -518,27 +548,54 @@ export const getSecretsHelper = async ({
      ...getAuthDataPayloadIdObj(authData),
      workspaceId,
      actions: [action],
-      channel: authData.authChannel,
-      ipAddress: authData.authIP
+      channel: authData.userAgentType,
+      ipAddress: authData.ipAddress
    }));

+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.GET_SECRETS,
+      metadata: {
+        environment,
+        secretPath,
+        numberOfSecrets: secrets.length
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
  const postHogClient = await TelemetryService.getPostHogClient();

+  // reduce the number of events captured
+  let shouldRecordK8Event = false
+  if (authData instanceof ServiceTokenData && authData.userAgent == K8_USER_AGENT_NAME) {
+    const randomNumber = Math.random();
+    if (randomNumber > 0.9) {
+      shouldRecordK8Event = true
+    }
+  }
+
  if (postHogClient) {
-    postHogClient.capture({
-      event: "secrets pulled",
-      distinctId: await TelemetryService.getDistinctId({
-        authData
-      }),
-      properties: {
-        numberOfSecrets: secrets.length,
-        environment,
-        workspaceId,
-        folderId,
-        channel: authData.authChannel,
-        userAgent: authData.authUserAgent
-      }
-    });
+    const shouldCapture = authData.userAgent !== K8_USER_AGENT_NAME || shouldRecordK8Event;
+    const approximateForNoneCapturedEvents = secrets.length * 10
+
+    if (shouldCapture) {
+      postHogClient.capture({
+        event: "secrets pulled",
+        distinctId: await TelemetryService.getDistinctId({ authData }),
+        properties: {
+          numberOfSecrets: shouldRecordK8Event ? approximateForNoneCapturedEvents : secrets.length,
+          environment,
+          workspaceId,
+          folderId,
+          channel: authData.userAgentType,
+          userAgent: authData.userAgent
+        }
+      });
+    }
  }

  return secrets;
@ -612,10 +669,27 @@ export const getSecretHelper = async ({
      ...getAuthDataPayloadIdObj(authData),
      workspaceId,
      actions: [action],
-      channel: authData.authChannel,
-      ipAddress: authData.authIP
+      channel: authData.userAgentType,
+      ipAddress: authData.ipAddress
    }));

+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.GET_SECRET,
+      metadata: {
+        environment,
+        secretPath,
+        secretId: secret._id.toString(),
+        secretKey: secretName,
+        secretVersion: secret.version
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
  const postHogClient = await TelemetryService.getPostHogClient();

  if (postHogClient) {
@ -629,8 +703,8 @@ export const getSecretHelper = async ({
        environment,
        workspaceId,
        folderId,
-        channel: authData.authChannel,
-        userAgent: authData.authUserAgent
+        channel: authData.userAgentType,
+        userAgent: authData.userAgent
      }
    });
  }
@ -761,10 +835,27 @@ export const updateSecretHelper = async ({
      ...getAuthDataPayloadIdObj(authData),
      workspaceId,
      actions: [action],
-      channel: authData.authChannel,
-      ipAddress: authData.authIP
+      channel: authData.userAgentType,
+      ipAddress: authData.ipAddress
    }));

+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.UPDATE_SECRET,
+      metadata: {
+        environment,
+        secretPath,
+        secretId: secret._id.toString(),
+        secretKey: secretName,
+        secretVersion: secret.version
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId,
@ -785,8 +876,8 @@ export const updateSecretHelper = async ({
        environment,
        workspaceId,
        folderId,
-        channel: authData.authChannel,
-        userAgent: authData.authUserAgent
+        channel: authData.userAgentType,
+        userAgent: authData.userAgent
      }
    });
  }
@ -831,14 +922,14 @@ export const deleteSecretHelper = async ({
  if (type === SECRET_SHARED) {
    secrets = await Secret.find({
      secretBlindIndex,
-      workspaceId: new Types.ObjectId(workspaceId),
+      workspace: new Types.ObjectId(workspaceId),
      environment,
      folder: folderId
    }).lean();

    secret = await Secret.findOneAndDelete({
      secretBlindIndex,
-      workspaceId: new Types.ObjectId(workspaceId),
+      workspace: new Types.ObjectId(workspaceId),
      environment,
      type,
      folder: folderId
@ -854,7 +945,7 @@ export const deleteSecretHelper = async ({
    secret = await Secret.findOneAndDelete({
      secretBlindIndex,
      folder: folderId,
-      workspaceId: new Types.ObjectId(workspaceId),
+      workspace: new Types.ObjectId(workspaceId),
      environment,
      type,
      ...getAuthDataPayloadUserObj(authData)
@ -884,10 +975,27 @@ export const deleteSecretHelper = async ({
      ...getAuthDataPayloadIdObj(authData),
      workspaceId,
      actions: [action],
-      channel: authData.authChannel,
-      ipAddress: authData.authIP
+      channel: authData.userAgentType,
+      ipAddress: authData.ipAddress
    }));

+  await EEAuditLogService.createAuditLog(
+    authData,
+    {
+      type: EventType.DELETE_SECRET,
+      metadata: {
+        environment,
+        secretPath,
+        secretId: secret._id.toString(),
+        secretKey: secretName,
+        secretVersion: secret.version
+      }
+    },
+    {
+      workspaceId
+    }
+  );
+
  // (EE) take a secret snapshot
  await EESecretService.takeSecretSnapshot({
    workspaceId,
@ -908,8 +1016,8 @@ export const deleteSecretHelper = async ({
        environment,
        workspaceId,
        folderId,
-        channel: authData.authChannel,
-        userAgent: authData.authUserAgent
+        channel: authData.userAgentType,
+        userAgent: authData.userAgent
      }
    });
  }
@ -919,3 +1027,165 @@ export const deleteSecretHelper = async ({
    secret
  };
 };
+
+const fetchSecretsCrossEnv = (workspaceId: string, folders: TFolderRootSchema[], key: string) => {
+  const fetchCache: Record<string, Record<string, string>> = {};
+
+  return async (secRefEnv: string, secRefPath: string[], secRefKey: string) => {
+    const secRefPathUrl = path.join("/", ...secRefPath);
+    const uniqKey = `${secRefEnv}-${secRefPathUrl}`;
+
+    if (fetchCache?.[uniqKey]) {
+      return fetchCache[uniqKey][secRefKey];
+    }
+
+    let folderId = "root";
+    const folder = folders.find(({ environment }) => environment === secRefEnv);
+    if (!folder && secRefPathUrl !== "/") {
+      throw BadRequestError({ message: "Folder not found" });
+    }
+
+    if (folder) {
+      const selectedFolder = getFolderByPath(folder.nodes, secRefPathUrl);
+      if (!selectedFolder) {
+        throw BadRequestError({ message: "Folder not found" });
+      }
+      folderId = selectedFolder.id;
+    }
+
+    const secrets = await Secret.find({
+      workspace: workspaceId,
+      environment: secRefEnv,
+      type: SECRET_SHARED,
+      folder: folderId
+    });
+
+    const decryptedSec = secrets.reduce<Record<string, string>>((prev, secret) => {
+      const secretKey = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretKeyCiphertext,
+        iv: secret.secretKeyIV,
+        tag: secret.secretKeyTag,
+        key
+      });
+      const secretValue = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secret.secretValueCiphertext,
+        iv: secret.secretValueIV,
+        tag: secret.secretValueTag,
+        key
+      });
+
+      prev[secretKey] = secretValue;
+      return prev;
+    }, {});
+
+    fetchCache[uniqKey] = decryptedSec;
+
+    return fetchCache[uniqKey][secRefKey];
+  };
+};
+
+const INTERPOLATION_SYNTAX_REG = new RegExp(/\${([^}]+)}/g);
+const recursivelyExpandSecret = async (
+  expandedSec: Record<string, string>,
+  interpolatedSec: Record<string, string>,
+  fetchCrossEnv: (env: string, secPath: string[], secKey: string) => Promise<string>,
+  recursionChainBreaker: Record<string, boolean>,
+  key: string
+) => {
+  if (expandedSec?.[key]) {
+    return expandedSec[key];
+  }
+  if (recursionChainBreaker?.[key]) {
+    return "";
+  }
+  recursionChainBreaker[key] = true;
+
+  let interpolatedValue = interpolatedSec[key];
+  if (!interpolatedValue) {
+    console.error(`Couldn't find referenced value - ${key}`);
+    return "";
+  }
+
+  const refs = interpolatedValue.match(INTERPOLATION_SYNTAX_REG);
+  if (refs) {
+    for (const interpolationSyntax of refs) {
+      const interpolationKey = interpolationSyntax.slice(2, interpolationSyntax.length - 1);
+      const entities = interpolationKey.trim().split(".");
+
+      if (entities.length === 1) {
+        const val = await recursivelyExpandSecret(
+          expandedSec,
+          interpolatedSec,
+          fetchCrossEnv,
+          recursionChainBreaker,
+          interpolationKey
+        );
+        if (val) {
+          interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+        }
+        continue;
+      }
+
+      if (entities.length > 1) {
+        const secRefEnv = entities[0];
+        const secRefPath = entities.slice(1, entities.length - 1);
+        const secRefKey = entities[entities.length - 1];
+
+        const val = await fetchCrossEnv(secRefEnv, secRefPath, secRefKey);
+        interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
+      }
+    }
+  }
+
+  expandedSec[key] = interpolatedValue;
+  return interpolatedValue;
+};
+
+// used to convert multi line ones to quotes ones with \n
+const formatMultiValueEnv = (val?: string) => {
+  if (!val) return "";
+  if (!val.match("\n")) return val;
+  return `"${val.replace(/\n/g, "\\n")}"`;
+};
+
+export const expandSecrets = async (
+  workspaceId: string,
+  rootEncKey: string,
+  secrets: Record<string, { value: string; comment?: string }>
+) => {
+  const expandedSec: Record<string, string> = {};
+  const interpolatedSec: Record<string, string> = {};
+
+  const folders = await Folder.find({ workspace: workspaceId });
+  const crossSecEnvFetch = fetchSecretsCrossEnv(workspaceId, folders, rootEncKey);
+
+  Object.keys(secrets).forEach((key) => {
+    if (secrets[key].value.match(INTERPOLATION_SYNTAX_REG)) {
+      interpolatedSec[key] = secrets[key].value;
+    } else {
+      expandedSec[key] = secrets[key].value;
+    }
+  });
+
+  for (const key of Object.keys(secrets)) {
+    if (expandedSec?.[key]) {
+      secrets[key].value = formatMultiValueEnv(expandedSec[key]);
+      continue;
+    }
+
+    // this is to avoid recursion loop. So the graph should be direct graph rather than cyclic
+    // so for any recursion building if there is an entity two times same key meaning it will be looped
+    const recursionChainBreaker: Record<string, boolean> = {};
+    const expandedVal = await recursivelyExpandSecret(
+      expandedSec,
+      interpolatedSec,
+      crossSecEnvFetch,
+      recursionChainBreaker,
+      key
+    );
+
+    secrets[key].value = formatMultiValueEnv(expandedVal);
+  }
+
+  return secrets;
+};
--- a/backend/src/helpers/workspace.ts
+++ b/backend/src/helpers/workspace.ts
@ -1,3 +1,4 @@
+import { Types } from "mongoose";
 import {
 	Bot,
 	Key,
@ -5,6 +6,10 @@ import {
 	Secret,
 	Workspace,
 } from "../models";
+import {
+	IPType,
+	TrustedIP
+} from "../ee/models";
 import { createBot } from "../helpers/bot";
 import { EELicenseService } from "../ee/services";
 import { SecretService } from "../services";
@ -21,7 +26,7 @@ export const createWorkspace = async ({
 	organizationId,
 }: {
 	name: string;
-	organizationId: string;
+	organizationId: Types.ObjectId;
 }) => {
 	// create workspace
 	const workspace = await new Workspace({
@ -40,6 +45,26 @@ export const createWorkspace = async ({
 	await SecretService.createSecretBlindIndexData({
 		workspaceId: workspace._id,
 	});
+	
+	// initialize default trusted IPv4 CIDR - 0.0.0.0/0
+	await new TrustedIP({
+		workspace: workspace._id,
+		ipAddress: "0.0.0.0",
+		type: IPType.IPV4,
+		prefix: 0,
+		isActive: true,
+		comment: ""
+	}).save()
+	
+	// initialize default trusted IPv6 CIDR - ::/0
+	await new TrustedIP({
+		workspace: workspace._id,
+		ipAddress: "::",
+		type: IPType.IPV6,
+		prefix: 0,
+		isActive: true,
+		comment: ""
+	});

 	await EELicenseService.refreshPlan(organizationId);

--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -6,10 +6,11 @@ require("express-async-errors");
 import helmet from "helmet";
 import cors from "cors";
 import { DatabaseService } from "./services";
-import { EELicenseService } from "./ee/services";
+import { EELicenseService, GithubSecretScanningService } from "./ee/services";
 import { setUpHealthEndpoint } from "./services/health";
 import cookieParser from "cookie-parser";
 import swaggerUi = require("swagger-ui-express");
+import { Probot, createNodeMiddleware } from "probot";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const swaggerFile = require("../spec.json");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@ -18,9 +19,12 @@ import {
  action as eeActionRouter,
  cloudProducts as eeCloudProductsRouter,
  organizations as eeOrganizationsRouter,
+  sso as eeSSORouter,
  secret as eeSecretRouter,
  secretSnapshot as eeSecretSnapshotRouter,
+  users as eeUsersRouter,
  workspace as eeWorkspaceRouter,
+  secretScanning as v1SecretScanningRouter,
 } from "./ee/routes/v1";
 import {
  auth as v1AuthRouter,
@ -33,41 +37,47 @@ import {
  membership as v1MembershipRouter,
  organization as v1OrganizationRouter,
  password as v1PasswordRouter,
+  secretImport as v1SecretImportRouter,
  secret as v1SecretRouter,
  secretsFolder as v1SecretsFolder,
  serviceToken as v1ServiceTokenRouter,
  signup as v1SignupRouter,
  userAction as v1UserActionRouter,
  user as v1UserRouter,
-  workspace as v1WorkspaceRouter,
+  webhooks as v1WebhooksRouter,
+  workspace as v1WorkspaceRouter
 } from "./routes/v1";
 import {
-  signup as v2SignupRouter,
  auth as v2AuthRouter,
-  users as v2UsersRouter,
+  environment as v2EnvironmentRouter,
  organizations as v2OrganizationsRouter,
-  workspace as v2WorkspaceRouter,
  secret as v2SecretRouter, // begin to phase out
  secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
  serviceAccounts as v2ServiceAccountsRouter,
-  environment as v2EnvironmentRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  signup as v2SignupRouter,
  tags as v2TagsRouter,
+  users as v2UsersRouter,
+  workspace as v2WorkspaceRouter,
 } from "./routes/v2";
 import {
  auth as v3AuthRouter,
  secrets as v3SecretsRouter,
  signup as v3SignupRouter,
-  workspaces as v3WorkspacesRouter,
+  workspaces as v3WorkspacesRouter
 } from "./routes/v3";
 import { healthCheck } from "./routes/status";
 import { getLogger } from "./utils/logger";
 import { RouteNotFoundError } from "./utils/errors";
 import { requestErrorHandler } from "./middleware/requestErrorHandler";
-import { getNodeEnv, getPort, getSiteURL } from "./config";
+import { getNodeEnv, getPort, getSecretScanningGitAppId, getSecretScanningPrivateKey, getSecretScanningWebhookProxy, getSecretScanningWebhookSecret, getSiteURL } from "./config";
 import { setup } from "./utils/setup";
+import { syncSecretsToThirdPartyServices } from "./queues/integrations/syncSecretsToThirdPartyServices";
+import { githubPushEventSecretScan } from "./queues/secret-scanning/githubScanPushEvent";
+const SmeeClient = require('smee-client') // eslint-disable-line

 const main = async () => {
+
  await setup();

  await EELicenseService.initGlobalFeatureSet();
@ -75,14 +85,35 @@ const main = async () => {
  const app = express();
  app.enable("trust proxy");
  app.use(express.json());
+  app.use(express.urlencoded({ extended: false }));
  app.use(cookieParser());
  app.use(
    cors({
      credentials: true,
-      origin: await getSiteURL(),
+      origin: await getSiteURL()
    })
  );

+  if (await getSecretScanningGitAppId() && await getSecretScanningWebhookSecret() && await getSecretScanningPrivateKey()) {
+    const probot = new Probot({
+      appId: await getSecretScanningGitAppId(),
+      privateKey: await getSecretScanningPrivateKey(),
+      secret: await getSecretScanningWebhookSecret(),
+    });
+
+    if ((await getNodeEnv()) != "production") {
+      const smee = new SmeeClient({
+        source: await getSecretScanningWebhookProxy(),
+        target: "http://backend:4000/ss-webhook",
+        logger: console
+      })
+
+      smee.start()
+    }
+
+    app.use(createNodeMiddleware(GithubSecretScanningService, { probot, webhooksPath: "/ss-webhook" })); // secret scanning webhook
+  }
+
  if ((await getNodeEnv()) === "production") {
    // enable app-wide rate-limiting + helmet security
    // in production
@ -101,9 +132,11 @@ const main = async () => {
  // (EE) routes
  app.use("/api/v1/secret", eeSecretRouter);
  app.use("/api/v1/secret-snapshot", eeSecretSnapshotRouter);
+  app.use("/api/v1/users", eeUsersRouter);
  app.use("/api/v1/workspace", eeWorkspaceRouter);
  app.use("/api/v1/action", eeActionRouter);
  app.use("/api/v1/organizations", eeOrganizationsRouter);
+  app.use("/api/v1/sso", eeSSORouter);
  app.use("/api/v1/cloud-products", eeCloudProductsRouter);

  // v1 routes (default)
@ -124,6 +157,9 @@ const main = async () => {
  app.use("/api/v1/integration", v1IntegrationRouter);
  app.use("/api/v1/integration-auth", v1IntegrationAuthRouter);
  app.use("/api/v1/folders", v1SecretsFolder);
+  app.use("/api/v1/secret-scanning", v1SecretScanningRouter);
+  app.use("/api/v1/webhooks", v1WebhooksRouter);
+  app.use("/api/v1/secret-imports", v1SecretImportRouter);

  // v2 routes (improvements)
  app.use("/api/v2/signup", v2SignupRouter);
@ -155,7 +191,7 @@ const main = async () => {
    if (res.headersSent) return next();
    next(
      RouteNotFoundError({
-        message: `The requested source '(${req.method})${req.url}' was not found`,
+        message: `The requested source '(${req.method})${req.url}' was not found`
      })
    );
  });
@ -163,9 +199,7 @@ const main = async () => {
  app.use(requestErrorHandler);

  const server = app.listen(await getPort(), async () => {
-    (await getLogger("backend-main")).info(
-      `Server started listening at port ${await getPort()}`
-    );
+    (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`);
  });

  // await createTestUserForDevelopment();
@ -173,6 +207,8 @@ const main = async () => {

  server.on("close", async () => {
    await DatabaseService.closeDatabase();
+    syncSecretsToThirdPartyServices.close()
+    githubPushEventSecretScan.close()
  });

  return server;
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -1,16 +1,21 @@
-import { Octokit } from "@octokit/rest";
-import { IIntegrationAuth } from "../models";
-import { standardRequest } from "../config/request";
 import {
  INTEGRATION_AWS_PARAMETER_STORE,
  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_API_URL,
  INTEGRATION_CHECKLY,
  INTEGRATION_CHECKLY_API_URL,
  INTEGRATION_CIRCLECI,
  INTEGRATION_CIRCLECI_API_URL,
  INTEGRATION_CLOUDFLARE_PAGES,
  INTEGRATION_CLOUDFLARE_PAGES_API_URL,
+  INTEGRATION_CLOUD_66,
+  INTEGRATION_CLOUD_66_API_URL,
+  INTEGRATION_CODEFRESH,
+  INTEGRATION_CODEFRESH_API_URL,
+  INTEGRATION_DIGITAL_OCEAN_API_URL,
+  INTEGRATION_DIGITAL_OCEAN_APP_PLATFORM,
  INTEGRATION_FLYIO,
  INTEGRATION_FLYIO_API_URL,
  INTEGRATION_GITHUB,
@ -22,17 +27,27 @@ import {
  INTEGRATION_LARAVELFORGE_API_URL,
  INTEGRATION_NETLIFY,
  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_NORTHFLANK,
+  INTEGRATION_NORTHFLANK_API_URL,
  INTEGRATION_RAILWAY,
  INTEGRATION_RAILWAY_API_URL,
  INTEGRATION_RENDER,
  INTEGRATION_RENDER_API_URL,
  INTEGRATION_SUPABASE,
  INTEGRATION_SUPABASE_API_URL,
+  INTEGRATION_TEAMCITY,
+  INTEGRATION_TERRAFORM_CLOUD,
+  INTEGRATION_TERRAFORM_CLOUD_API_URL,
  INTEGRATION_TRAVISCI,
  INTEGRATION_TRAVISCI_API_URL,
  INTEGRATION_VERCEL,
  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_WINDMILL,
+  INTEGRATION_WINDMILL_API_URL,
 } from "../variables";
+import { IIntegrationAuth } from "../models";
+import { Octokit } from "@octokit/rest";
+import { standardRequest } from "../config/request";

 interface App {
  name: string;
@ -54,11 +69,13 @@ const getApps = async ({
  accessToken,
  accessId,
  teamId,
+  workspaceSlug,
 }: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
  accessId?: string;
  teamId?: string;
+  workspaceSlug?: string;
 }) => {
  let apps: App[] = [];
  switch (integrationAuth.integration) {
@ -124,11 +141,23 @@ const getApps = async ({
        serverId: accessId
      });
      break;
+    case INTEGRATION_TERRAFORM_CLOUD:
+      apps = await getAppsTerraformCloud({
+        accessToken,
+        workspacesId: accessId,
+      });
+      break;
    case INTEGRATION_TRAVISCI:
      apps = await getAppsTravisCI({
        accessToken,
      });
      break;
+    case INTEGRATION_TEAMCITY:
+      apps = await getAppsTeamCity({
+        integrationAuth,
+        accessToken,
+      });
+      break;
    case INTEGRATION_SUPABASE:
      apps = await getAppsSupabase({
        accessToken,
@ -143,7 +172,38 @@ const getApps = async ({
      apps = await getAppsCloudflarePages({
        accessToken,
        accountId: accessId
-      })
+      });
+      break;
+    case INTEGRATION_NORTHFLANK:
+      apps = await getAppsNorthflank({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_BITBUCKET:
+      apps = await getAppsBitBucket({
+        accessToken,
+        workspaceSlug
+      });
+      break;
+    case INTEGRATION_CODEFRESH:
+      apps = await getAppsCodefresh({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_WINDMILL:
+      apps = await getAppsWindmill({
+        accessToken
+      });
+      break;
+    case INTEGRATION_DIGITAL_OCEAN_APP_PLATFORM:
+      apps = await getAppsDigitalOceanAppPlatform({ 
+        accessToken 
+      });
+      break;
+    case INTEGRATION_CLOUD_66:
+      apps = await getAppsCloud66({
+        accessToken,
+      });
      break;
  }

@ -196,10 +256,10 @@ const getAppsVercel = async ({
      },
      ...(integrationAuth?.teamId
        ? {
-            params: {
-              teamId: integrationAuth.teamId,
-            },
-          }
+          params: {
+            teamId: integrationAuth.teamId,
+          },
+        }
        : {}),
    })
  ).data;
@ -532,6 +592,43 @@ const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
  return apps;
 };

+/**
+ * Return list of projects for Terraform Cloud integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Terraform Cloud API
+ * @param {String} obj.workspacesId - workspace id of Terraform Cloud projects
+ * @returns {Object[]} apps - names and ids of Terraform Cloud projects
+ * @returns {String} apps.name - name of Terraform Cloud projects
+ */
+const getAppsTerraformCloud = async ({ 
+  accessToken,
+  workspacesId
+}: {
+  accessToken: string;
+  workspacesId?: string;
+}) => {
+  const res = (
+    await standardRequest.get(`${INTEGRATION_TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${workspacesId}`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+      },
+    })
+  ).data.data;
+
+  const apps = []
+
+  const appsObj = {
+      name: res?.attributes.name,
+      appId: res?.id,
+  };
+
+  apps.push(appsObj)
+
+  return apps;
+};
+
+
 /**
 * Return list of repositories for GitLab integration
 * @param {Object} obj
@ -632,6 +729,39 @@ const getAppsGitlab = async ({
  return apps;
 };

+/**
+ * Return list of projects for TeamCity integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for TeamCity API
+ * @returns {Object[]} apps - names and ids of TeamCity projects
+ * @returns {String} apps.name - name of TeamCity projects
+ */
+const getAppsTeamCity = async ({ 
+  integrationAuth,
+  accessToken,
+}: {
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
+  const res = (
+    await standardRequest.get(`${integrationAuth.url}/app/rest/projects`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+      },
+    })
+  ).data.project.slice(1);
+
+  const apps = res.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+
+  return apps;
+};
+
 /**
 * Return list of projects for Supabase integration
 * @param {Object} obj
@ -695,15 +825,76 @@ const getAppsCheckly = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - Cloudflare Pages projects
 * @returns {String} apps.name - name of Cloudflare Pages project
 */
-const getAppsCloudflarePages = async ({ 
-    accessToken,
-    accountId
+const getAppsCloudflarePages = async ({
+  accessToken,
+  accountId
 }: {
-    accessToken: string;
-    accountId?: string;
+  accessToken: string;
+  accountId?: string;
 }) => {
-    const { data } = await standardRequest.get(
-        `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
+  );
+
+  const apps = data.result.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+  return apps;
+}
+
+/**
+ * Return list of repositories for the BitBucket integration based on provided BitBucket workspace
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for BitBucket API
+ * @param {String} obj.workspaceSlug - Workspace identifier for fetching BitBucket repositories
+ * @returns {Object[]} apps - BitBucket repositories
+ * @returns {String} apps.name - name of BitBucket repository
+ */
+const getAppsBitBucket = async ({ 
+  accessToken,
+  workspaceSlug,
+}: {
+  accessToken: string;
+  workspaceSlug?: string;
+}) => {
+  interface RepositoriesResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Repository>;
+  }
+
+  interface Repository {
+    type: string;
+    uuid: string;
+    name: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  if (!workspaceSlug) {
+    return []
+  }
+  
+  const repositories: Repository[] = [];
+  let hasNextPage = true;
+  let repositoriesUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/repositories/${workspaceSlug}`
+
+  while (hasNextPage) {
+    const { data }: { data: RepositoriesResponse } = await standardRequest.get(
+        repositoriesUrl,
        {
            headers: {
                Authorization: `Bearer ${accessToken}`,
@ -712,13 +903,290 @@ const getAppsCloudflarePages = async ({
        }
    );

-    const apps = data.result.map((a: any) => {
-        return {
-            name: a.name,
-            appId: a.id,
-        };
-    });
-    return apps;
+    if (data?.values.length > 0) {
+      data.values.forEach((repository) => {
+        repositories.push(repository)
+      })
+    }
+
+    if (data.next) {
+      repositoriesUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  const apps = repositories.map((repository) => {
+      return {
+          name: repository.name,
+          appId: repository.uuid,
+      };
+  });
+  return apps;
 }

+/** Return list of projects for Northflank integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Northflank API
+ * @returns {Object[]} apps - names of Northflank apps
+ * @returns {String} apps.name - name of Northflank app
+ */
+const getAppsNorthflank = async ({ accessToken }: { accessToken: string }) => {
+  const {
+    data: {
+      data: {
+        projects
+      }
+    }
+  } = await standardRequest.get(
+    `${INTEGRATION_NORTHFLANK_API_URL}/v1/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  const apps = projects.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id
+    };
+  });
+
+  return apps;
+};
+
+/**
+ * Return list of projects for Supabase integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Supabase API
+ * @returns {Object[]} apps - names of Supabase apps
+ * @returns {String} apps.name - name of Supabase app
+ */
+const getAppsCodefresh = async ({
+  accessToken,
+}: {
+  accessToken: string;
+}) => {
+  const res = (
+    await standardRequest.get(`${INTEGRATION_CODEFRESH_API_URL}/projects`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res.projects.map((a: any) => ({
+    name: a.projectName,
+    appId: a.id,
+  }));
+
+  return apps;
+
+};
+
+/**
+ * Return list of projects for Windmill integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Windmill API
+ * @returns {Object[]} apps - names of Windmill workspaces
+ * @returns {String} apps.name - name of Windmill workspace
+ */
+const getAppsWindmill = async ({ accessToken }: { accessToken: string }) => {
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_WINDMILL_API_URL}/workspaces/list`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+  
+  // check for write access of secrets in windmill workspaces
+  const writeAccessCheck = data.map(async (app: any) => {
+    try {
+      const userPath = "u/user/variable";
+      const folderPath = "f/folder/variable";
+
+      const { data: writeUser } = await standardRequest.post(
+        `${INTEGRATION_WINDMILL_API_URL}/w/${app.id}/variables/create`,
+        {
+          path: userPath,
+          value: "variable",
+          is_secret: true,
+          description: "variable description"
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      );
+
+      const { data: writeFolder } = await standardRequest.post(
+        `${INTEGRATION_WINDMILL_API_URL}/w/${app.id}/variables/create`,
+        {
+          path: folderPath,
+          value: "variable",
+          is_secret: true,
+          description: "variable description"
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      );
+      
+      // is write access is allowed then delete the created secrets from workspace
+      if (writeUser && writeFolder) {
+        await standardRequest.delete(
+        `${INTEGRATION_WINDMILL_API_URL}/w/${app.id}/variables/delete/${userPath}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+
+        await standardRequest.delete(
+        `${INTEGRATION_WINDMILL_API_URL}/w/${app.id}/variables/delete/${folderPath}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json",
+            },
+          }
+        );
+
+        return app;
+      } else {
+        return { error: "cannot write secret" };
+      }
+    } catch (err: any) {
+      return { error: err.message };
+    }
+  });
+
+  const appsWriteResponses = await Promise.all(writeAccessCheck);
+  const appsWithWriteAccess = appsWriteResponses.filter((appRes: any) => !appRes.error);
+  
+  const apps = appsWithWriteAccess.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+  
+  return apps;
+}
+
+/**
+ * Return list of applications for DigitalOcean App Platform integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - personal access token for DigitalOcean
+ * @returns {Object[]} apps - names of DigitalOcean apps
+ * @returns {String} apps.name - name of DigitalOcean app
+ * @returns {String} apps.appId - id of DigitalOcean app
+ */
+const getAppsDigitalOceanAppPlatform = async ({ accessToken }: { accessToken: string }) => {
+  interface DigitalOceanApp {
+    id: string;
+    owner_uuid: string;
+    spec: Spec;
+  }
+
+  interface Spec {
+    name: string;
+    region: string;
+    envs: Env[];
+  }
+
+  interface Env {
+    key: string;
+    value: string;
+    scope: string;
+  }
+  
+  const res = (
+    await standardRequest.get(`${INTEGRATION_DIGITAL_OCEAN_API_URL}/v2/apps`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
+    })
+  ).data;
+
+  return (res.apps ?? []).map((a: DigitalOceanApp) => ({
+    name: a.spec.name,
+    appId: a.id
+  }));
+}
+  
+/**
+ * Return list of applications for Cloud66 integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - personal access token for Cloud66 API
+ * @returns {Object[]} apps - Cloud66 apps
+ * @returns {String} apps.name - name of Cloud66 app
+ * @returns {String} apps.appId - uid of Cloud66 app
+ */
+const getAppsCloud66 = async ({ accessToken }: { accessToken: string }) => {
+  interface Cloud66Apps {
+    uid: string;
+    name: string;
+    account_id: number;
+    git: string;
+    git_branch: string;
+    environment: string;
+    cloud: string;
+    fqdn: string;
+    language: string;
+    framework: string;
+    status: number;
+    health: number;
+    last_activity: string;
+    last_activity_iso: string;
+    maintenance_mode: boolean;
+    has_loadbalancer: boolean;
+    created_at: string;
+    updated_at: string;
+    deploy_directory: string;
+    cloud_status: string;
+    backend: string;
+    version: string;
+    revision: string;
+    is_busy: boolean;
+    account_name: string;
+    is_cluster: boolean;
+    is_inside_cluster: boolean;
+    cluster_name: any;
+    application_address: string;
+    configstore_namespace: string;
+  }
+
+  const stacks = (
+    await standardRequest.get(`${INTEGRATION_CLOUD_66_API_URL}/3/stacks`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
+    })
+  ).data.response as Cloud66Apps[]
+
+  const apps = stacks.map((app) => ({
+    name: app.name,
+    appId: app.uid
+  }));
+
+  return apps;
+};
+
 export { getApps };
--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -2,6 +2,8 @@ import { standardRequest } from "../config/request";
 import {
  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_TOKEN_URL,
  INTEGRATION_GITHUB,
  INTEGRATION_GITHUB_TOKEN_URL,
  INTEGRATION_GITLAB,
@ -15,11 +17,13 @@ import {
 } from "../variables";
 import {
  getClientIdAzure,
+  getClientIdBitBucket,
  getClientIdGitHub,
  getClientIdGitLab,
  getClientIdNetlify,
  getClientIdVercel,
  getClientSecretAzure,
+  getClientSecretBitBucket,
  getClientSecretGitHub,
  getClientSecretGitLab,
  getClientSecretHeroku,
@ -78,6 +82,15 @@ interface ExchangeCodeGitlabResponse {
  created_at: number;
 }

+interface ExchangeCodeBitBucketResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scopes: string;
+  state: string;
+}
+
 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
 * code-token exchange for integration named [integration]
@ -129,6 +142,12 @@ const exchangeCode = async ({
      obj = await exchangeCodeGitlab({
        code,
      });
+      break;
+    case INTEGRATION_BITBUCKET:
+      obj = await exchangeCodeBitBucket({
+        code,
+      });
+      break;
  }

  return obj;
@ -347,4 +366,43 @@ const exchangeCodeGitlab = async ({ code }: { code: string }) => {
  };
 };

+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for BitBucket
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for BitBucket API
+ * @returns {String} obj2.refreshToken - refresh token for BitBucket API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeBitBucket = async ({ code }: { code: string }) => {
+  const accessExpiresAt = new Date();
+  const res: ExchangeCodeBitBucketResponse = (
+    await standardRequest.post(
+      INTEGRATION_BITBUCKET_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdBitBucket(),
+        client_secret: await getClientSecretBitBucket(),
+        redirect_uri: `${await getSiteURL()}/integrations/bitbucket/oauth2/callback`,
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data;
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt,
+  };
+};
+
 export { exchangeCode };
--- a/backend/src/integrations/index.ts
+++ b/backend/src/integrations/index.ts
@ -2,7 +2,6 @@ import { exchangeCode } from "./exchange";
 import { exchangeRefresh } from "./refresh";
 import { getApps } from "./apps";
 import { getTeams } from "./teams";
-import { syncSecrets } from "./sync";
 import { revokeAccess } from "./revoke";

 export {
@ -10,6 +9,5 @@ export {
    exchangeRefresh,
    getApps,
    getTeams,
-    syncSecrets,
    revokeAccess,
 }
--- a/backend/src/integrations/refresh.ts
+++ b/backend/src/integrations/refresh.ts
@ -2,6 +2,8 @@ import { standardRequest } from "../config/request";
 import { IIntegrationAuth } from "../models";
 import {
  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_TOKEN_URL,
  INTEGRATION_GITLAB,
  INTEGRATION_HEROKU,
 } from "../variables";
@ -13,8 +15,10 @@ import {
 import { IntegrationService } from "../services";
 import {
  getClientIdAzure,
+  getClientIdBitBucket,
  getClientIdGitLab,
  getClientSecretAzure,
+  getClientSecretBitBucket,
  getClientSecretGitLab,
  getClientSecretHeroku,
  getSiteURL,
@ -46,6 +50,15 @@ interface RefreshTokenGitLabResponse {
  created_at: number;
 }

+interface RefreshTokenBitBucketResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scopes: string;
+  state: string;
+}
+
 /**
 * Return new access token by exchanging refresh token [refreshToken] for integration
 * named [integration]
@ -83,6 +96,11 @@ const exchangeRefresh = async ({
        refreshToken,
      });
      break;
+    case INTEGRATION_BITBUCKET:
+      tokenDetails = await exchangeRefreshBitBucket({
+        refreshToken,
+      });
+      break;
    default:
      throw new Error("Failed to exchange token for incompatible integration");
  }
@ -218,4 +236,46 @@ const exchangeRefreshGitLab = async ({
  };
 };

+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * BitBucket integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for BitBucket
+ * @returns
+ */
+const exchangeRefreshBitBucket = async ({
+  refreshToken,
+}: {
+  refreshToken: string;
+}) => {
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenBitBucketResponse;
+  } = await standardRequest.post(
+    INTEGRATION_BITBUCKET_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: await getClientIdBitBucket(),
+      client_secret: await getClientSecretBitBucket(),
+      redirect_uri: `${await getSiteURL()}/integrations/bitbucket/oauth2/callback`,
+    } as any),
+    {
+      headers: {
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
+};
+
 export { exchangeRefresh };
--- a/backend/src/integrations/revoke.ts
+++ b/backend/src/integrations/revoke.ts
@ -18,7 +18,6 @@ const revokeAccess = async ({
  integrationAuth: IIntegrationAuth;
  accessToken: string;
 }) => {
-  let deletedIntegrationAuth;
  // add any integration-specific revocation logic
  switch (integrationAuth.integration) {
    case INTEGRATION_HEROKU:
@ -33,7 +32,7 @@ const revokeAccess = async ({
      break;
  }

-  deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+  const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
    _id: integrationAuth._id,
  });

--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
--- a/Show More
+++ b/Show More