TL;DR
GitHub paywalls what GitLab includes. Half the category has no SCIM at all.
DevOps tools hold your crown jewels - source code, CI/CD secrets, deployment credentials. You'd expect security fundamentals to be table stakes. They're not.
Same security need, wildly different economics. If you're evaluating, compare before you sign.
DevOps tools should know better
DevOps tools hold your most sensitive assets: source code, infrastructure configs, CI/CD secrets, deployment credentials. You'd expect security fundamentals like automated provisioning to be table stakes.
They're not.
In this category, one vendor's enterprise upsell is another's standard feature. Some vendors haven't built SCIM at all - including tools that literally scan your code for security vulnerabilities.
The result: when an engineer leaves, you're manually revoking access across GitHub, CircleCI, Terraform Cloud, Datadog, and PagerDuty. One by one. Hoping you don't miss anything before they clone something sensitive.
This inconsistency is part of a broader pattern. We analyzed 721 SaaS apps: 57% have no SCIM at any price, 42% lock it behind enterprise pricing. Only 9 apps (1.2%) include SCIM on their base tier. DevOps tools are worse than average - straddling all three categories with no consistency.
GitHub vs GitLab: Same feature, different economics
The starkest example is source code repositories - where the security stakes are highest.
| Tool | SCIM Status | What That Means |
|---|---|---|
| GitHub | Paywalled | Requires Enterprise Cloud with EMU - complex migration if you're already on standard Enterprise |
| GitLab | Included | Available on Premium tier |
| Bitbucket | Add-on | Requires Atlassian Guard (+$4/user/mo), and even then no group sync |
| Azure DevOps | None | Locked to Microsoft Entra ID - no standard SCIM at all |
GitHub and GitLab compete head-to-head for the same customers. One paywalls SCIM behind a complex enterprise migration. ("EMU required for true SCIM - complex migration from standard Enterprise," as one IT admin put it.) The other includes it on a standard paid tier.
This isn't a recommendation to switch - switching costs are real. But if you're evaluating today, ask about SCIM before you sign. You might be surprised what's included and what's not.
Half the category has nothing
Beyond source code repos, it gets worse. Most CI/CD and infrastructure tools haven't built SCIM at all.
| Tool | SCIM Status | What You're Left With |
|---|---|---|
| CircleCI | None | Limited Okta connector, no native SCIM |
| Jenkins | None | Open source, relies on SAML plugins |
| Terraform Cloud | None | SAML assertions only, no user lifecycle management |
| Datadog | Paywalled | Requires Pro or Enterprise |
| PagerDuty | Paywalled | Requires Business or Enterprise |
| Snyk | None | A security scanning tool with no automated user provisioning |
The Snyk situation is particularly absurd. A tool that scans your code for vulnerabilities can't automate its own user access. ("No SCIM despite being enterprise security tool," one IT admin noted.)
Your CI/CD pipeline has access to production. You can't automate who has access to your pipeline.
The cost of living with inconsistency
For a 500-person company with a typical 6-tool DevOps stack, manual provisioning costs ~$70K/year. Here's where that number comes from - per tool, per year:
| Cost Driver | Annual Cost |
|---|---|
| Orphaned accounts (7 ex-employees with lingering access) | — |
| Unused licenses (12 seats no one's using) | $3,925 |
| IT hours on manual provisioning (101 hours @ $60/hr) | $6,088 |
| Compliance gaps and audit exposure | $1,741 |
| Total per tool | ~$11,750 |
Multiply by 6 tools and you're at ~$70K/year - just to manage users manually.
Enterprise upgrades won't fully solve it either. Even if you upgrade GitHub, Datadog, and PagerDuty to enterprise tiers, that's ~$80K/year in upgrade premiums for 200 engineers - and you still have no SCIM for CircleCI, Jenkins, or Terraform Cloud. You're paying ~$80K for half your tools and still eating ~$35K in manual costs for the rest.
| Path | Annual Cost | Reality |
|---|---|---|
| Enterprise upgrades | ~$115K | ~$80K for upgrades + ~$35K manual for the tools without SCIM |
| Stay manual | ~$70K + risk | Orphaned accounts, compliance gaps, security exposure |
| Stitchflow | <$30K | Automation for all tools, including those without native SCIM |
Stitchflow provides SCIM-level automation for DevOps tools - including the ones that don't support it natively. Works with Okta or Entra.
If you're evaluating: compare before you commit.
If you're already committed: there's still a path to automation.
Frequently asked questions
Yes, but only on Enterprise Cloud with Enterprise Managed Users (EMU). Standard Enterprise organizations have limited SCIM. Migrating to EMU is complex if you're already on standard Enterprise.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.
