Snyk Documentation

Enable permissions for Snyk from your repo/Jira

In order to enable Snyk to find, monitor, fix and prevent, Snyk needs credentials to communicate with and send information to your repo.

Modern Gits grant various access rights by scoped authorization (auth) tokens to ensure that access to repo data and actions are managed. The various scopes associated to tokens grant specific ranges of action on repos.

snyk.io access rights to the Git repos are regulated by such Git access mechanisms and scopes. Therefore, you need to generate auth tokens or credentials for Snyk to perform tasks such as submitting fix pull requests or merge requests. Because tokens are generated by and associated to users (or accounts) that are then added as members of that given repo, the credentials must be generated from a user or service account that also has enough privileges to create the necessary webhooks and pull requests (usually admin-level).

Once you have generated a token, you set it only in the Broker configuration file during installation. Since the client runs from your private network, the credentials are never shared or sent to Snyk. Credentials (or tokens) never leave your network!

Snyk requires:

  • read access on a repo to perform an initial test (Find) and recurring tests (Monitor).
    Note that while *not* recommended, Snyk can function in read-only mode, but would then not able to offer Prevent and Fix functionality.
  • write access on repo including webhooks to also perform pull request checks (Prevent—checking code whenever one of your developers submits a new pull request) and Pull Request creation (Fix and AutoFix—creating a pull request in order to apply a security fix). Snyk never writes directly to your repositories, but rather opens Pull Requests with suggested changes. Explicit approval of the Pull Request is always required before said suggestions are taken.

Assign permissions based on your integration as follows:

To generate credentials for Snyk:

  1. Create the token or user account with the permissions for the specific integration, as described above.
  2. Copy and paste the credentials/token in a file on the desktop to use in the environment variables of the command line argument when you install the client: Install and configure the client.