Enable permissions for Snyk from your repo/Jira
In order to enable Snyk to find, monitor, fix and prevent, Snyk needs credentials to communicate with and send information to your repo.
Modern Gits grant various access rights by scoped authorization (auth) tokens to ensure that access to repo data and actions are managed. The various scopes associated to tokens grant specific ranges of action on repos.
snyk.io access rights to the Git repos are regulated by such Git access mechanisms and scopes. Therefore, you need to generate auth tokens or credentials for Snyk to perform tasks such as submitting fix pull requests or merge requests. Because tokens are generated by and associated to users (or accounts) that are then added as members of that given repo, the credentials must be generated from a user or service account that also has enough privileges to create the necessary webhooks and pull requests (usually admin-level).
Once you have generated a token, you set it only in the Broker configuration file during installation. Since the client runs from your private network, the credentials are never shared or sent to Snyk. Credentials (or tokens) never leave your network!
- read access on a repo to perform an initial test (Find) and recurring tests (Monitor).
Note that while *not* recommended, Snyk can function in read-only mode, but would then not able to offer Prevent and Fix functionality.
- write access on repo including webhooks to also perform pull request checks (Prevent—checking code whenever one of your developers submits a new pull request) and Pull Request creation (Fix and AutoFix—creating a pull request in order to apply a security fix). Snyk never writes directly to your repositories, but rather opens Pull Requests with suggested changes. Explicit approval of the Pull Request is always required before said suggestions are taken.
Assign permissions based on your integration as follows:
- GitHub/GitHub Enterprise—See GitHub documentation for assistance in creating the necessary token: https://github.com/settings/tokens
- Bitbucket server—Snyk needs to use the username and password credentials of a Bitbucket user in your organization. See Bitbucket documentation for assistance in creating a user with the necessary credentials: https://confluence.atlassian.com/bitbucket/grant-repository-access-to-users-and-groups-221449716.html
- GitLab—Snyk needs to use an access token with API scope. See GitLab documentation for assistance in creating an access token with the necessary credentials: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
- Jira—Snyk needs user credentials with API access. When installing the client, if you wish to authenticate with an API token, then provide the username (usually an email address) as the JIRA_USERNAME and the API token as the JIRA_PASSWORD in the command line arguments. See Jira documentation for assistance in creating a user with the necessary credentials: https://confluence.atlassian.com/cloud/api-tokens-938839638.html
To generate credentials for Snyk:
- Create the token or user account with the permissions for the specific integration, as described above.
- Copy and paste the credentials/token in a file on the desktop to use in the environment variables of the command line argument when you install the client: Install and configure the client.