On Prem Solution
Snyk can be used with private source code management systems (SCMs) such as GitHub Enterprise installations via an applicative tunnel, referred to as the Snyk “broker”. A Snyk broker allows moderated access to a private SCM deployment, securly connecting Snyk to your locally managed code repositories. It keeps sensitive data such as your access tokens within the perimeter of your private network, while narrowing down SCM access to the bare minimum required for Snyk.
These instructions will get you up and running with a Snyk broker, allowing your private SCM to connect to Snyk.io.
Snyk broker currently supports the following SCMs:
- GitHub Enterprise
- Bitbucket Server
- On-premise Gitlab deployment
How it works
The Snyk broker is made up of two web servers that proxy requests over a secure web socket connection. The broker client runs within your network, in a location with connectivity to your private SCM. On start-up it establishes a secure web socket connection to a broker server running at https://broker.snyk.io. Requests from Snyk to your private SCM and web-hook initiated requests from your private SCM to Snyk are sent over this tunnel.
The broker client has a white list of allowed requests (expressed as a JSON file), ensuring that only requests which are required for Snyk to function are proxied. All other requests are dropped. Requests are filtered on both request path, and JSON body.
The default provided white list allows only the following requests:
- Snyk.io is only allowed to fetch dependency manifest files and the Snyk policy file. All other requests are dropped.
- SCM web-hooks are only allowed if they notify of a relevant event (push to branch, pull request opened), AND the event data includes a dependency manifest file or a Snyk policy file. All other web-hooks are dropped.
In order to use Snyk with your SCM, Snyk will first need to enable broker support for one of your Snyk organisations.
To request broker support, contact firstname.lastname@example.org with the name of the organisation that you’d like to connect to your SCM.
Each broker is identified by a UUID token. Once broker support has been enabled for your organisation, you can access your unique broker token on the organisation’s settings page. This token is private, and must not be shared.
In order to interact with your GitHub.com or GitHub Enterprise repositories, Snyk needs to use a personal access token with “repo” and “admin:repo_hook” scopes.
To create a GitHub personal access token:
- log in to your GitHub.com or GitHub Enterprise account
- navigate to “/settings/tokens” in your web browser. e.g. for GitHub.com, go to https://github.com/settings/tokens
- click on the “Generate new token” button
- enter a description for the token, and select the “repo” and “admin:repo_hook” scope
- click on the “Generate token” button
- securely save the token so that you can configure your broker client with it
This GitHub token must be provided to the broker client, which then identifies with it on requests as they are proxied from Snyk to your GitHub.com or GitHub Enterprise.
The GitHub token never leaves your network!
In order to interact with your Bitbucket Server repositories, Snyk needs to use the credentials of a Bitbucket user. The username and password must be provided to the broker client, which then identifies with these credentials on requests as they are proxied from Snyk to your Bitbucket Server deployment.
The Bitbucket Server credentials never leave your network!
In order to interact with your Gitlab projects, Snyk needs to use an access token with an
api scope. The access token must be provided to the broker client, which then identifies with these credentials on requests as they are proxied from Snyk to your Gitlab deployment.
The Gitlab access token never leaves your network!
The broker client is a web server which securely relays requests between Snyk’s servers and your repositories hosted on supported SCMs. It needs to run on a network which has both outbound internet access and access to your SCM.
The broker client is best installed as a docker image. See the Dockerhub page for further details on installing and configuring your broker client.
The broker is an open source project hosted at GitHub.
Once your broker client is up and running, you can connect you Snyk account to your SCM in a secure manner.
- Important: log out of https://snyk.io
- log back in to https://snyk.io
- select the organisation that you’re using with your broker
- navigate to the “Projects” page
- click on “Add Projects”
- you will be prompted to select the type of SCM - GitHub (for both GitHub.com or GitHub Enterprise) or Bitbucket Server, depending on your organisation’s settings
- if you choose GitHub, you will be prompted for GitHub.com permissions, which must be provided. This is required while the broker is in early-access, but this access is not used
- you should see repositories from your brokered SCM
If you do not see any repositories, you may need to click the “Refresh results” link.
If you see your GitHub.com repositories then log out, then log back in and try again.