Snyk Documentation

Snyk GitHub integrations—required permissions and roles

There are two ways to integrate Snyk with GitHub, either via our Broker, or directly. Our Broker enables organizations to integrate from within their private network. This article describes the permissions needed for direct integration (when Broker is not implemented).

Permissions for configuring the integration

The first user in a Snyk organization (a Snyk admin account user) is asked to authenticate with GitHub and to authorize Snyk as an Authorized OAuth App before they and the other users in their organization add any projects to Snyk. Once the initial admin user authenticates, the GitHub integration is configured automatically.

Permissions for authenticating users when they join the Snyk organization

When a second user logs into the same organization in Snyk, they can see the projects that were added by the first user (monitoring). They can also trigger a retest to view the most up-to-date results and to enable monitoring from the new user's account, as this uses the credentials of any user related to the project who has the correct permissions.

Permissions for ongoing use of Snyk with GitHub

In addition to monitoring, all users can also open fix pull requests with the Snyk automated features. To enable this, they should authenticate their integration with Snyk when prompted and they should have write permissions on the repository with which they are working.

Summary of permissions needed for integration with GitHub

| Action | Minimum permissions required in GitHub per repo | Minimum Snyk role |
| --- | --- | --- |
| Initial configuration for integration with the Snyk organization and authentication | Read | Admin |
| Daily / weekly test - monitoring configuration | Read | Admin |
| Prevent: Snyk test on pull requests - configuration | Admin in order to add the webhook | Admin |
| Automatic fix and automatic upgrade pull requests - configuration | Write | Admin |
| Authentication and integration for any regular user in the Snyk organization | Read | Any member of the organization |
| Manually trigger Snyk to create a fix pull request | Write | Any |
| Daily / weekly test - monitoring; Snyk test on pull requests | Read | Any - works automatically in the background once configured by the admin |
| Re-test - manually triggered | Read | Any |