Snyk GitHub integrations—required permissions and roles
There are two ways to integrate Snyk with GitHub: via our Broker or directly. Our Broker enables organizations to integrate from within their private network. This article describes the permissions needed for direct integration (when Broker is not implemented).
Permissions for configuring the integration
The first user in a Snyk organization (a Snyk admin account user) is asked to authenticate with GitHub and to authorize Snyk as an Authorized OAuth App before they and the other users in their organization add any projects to Snyk. Once the initial admin user authenticates, the GitHub integration is configured automatically.
Permissions for authenticating users when they join the Snyk organization
When a second user logs into the same organization in Snyk, they can see the projects that were added by the first user (monitoring). They can also trigger a retest to view the most up-to-date results and enable monitoring from their own account, because Snyk uses the credentials of any user related to the project who has the correct permissions.
Permissions for ongoing use of Snyk with GitHub
In addition to monitoring, all users can also open fix pull requests with the Snyk automated features. To enable this, they should authenticate their integration with Snyk when prompted, and they should have write permissions on the repository they are working with.
Summary of permissions needed for integration with GitHub
| Action | Minimum permissions required in GitHub per repo | Minimum Snyk role |
|---|---|---|
| Initial configuration for integration with the Snyk organization and authentication | Read | Admin |
| Daily / weekly test - monitoring configuration | Read | Admin |
| Prevent: Snyk test on pull requests - configuration | Admin in order to add the webhook | Admin |
| Automatic fix and automatic upgrade pull requests - configuration | Write | Admin |
| Authentication and integration for any regular user in the Snyk organization | Read | Any member of the organization |
| Manually trigger Snyk to create a fix pull request | Write | Any |
| Daily / weekly test - monitoring; Snyk test on pull requests | Read | Any - works automatically in the background once configured by the admin |
| Re-test - manually triggered | Read | Any |
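
As an added illustration (not Snyk's code), the sketch below checks the summary table's minimums against the `permissions` object that GitHub's REST API returns for a repository, and flags accounts holding more GitHub access than their intended actions need. The action labels, the `member`/`admin` role names, the treatment of "Any" as any organization member, and the sample repositories are assumptions made for the example.

```python
# Added example: preflight check of the summary table against GitHub repo permissions.
# Rows mirror the summary table: action -> (min GitHub permission, min Snyk role).
# Assumption: "Any" in the table is modelled as the lowest role, "member".
REQUIREMENTS = {
    "initial configuration and authentication": ("read", "admin"),
    "monitoring configuration": ("read", "admin"),
    "PR test configuration (adds webhook)": ("admin", "admin"),
    "automatic fix/upgrade PR configuration": ("write", "admin"),
    "regular user authentication": ("read", "member"),
    "manual fix pull request": ("write", "member"),
    "monitoring and PR tests": ("read", "member"),
    "manual re-test": ("read", "member"),
}
GITHUB_LEVELS = ["none", "read", "write", "admin"]  # ordered: higher implies lower
SNYK_ROLES = ["member", "admin"]

def github_level(permissions):
    """Collapse GitHub's REST `permissions` object to none/read/write/admin."""
    if permissions.get("admin"):
        return "admin"
    if permissions.get("push"):
        return "write"
    if permissions.get("pull"):
        return "read"
    return "none"

def blocked_actions(permissions, snyk_role):
    """Return {action: reason} for every table row this user cannot perform."""
    have = GITHUB_LEVELS.index(github_level(permissions))
    role = SNYK_ROLES.index(snyk_role)
    blocked = {}
    for action, (need_gh, need_role) in REQUIREMENTS.items():
        reasons = []
        if have < GITHUB_LEVELS.index(need_gh):
            reasons.append(f"needs GitHub {need_gh}")
        if role < SNYK_ROLES.index(need_role):
            reasons.append(f"needs Snyk {need_role}")
        if reasons:
            blocked[action] = ", ".join(reasons)
    return blocked

def excess_privilege(permissions, intended_actions):
    """Least-privilege check: True if GitHub access exceeds what the actions need."""
    needed = max(GITHUB_LEVELS.index(REQUIREMENTS[a][0]) for a in intended_actions)
    return GITHUB_LEVELS.index(github_level(permissions)) > needed

# Constructed sample: `permissions` objects shaped like GitHub's repository API output.
SAMPLE = {
    "acme/web": {"admin": False, "push": True, "pull": True},
    "acme/infra": {"admin": True, "push": True, "pull": True},
}
if __name__ == "__main__":
    for repo, perms in SAMPLE.items():
        print(repo, github_level(perms), blocked_actions(perms, "admin"))
```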