SCM integrations and Snyk Broker

If your SCM instance is not publicly accessible, you need Snyk Broker. You can install and configure your Snyk Broker using Docker or Helm. For more information about Snyk Broker, see the Snyk Broker documentation, including Using Snyk Essentials wtih Snyk Broker.

Enable the Snyk Essentials flag in your Snyk Broker deployment environment before running the commands.

You can find on GitHub all the updated .json files that include the allowed list of accessible endpoints for the integrations.

Integrated SCM tokens for classic Broker

An integrated SCM token is required for Broker client setup. It is used in the -e <SCM>_TOKEN parameter, for example, -e GITHUB_TOKEN=xxx…, to enable access to the SCM. These meet certain permissions needed for the operation of Broker and Snyk Code.

An integrated SCM token can be generated for the following SCM integrations:

GitHub and GitHub Enterprise SCM token

Format: GITHUB_TOKEN= - a GitHub personal access token.
Scopes: repo, read:org and admin:repo_hook.

GitLab SCM token

Format: GITLAB_TOKEN= - a GitLab personal access token.
Scopes: api.

GitLab account with Maintainer permission.

Azure Repositories (TFS) SCM token

Format: AZURE_REPOS_TOKEN= - an Azure Repos personal access token.
Scopes: Custom defined, Code: Read & write.

Bitbucket Server/Data Center SCM token

Format: BITBUCKET_USERNAME=, BITBUCKET_PASSWORD= – the Bitbucket Server username and password or a Bitbucket Server personal access token.
Scope: Repository admin.

GitHub Cloud App for Universal Broker

If your GitHub Cloud server is not publicly available, you can provide access to it through the Universal Broker, a proxy deployed in your internal network to facilitate outbound connections and communication with Snyk.

The setup process for Universal Broker involves:

Create a GitHub App for Universal Broker

To use the GitHub Cloud App with Universal Broker, you must create your own GitHub App on your GitHub Cloud instance.

Copy the following URL and paste it into a text editor.

https://github.com/settings/apps/new?name=Snyk&description=Snyk%20helps%20you%20develop%20fast%20while%20staying%20secure%20by%20finding%20and%20automatically%20fixing%20security%20issues%20in%20your%20code%2C%20open%20source%20dependencies%2C%20containers%2C%20and%20infrastructure%20as%20code%20-%20all%20powered%20by%20Snyk%E2%80%99s%20security%20intelligence.&url=https%3A%2F%2Fgithub.com%2Fapps%2Fsnyk-io&public=false&webhook_active=true&webhook_url={{SNYK-ENV}}%2Fapi%2Fhidden%2Fscm-apps%2Fapi%2Fgithub-app%2Fwebhook&checks=write&statuses=write&contents=write&metadata=read&repository_projects=write&pull_requests=write&repository_hooks=write&members=read&events[]=repository

Replace {{SNYK-ENV}} in the URL with the region for your Snyk account. This value needs to be URL encoded; the most common are listed below:

Snyk US-01: https%3A%2F%2Fapp.snyk.io
Snyk US-02: https%3A%2F%2Fapp.us.snyk.io
Snyk EU: https%3A%2F%2Fapp.eu.snyk.io
Snyk AU: https%3A%2F%2Fapp.au.snyk.io

After the value is replaced, navigate to that URL in your browser. This will take you to the app creation screen in your GitHub Cloud instance with all the required details pre-filled.
Scroll to the end of the page. Ensure that Any account is selected, and then click Create GitHub App.
Make a note of the ClientId and AppId. Store these safely and treat them as secrets. You must enter these credentials when you create the Universal Broker connection to your GitHub Cloud app.
Click the generate a private key link. This initiates the download of a .pem file. Store this file safely and treat it as a secret. You must enter the path to this file when you create the Universal Broker connection to your GitHub Cloud app. Your GitHub Cloud App is now ready to be installed in repositories in your Snyk Organization.
Scroll to the top of the page and click Install App on the navigation panel. Click the Install button for your app.
Choose where you want to install the app in your GitHub organization. It can be installed in specific repositories or all of them.

If you choose to install the app only in specific repositories, the app works only in those repositories. You can return to this screen and edit where the app is installed if you want to add it to additional repositories.

Copy the InstallationID. These are the numbers at the end of the page URL. You must enter it when you create the Universal Broker connection to your GitHub Cloud app. For example, if the page URL is https://github.com/settings/installations/12345678, the InstallationID is 12345678.

Create the Universal Broker connection for your GitHub Cloud App

Before the GitHub Cloud App can be used with the Universal Broker, you must create a connection of the github-cloud-app type using the snyk-broker-config tool. For more details, see the Universal Broker documentation. After the connection is created, it can be integrated with one or more Organizations of your choice.

Prerequisites

Tenant Admin role
Your Tenant ID
The base API address for your Snyk region. Refer to the list of API URLs for Snyk regional hosting.
A valid Snyk API token
snyk-broker-config tool installed
The ClientId, AppId, InstallationID and .pem file for your app
The Organization ID for the Organization you want to integrate the connection with

Create the connection and integrate it with your Organizations

Run the snyk-broker-config workflows connections create command. Choose the github-cloud-app option and provide the information you are prompted for in the workflow.
Run snyk-broker-config workflows connections integrate to integrate the newly created connection to the Organization of your choice. Enter the Organization ID when you are prompted.

Visit the integrations page in Snyk to verify that the integration has been configured.

See the Universal Broker documentation for more details.

GitHub Server App for Universal Broker

If your GitHub server is not publicly available, you can provide access to it through the Universal Broker, a proxy deployed in your internal network to facilitate outbound connections and communication with Snyk.

The setup process for Universal Broker involves:

Create a GitHub App for Universal Broker

To use the GitHub Server App with Universal Broker you must create your own GitHub App on your GitHub Server instance.

Copy the following URL and paste it into a text editor.

{{GITHUB-SERVER-URL}}/settings/apps/new?name=Snyk&description=Snyk%20helps%20you%20develop%20fast%20while%20staying%20secure%20by%20finding%20and%20automatically%20fixing%20security%20issues%20in%20your%20code%2C%20open%20source%20dependencies%2C%20containers%2C%20and%20infrastructure%20as%20code%20-%20all%20powered%20by%20Snyk%E2%80%99s%20security%20intelligence.&url=https%3A%2F%2Fgithub.com%2Fapps%2Fsnyk-io&public=false&webhook_active=true&webhook_url={{SNYK-ENV}}%2Fapi%2Fhidden%2Fscm-apps%2Fapi%2Fgithub-app%2Fwebhook&checks=write&statuses=write&contents=write&metadata=read&pull_requests=write&repository_hooks=write&members=read&events[]=repository

Replace the following in the URL:

{{GITHUB-SERVER-URL}}: Replace this with the base URL of your GitHub Server instance.
{{SNYK-ENV}}: Replace this with the region for your Snyk account. This value needs to be URL encoded; the most common are listed below:
- Snyk US-01: https%3A%2F%2Fapp.snyk.io
- Snyk EU: https%3A%2F%2Fapp.eu.snyk.io
- Snyk AU: https%3A%2F%2Fapp.au.snyk.io
- Snyk US-02: https%3A%2F%2Fapp.us.snyk.io

After these values are replaced, navigate to that URL in your browser. This will take you to the app creation screen in your GitHub Server instance with all the required details pre-filled.
Scroll to the end of the page. Ensure that Any account is selected, and then click Create GitHub App.
Make a note of the ClientId and AppId. Store these safely and treat them as secrets. You must enter these credentials when you create the Universal Broker connection to your GitHub Server app.
Click the generate a private key link. This initiates the download of a .pem file. Store this file safely and treat it as a secret. You must enter the path to this file when you create the Universal Broker connection to your GitHub Server app. Your GitHub Server App is now ready to be installed in repositories in your Snyk Organization.
Scroll to the top of the page and click Install App on the navigation panel. Click the Install button for your app.
Choose where you want to install the app in your GitHub organization. It can be installed in specific repositories or all of them.

Copy the InstallationID. These are the numbers at the end of the page URL. You must enter it when you create the Universal Broker connection to your GitHub Server app. For example, if the page URL is https://github.com/settings/installations/12345678, the InstallationID is 12345678.

Create the Universal Broker connection for your GitHub Server App

Before the GitHub Server App can be used with the Universal Broker, you must create a connection of the github-server-app type using the snyk-broker-config tool. For more details, see the Universal Broker documentation. After the connection is created, it can be integrated with one or more Organization(s) of your choice.

Prerequisites

The base API address for your Snyk region; refer to the list of API URLs for Snyk regional hosting.
A valid Snyk API token
snyk-broker-config tool installed
Tenant Admin role
The ClientId, AppId, InstallationID and .pem file for your app
The Organization ID for the Organization you want to integrate the connection with

Create the connection and integrate it with your Organizations

Run the snyk-broker-config workflows connections create command. Choose the github-server-app option and provide the information you are prompted for in the workflow.
Run snyk-broker-config workflows connections integrate to integrate the newly created connection to the Organization of your choice. Enter the Organization ID when you are prompted.

Visit the integrations page in Snyk to see that the integration has been configured.

See the Universal Broker documentation for more details.

PreviousBackstage file in Asset Inventory - use case NextSnyk CLI

Last updated 14 days ago

Was this helpful?

hashtagIntegrated SCM tokens for classic Broker

hashtagGitHub and GitHub Enterprise SCM token

hashtagGitLab SCM token

hashtagAzure Repositories (TFS) SCM token

hashtagBitbucket Server/Data Center SCM token

hashtagGitHub Cloud App for Universal Broker

hashtagCreate a GitHub App for Universal Broker

hashtagCreate the Universal Broker connection for your GitHub Cloud App

hashtagPrerequisites

hashtagCreate the connection and integrate it with your Organizations

hashtagGitHub Server App for Universal Broker

hashtagCreate a GitHub App for Universal Broker

hashtagCreate the Universal Broker connection for your GitHub Server App

hashtagPrerequisites

hashtagCreate the connection and integrate it with your Organizations

Integrated SCM tokens for classic Broker

GitHub and GitHub Enterprise SCM token

GitLab SCM token

Azure Repositories (TFS) SCM token

Bitbucket Server/Data Center SCM token

GitHub Cloud App for Universal Broker

Create a GitHub App for Universal Broker

Create the Universal Broker connection for your GitHub Cloud App

Prerequisites

Create the connection and integrate it with your Organizations

GitHub Server App for Universal Broker

Create a GitHub App for Universal Broker

Create the Universal Broker connection for your GitHub Server App

Prerequisites

Create the connection and integrate it with your Organizations