GitHub - install and configure using Docker
Follow the instructions on this page to set up GitHub with Snyk Broker. This integration is useful to ensure a secure connection with your on-premise or cloud GitHub deployment.
Prerequisites
Ask your Snyk account team to provide you with a Broker token.
You must configure a GitHub service account token with the required permissions. All operations, both those triggered from the Snyk Web UI and the automatic ones, are performed using the GitHub service account whose token is configured with the Broker.
You need Docker or a way to run Docker Linux containers. Some Docker deployments for Windows run only Windows containers. Ensure that your deployment is capable of running Linux containers.
To use the Snyk Broker Client with GitHub, run
docker pull snyk/broker:github-com
Refer to GitHub - environment variables for Snyk Broker for definitions of the environment variables. If necessary, go to the Advanced configuration page and make any configuration changes needed, such as providing the CA (Certificate Authority) to the Broker Client configuration if the GitHub instance uses a private certificate, and setting up proxy support. See also Adding custom accept.json for Docker installation.
Copy the following command to set up a fully configured Broker Client to analyze Open Source, IaC, Container, and Code files (with the Code Agent).
docker run --restart=always \
-p 8000:8000 \
-e BROKER_TOKEN=<secret-broker-token> \
-e GITHUB_TOKEN=<secret-github-token> \
-e PORT=8000 \
-e BROKER_CLIENT_URL=<http://broker.url.example:8000 (dns/IP:port)> \
-e ACCEPT_IAC=tf,yaml,yml,json,tpl \
-e ACCEPT_CODE=true \
snyk/broker:github-com
As an alternative to the docker run command, you can use a derived Docker image to set up the Broker Client integration. See Derived Docker images for the environment variables to override for the GitHub integration.
Paste the Broker Client configuration to start the Broker Client container.
Once the container is up, the GitHub Integrations page shows the connection to GitHub and you can Add Projects.
One reason that opening Fix/Upgrade PRs, or running PR and recurring tests, may fail is fetching big manifest files (> 1Mb). To address this issue, whitelist an additional Blob API endpoint in accept.json. The rule belongs in the private array:
{
  "//": "used to get given manifest file",
  "method": "GET",
  "path": "/repos/:owner/:repo/git/blobs/:sha",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
}
To ensure the maximum possible security, Snyk does not enable this rule by default: because the path does not include specific allowed file names, this endpoint theoretically lets the Snyk platform access all files in the repository.
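As an added example (not part of the Snyk documentation or the Broker code), the following Python script merges the rule above into a parsed accept.json exactly once, so re-running it never duplicates the entry, and then lists the private GET rules whose path is not pinned to a literal file name, which is the property the page flags for the blob endpoint. The sample accept.json is constructed here and is far shorter than the file shipped with the image; the `private`/`public` layout it assumes and the `unpinned_paths` heuristic are assumptions of this example, not Snyk's own check.

```python
import copy
import json

# The Blob API rule quoted on this page; it must land in the "private" array.
BLOB_RULE = {
    "//": "used to get given manifest file",
    "method": "GET",
    "path": "/repos/:owner/:repo/git/blobs/:sha",
    "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}",
}

# Constructed sample accept.json (assumption: a "private"/"public" layout).
# The real file shipped with the image contains many more rules.
SAMPLE_ACCEPT = {
    "private": [
        {
            "//": "used to check access to the repo",
            "method": "GET",
            "path": "/repos/:owner/:repo",
            "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}",
        },
        {
            "//": "used to get package.json",
            "method": "GET",
            "path": "/repos/:owner/:repo/contents/:path*/package.json",
            "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}",
        },
    ],
    "public": [],
}
SAMPLE_ACCEPT_JSON = json.dumps(SAMPLE_ACCEPT, indent=2)


def has_rule(accept, rule):
    """True if a private rule with the same method and path already exists."""
    return any(
        r.get("method") == rule["method"] and r.get("path") == rule["path"]
        for r in accept.get("private", [])
    )


def add_blob_rule(accept, rule=BLOB_RULE):
    """Return a copy of the parsed accept.json with the rule appended to
    "private" exactly once; calling it again leaves the result unchanged."""
    updated = copy.deepcopy(accept)
    updated.setdefault("private", [])
    if not has_rule(updated, rule):
        updated["private"].append(copy.deepcopy(rule))
    return updated


def unpinned_paths(accept):
    """Paths of private GET rules whose last path segment is a parameter or
    wildcard rather than a literal file name. Such rules are not limited to
    named files, which is the exposure the page describes for the blob
    endpoint. This is a heuristic (an assumption of this example): review
    each hit, since some such paths, e.g. repo metadata, return no file
    content at all."""
    hits = []
    for r in accept.get("private", []):
        if r.get("method") != "GET":
            continue
        last = r.get("path", "").rstrip("/").rsplit("/", 1)[-1]
        if last.startswith(":") or "*" in last:
            hits.append(r["path"])
    return hits


def merge_blob_rule(accept_text):
    """Load accept.json text, add the blob rule, and return the new text."""
    return json.dumps(add_blob_rule(json.loads(accept_text)), indent=2)


if __name__ == "__main__":
    merged = add_blob_rule(SAMPLE_ACCEPT)
    print("private rules after merge:", len(merged["private"]))
    for path in unpinned_paths(merged):
        print("not pinned to a file name:", path)
```

Run it against a copy of your customised accept.json before mounting it into the container; the list it prints is the set of rules worth a second look when you decide whether the wider blob access is acceptable for your repositories.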
- Run docker logs <container id> to look for any errors, where <container id> is the GitHub Broker container ID.
- Ensure relevant ports are exposed to GitHub.