Detecting Kubernetes configuration files using a broker
If you are using a privately hosted Git repository, Snyk Broker can connect it with Snyk products. See the broker documentation for details.
This document describes the additional configuration required for Infrastructure as Code files.

Writing the configuration

You will need to grant the broker access to particular files in the repository. This requires specific API permissions, which differ slightly depending on which source control system you are using. The configuration below covers the file extensions “.yaml”, “.yml”, and “.json” (the rules also include “.tpl” template files), which allows the broker to access potential Kubernetes and CloudFormation files; adapt it as necessary. For example, you may wish to add rules for “.tf” files in order to scan Terraform HCL files.
  1. Find and download the appropriate accept.json sample file for your source control system from the Broker repository.
  2. Rename it to accept.json and add the rules below, appropriate to your SCM, to the private array in the JSON file.
  3. Follow the Configuring the broker instructions.

GitHub & GitHub Enterprise rules

{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*/*.yaml",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*%2F*.yaml",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*/*.yml",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*%2F*.yml",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*/*.json",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*%2F*.json",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*/*.tpl",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/repos/:name/:repo/contents/:path*%2F*.tpl",
  "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
},

Bitbucket rules

{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*/*.yaml",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*%2F*.yaml",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*/*.yml",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*%2F*.yml",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*/*.json",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*%2F*.json",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*/*.tpl",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/projects/:project/repos/:repo/browse*%2F*.tpl",
  "origin": "https://${BITBUCKET_API}",
  "auth": {
    "scheme": "basic",
    "username": "${BITBUCKET_USERNAME}",
    "password": "${BITBUCKET_PASSWORD}"
  }
},

GitLab rules

{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*/*.yaml",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*%2F*.yaml",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*/*.yml",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*%2F*.yml",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*/*.json",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*%2F*.json",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*/*.tpl",
  "origin": "https://${GITLAB}"
},
{
  "//": "used to determine Infrastructure as Code issues",
  "method": "GET",
  "path": "/api/v4/projects/:project/repository/files*%2F*.tpl",
  "origin": "https://${GITLAB}"
},

Azure Repo rules

{
  "public": [
    {
      "//": "used for pushing up webhooks from Azure",
      "method": "POST",
      "path": "/webhook/azure-repos/:webhookId"
    }
  ],
  "private": [
    {
      "//": "get list of projects for given organization",
      "method": "GET",
      "path": "/_apis/projects",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get specific repository for given organization",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get list of repositories for given organization",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get list of refs",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo/refs",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "search through repositories of given organization",
      "method": "GET",
      "path": "_apis/git/repositories",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "create hook",
      "method": "POST",
      "path": "/_apis/hooks/subscriptions",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "delete hook",
      "method": "DELETE",
      "path": "/_apis/hooks/subscriptions/:subscriptionId",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get file content. restrict by file types",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo/items",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "valid": [
        {
          "queryParam": "path",
          "values": [
            "**/package.json",
            "**%2Fpackage.json",
            "**/yarn.lock",
            "**%2Fyarn.lock",
            "**/package-lock.json",
            "**%2Fpackage-lock.json",
            "**/Gemfile",
            "**%2FGemfile",
            "**/Gemfile.lock",
            "**%2FGemfile.lock",
            "**/pom.xml",
            "**%2Fpom.xml",
            "**/*req*.txt",
            "**%2F*req*.txt",
            "**/requirements/*.txt",
            "**%2Frequirements%2F*.txt",
            "**/build.gradle",
            "**%2Fbuild.gradle",
            "**/gradle.lockfile",
            "**%2Fgradle.lockfile",
            "**/build.sbt",
            "**%2Fbuild.sbt",
            "**/.snyk",
            "**%2F.snyk",
            "**/packages.config",
            "**%2Fpackages.config",
            "**/*.csproj",
            "**%2F*.csproj",
            "**/*.vbproj",
            "**%2F*.vbproj",
            "**/*.fsproj",
            "**%2F*.fsproj",
            "**/project.json",
            "**%2Fproject.json",
            "**/Gopkg.toml",
            "**%2FGopkg.toml",
            "**/Gopkg.lock",
            "**%2FGopkg.lock",
            "**/vendor.json",
            "**%2Fvendor.json",
            "**/composer.lock",
            "**%2Fcomposer.lock",
            "**/composer.json",
            "**%2Fcomposer.json",
            "**/project.assets.json",
            "**%2Fproject.assets.json",
            "**/Podfile",
            "**%2FPodfile",
            "**/Podfile.lock",
            "**%2FPodfile.lock",
            "**/go.mod",
            "**%2Fgo.mod",
            "**/go.sum",
            "**%2Fgo.sum",
            "**/Dockerfile",
            "**%2FDockerfile"
          ]
        },
        {
          "queryParam": "recursionLevel",
          "values": ["none"]
        },
        {
          "queryParam": "download",
          "values": ["true"]
        },
        {
          "queryParam": "includeContent",
          "values": ["true"]
        }
      ],
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get list of files for given repository",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo/items",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "valid": [
        {
          "queryParam": "recursionLevel",
          "values": ["full"]
        },
        {
          "queryParam": "download",
          "values": ["false"]
        },
        {
          "queryParam": "includeContent",
          "values": ["false"]
        }
      ],
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "get list of commits for given repository",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo/commits",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "update status of given commit",
      "method": "POST",
      "path": "/:owner/_apis/git/repositories/:repo/commits/:commitId/statuses",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "update status of given pull request",
      "method": "POST",
      "path": "/:owner/_apis/git/repositories/:repo/pullRequests/:pullRef/statuses",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "find PR for given repository",
      "method": "GET",
      "path": "/:owner/_apis/git/repositories/:repo/pullrequests",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "create new PR in given repository",
      "method": "POST",
      "path": "/:owner/_apis/git/repositories/:repo/pullrequests",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "update existing PR in given repository",
      "method": "PATCH",
      "path": "/:owner/_apis/git/repositories/:repo/pullrequests/:pullRef",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "push new commit in given repository",
      "method": "POST",
      "path": "/:owner/_apis/git/repositories/:repo/pushes",
      "origin": "https://${AZURE_REPOS_HOST}/${AZURE_REPOS_ORG}",
      "auth": {
        "scheme": "basic",
        "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
      }
    },
    {
      "//": "used to redirect requests to snyk git client",
      "method": "any",
      "path": "/snykgit/*",
      "origin": "${GIT_CLIENT_URL}"
    }
  ]
}

Configuring the broker

The broker takes the path to the accept.json file (with the rules above added) in the ACCEPT environment variable. An example of passing it to the GitHub broker is shown below (note that every line of the command except the last ends with a backslash, so the ACCEPT line must carry one too).

docker run --restart=always \
  -p 8000:8000 \
  -e BROKER_TOKEN=secret-broker-token \
  -e GITHUB_TOKEN=secret-github-token \
  -e PORT=8000 \
  -e BROKER_CLIENT_URL=https://my.broker.client:8000 \
  -e ACCEPT=/private/accept.json \
  -v /local/path/to/private:/private \
  snyk/broker:github-com

Note that this gives Snyk the ability to query for any .yaml, .yml or .json file in the repository. If you would prefer to be stricter, you can alter the paths in the examples above to restrict them to certain projects or file layouts.
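Before deploying an edited accept.json it is worth checking, offline, exactly which requests the private rules will let through and whether any rule leaks a credential. The script below is an added example and is not part of the Snyk documentation or the broker project: it reproduces two of the GitHub rules from the page as a constructed sample, adds a hypothetical narrowed rule (only files under a k8s/ directory, as the note above suggests) and a hypothetical sloppy rule, and then (a) matches sample request paths against each rule set and (b) audits every rule for non-GET methods, bare trailing wildcards, and literal credentials in place of ${VAR} placeholders. The path matching is a simplified approximation of the broker's own matching (':param' matches one path segment, ':param*' and '*' match anything) and is an assumption of this example, not the broker's implementation.

```python
"""Offline review of a Snyk Broker accept.json allowlist (added example).

Not part of the Snyk documentation or the broker project. Path matching is a
simplified approximation of the broker's behaviour and is meant for reviewing
an allowlist before deployment, not as a reimplementation of the broker.
"""
import json
import re

# Constructed sample rule sets. BROAD_RULES reproduces two GitHub rules from the
# page; NARROW_RULES and SLOPPY_RULES are hypothetical and exist only to show
# the contrast a reviewer should look for.
BROAD_RULES = json.loads("""
[
  {"//": "used to determine Infrastructure as Code issues",
   "method": "GET",
   "path": "/repos/:name/:repo/contents/:path*/*.yaml",
   "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"},
  {"//": "used to determine Infrastructure as Code issues",
   "method": "GET",
   "path": "/repos/:name/:repo/contents/:path*%2F*.yaml",
   "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"}
]
""")

NARROW_RULES = json.loads("""
[
  {"//": "hypothetical: only manifests under the k8s/ directory",
   "method": "GET",
   "path": "/repos/:name/:repo/contents/k8s/*.yaml",
   "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"}
]
""")

SLOPPY_RULES = json.loads("""
[
  {"//": "hypothetical: the kind of rule a reviewer should reject",
   "method": "any",
   "path": "/repos/:name/:repo/contents/*",
   "origin": "https://not-a-real-token-placeholder@${GITHUB_API}"}
]
""")

# ':name' (one segment), ':name*' (any run of characters) or a bare '*'.
TOKEN = re.compile(r":[A-Za-z_]\w*\*|:[A-Za-z_]\w*|\*")
# Values in origin/auth must be environment placeholders, never literals.
PLACEHOLDER = re.compile(r"^\$\{[A-Z0-9_]+\}$")


def rule_to_regex(path_pattern: str) -> re.Pattern:
    """Translate a broker-style path pattern into an anchored regex (approximation)."""
    regex, pos = "", 0
    for m in TOKEN.finditer(path_pattern):
        regex += re.escape(path_pattern[pos:m.start()])   # literal text between tokens
        tok = m.group()
        regex += ".*" if tok.endswith("*") else "[^/]+"   # wildcard vs. single segment
        pos = m.end()
    regex += re.escape(path_pattern[pos:])
    return re.compile("^" + regex + "$")


def is_allowed(rules, method: str, request_path: str) -> bool:
    """True if at least one rule admits this method and path (query string ignored)."""
    path = request_path.split("?", 1)[0]
    return any(
        r["method"].upper() in (method.upper(), "ANY") and rule_to_regex(r["path"]).match(path)
        for r in rules
    )


def audit(rules) -> list:
    """Return review findings: write methods, bare wildcards, literal credentials."""
    findings = []
    for r in rules:
        label = f'{r["method"]} {r["path"]}'
        if r["method"].lower() != "get":
            findings.append(f"{label}: non-read-only method in an IaC rule")
        if r["path"].endswith("/*"):
            findings.append(f"{label}: trailing wildcard exposes every file under that path")
        for userinfo in re.findall(r"//([^@/]+)@", r.get("origin", "")):
            if not all(PLACEHOLDER.match(p) for p in userinfo.split(":")):
                findings.append(f"{label}: literal credential in origin; use a ${{VAR}} placeholder")
        for key in ("username", "password", "token"):
            value = r.get("auth", {}).get(key)
            if value is not None and not PLACEHOLDER.match(value):
                findings.append(f"{label}: auth.{key} is a literal, not a ${{VAR}} placeholder")
    return findings


if __name__ == "__main__":
    sample = "/repos/acme/shop/contents/deploy/app.yaml"
    for name, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES), ("sloppy", SLOPPY_RULES)):
        print(f"{name}: allows GET {sample}? {is_allowed(rules, 'GET', sample)}")
        for finding in audit(rules) or ["no findings"]:
            print(f"  {finding}")
```

Run it against your real file by replacing the constructed rule sets with `json.load(open("accept.json"))["private"]`; an empty audit list and the expected allow/deny answers for a handful of representative paths are a cheap pre-deployment check that the allowlist is as narrow as you intended.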