GitHub Enterprise source control
Feature availability
Scanning of self-managed source code, like GitHub Enterprise, is available with the Enterprise plan. See the Snyk plans and pricing page for more information.
Snyk's GitHub Enterprise integration lets you:
- Continuously perform security scanning across all the integrated repositories
- Detect vulnerabilities in your open source components
- Provide automated fixes and upgrades
Snyk recommends GitHub Enterprise integration for most customers with access to the feature, because this integration allows use of a single Personal Access Token (PAT) across an Organization, rather than a PAT tied to an individual user account. If you have access and have used GitHub integration, you can migrate to GitHub Enterprise integration. See Using GitHub or GitHub Enterprise integration for details.
The process to connect Snyk with your GitHub Enterprise repositories includes the following steps:
1. Create a dedicated service account in GitHub Enterprise, with write level or higher permissions for the repos you want to monitor with Snyk. See Required permissions scope for the GitHub integration for details.
2. Generate a personal access token for that account, with repo (all), admin:read:org, and admin:repo_hooks (read & write) permissions scope. See GitHub Enterprise documentation for details.
3. Authorize your personal access token and enable SSO:
   1. In Snyk, go to the Integrations page and click the GitHub Enterprise card.
   2. Enter your GitHub Enterprise URL and the personal access token (PAT) for the service account you created, then Save your changes. Snyk connects to your GitHub Enterprise instance. When the connection succeeds, the list of available repositories is displayed. Note: To use this integration with GitHub Enterprise Cloud, provide the following URL: https://api.github.com.
   3. If your GitHub Enterprise organization enforces SAML/SSO, select Configure SSO next to the PAT in GitHub once the PAT has been created. Note: Occasionally SSO is enforced in your GitHub Enterprise organizations after a PAT and Integration are configured. If this happens, any Projects that have already been imported show in Snyk, but retests, PR Checks, and so on are not performed. In that case, check the Configure SSO settings to ensure that the GitHub Enterprise organization is Authorized. On occasion, an organization shows as Authorized, but the retests and PR checks still do not work. If this happens, de-authorizing the organization and then re-authorizing it may help.
4. Select the repositories you want to import to Snyk and click Add selected repositories.
Snyk starts scanning the selected repositories for dependency files (such as package.json) in the entire directory tree and imports them to Snyk as Projects.
The imported Projects appear on your Projects page and are continuously checked for vulnerabilities.
Add selected repositories
```bash
# Snyk Broker client for GitHub Enterprise. Replace the placeholder tokens and
# hostnames with your own values; the tokens are secrets and should not be committed.
docker run --restart=always \
  -p 8000:8000 \
  -e BROKER_TOKEN=secret-broker-token \
  -e GITHUB_TOKEN=secret-github-token \
  -e GITHUB=your.ghe.domain.com \
  -e GITHUB_API=your.ghe.domain.com/api/v3 \
  -e GITHUB_GRAPHQL=your.ghe.domain.com/api \
  -e PORT=8000 \
  -e BROKER_CLIENT_URL=http://my.broker.client:8000 \
  snyk/broker:github-enterprise
```
After the integration is set up, you can use the following capabilities:
Snyk produces advanced security reports, allowing you to explore the vulnerabilities found in your repositories and fix them by opening a fix pull request directly to your repository, with the required upgrades or patches.
The example that follows shows a project-level security report.

Project-level security report
Snyk scans your projects on either a daily or a weekly basis. When new vulnerabilities are found, Snyk notifies you by email and opens an automated pull request with fixes for your repositories.
The example that follows shows a fix pull request opened by Snyk:

Fix pull request created by Snyk
To review and update the automatic fix pull request settings:
1. In Snyk, go to Settings > Integrations > Source control > GitHub Enterprise, and select Edit Settings.
2. Scroll to the Automatic fix pull requests section, select Enable automatic fix pull requests for all projects in this organization, optionally choose Include patches to vulnerable dependencies, and select Update settings.
Automatic pull requests settings
Snyk tests any newly created pull requests in your repositories for security vulnerabilities and sends a status check to GitHub Enterprise. This allows you to see, directly from GitHub Enterprise, whether the pull request introduces new security issues.
The example that follows shows how Snyk pull request checks appear on the GitHub Enterprise Pull Request page.

Pull request checks shown in GitHub Enterprise
To review and adjust the pull request tests settings:
1. In Snyk, go to Organization Settings > Integrations > Source control > GitHub Enterprise, and select Edit Settings.
2. Scroll to Default Snyk test for pull requests.

Default Snyk test for pull requests setting enabled
All operations, whether triggered manually or automatically, are performed as the GitHub service account whose token is configured on the integration settings page. The following table shows the access scopes that token requires:
| Action | Purpose | Required permissions in GitHub |
| --- | --- | --- |
| Daily / weekly tests | Used to read manifest files in private repos | repo (all) |
| Manual fix pull requests (triggered by the user) | Used to create fix PRs in the monitored repos | repo (all) |
| Automatic fix and upgrade pull requests | Used to create fix or upgrade PRs in the monitored repos | repo (all) |
| Snyk tests on pull requests | Used to send pull request status checks whenever a new PR is created or an existing PR is updated | repo (all) |
| Importing new Projects to Snyk | Used to present a list of all the available repos in the GitHub org in the Add Projects screen (import popup) | admin:read:org, repo (all) |
| Snyk tests on pull requests - initial configuration | Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to: | admin:repo_hooks (read & write) |
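To confirm that the service account's PAT carries the scopes in the table above, and nothing broader, the following added example (not Snyk's code or tooling) reads the X-OAuth-Scopes header that GitHub returns for classic tokens. It assumes the page's labels admin:read:org and admin:repo_hooks correspond to GitHub's scope strings read:org and admin:repo_hook, and it accounts for parent scopes such as admin:org implying narrower ones.

```python
"""Check a GitHub Enterprise service-account PAT against the scopes Snyk needs.

Assumed mapping of the page's labels to GitHub scope strings (as seen in the
X-OAuth-Scopes response header of classic tokens):
  repo (all) -> "repo", admin:read:org -> "read:org",
  admin:repo_hooks (read & write) -> "admin:repo_hook"
"""
import urllib.request

REQUIRED_SCOPES = {"repo", "read:org", "admin:repo_hook"}

# Parent scopes that imply narrower child scopes on GitHub.
IMPLIED = {
    "admin:org": {"read:org", "write:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}


def parse_scope_header(value):
    """Parse 'repo, read:org' into a set; an empty header (e.g. fine-grained token) -> empty set."""
    return {s.strip() for s in value.split(",") if s.strip()}


def expand_scopes(granted):
    """Return the granted scopes plus every scope they imply, transitively."""
    result = set(granted)
    pending = list(result)
    while pending:
        for child in IMPLIED.get(pending.pop(), set()):
            if child not in result:
                result.add(child)
                pending.append(child)
    return result


def check_scopes(granted, required=REQUIRED_SCOPES):
    """Return (missing, excess): scopes Snyk still lacks, and direct grants beyond the required set."""
    missing = set(required) - expand_scopes(granted)
    excess = set(granted) - set(required)
    return missing, excess


def fetch_token_scopes(api_base, token):
    """Call GET /user on the GHE API (e.g. https://your.ghe.domain.com/api/v3) and return granted scopes."""
    req = urllib.request.Request(
        api_base.rstrip("/") + "/user",
        headers={"Authorization": "token " + token, "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scope_header(resp.headers.get("X-OAuth-Scopes", ""))
```

A non-empty `excess` set (for example delete_repo or admin:org) means the token is broader than the table requires and should be re-issued with the minimal scopes.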