Snyk Broker introduction
Snyk Broker is designed to connect Snyk products to self-hosted integrations that are not publicly accessible from the internet. Snyk Broker also allows you to do the following:
- Control Snyk access to your network, by limiting the files to which Snyk has access and the actions that Snyk can perform.
- Manage a fixed private IP for your integration, targeting the Broker.
Snyk Broker has a Server and a Client, components that are the same across all base integrations:
Figure: Snyk Broker WebSocket initiated by the Client over HTTPS
All data, both in transit and at rest, is encrypted. Communication between the Client and the Server takes place over a secure WebSocket connection. There is no need to open incoming ports since the communication is initiated outbound. Once the connection is initiated, the WebSocket connection is bi-directional.
- There is no direct inbound connection from Snyk to the Broker Client. The Broker Client makes an outbound connection to https://broker.snyk.io, which establishes a WebSocket connection to allow communication with the Broker Server. Thus there is no need to allowlist a Snyk IP address; instead you can allow the Broker Client IP/port.
- The Broker Client initiates the outbound connection to establish the WebSocket. After the WebSocket connection initiated by the Broker Client is established, Snyk can send inbound requests to the Broker Client via the WebSocket. Thus you do not need to allow inbound connections to the Broker Client from Snyk-specific IP addresses or other external IP addresses.
The Broker Client maintains an approved data list for inbound and outbound data requests. Only requests included in this approved list are allowed.
The default approved list limits requests as follows:
- Inbound: For Snyk Open Source, Snyk.io is allowed to fetch and view only dependency manifest files and the .snyk policy file. No other source code is viewed, extracted, or modified. Additional .snyk files may be checked in to support the Snyk patch mechanism and for any ignore instructions included in your vulnerability policy. Snyk Code and Snyk IaC need access to the entire repository. For more information see How Snyk handles your data.
- Outbound: Git repo webhooks are set when you configure your Broker Client setup, to enable automatic Snyk scans triggered when new pull requests or merge events are submitted by your developers. Webhook notifications are delivered to Snyk via the Broker Client only for events relevant to Snyk actions (push to branch, pull request opened), and only when the event data also includes a dependency manifest file or a .
Because of the limitations of the default approved list, if you are interested in scanning Infrastructure as Code files with the Snyk Broker, you must add and configure an accept.json file in your Broker deployment.
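As an added illustration, not taken from this page or from Snyk's shipped defaults, the accept.json fragment below shows the shape of such an allowlist for a GitHub integration: each private rule names the HTTP method Snyk may use, a path pattern on the Git server API, and the origin the Broker Client forwards the request to, while the public rule covers webhook traffic flowing the other way. The GITHUB_TOKEN and GITHUB_API variable names and the exact path patterns are assumptions based on the GitHub flavour of the Broker Client; compare them with the default accept.json shipped for your own integration before deploying.

```json
{
  "private": [
    {
      "//": "default-style rule: Snyk may read a dependency manifest at any depth in the repository",
      "method": "GET",
      "path": "/repos/:name/:repo/contents/:path*/package.json",
      "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
    },
    {
      "//": "default-style rule: the .snyk policy file",
      "method": "GET",
      "path": "/repos/:name/:repo/contents/:path*/.snyk",
      "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
    },
    {
      "//": "added for Snyk IaC: Terraform files (assumed pattern; add one rule per IaC file type you want scanned)",
      "method": "GET",
      "path": "/repos/:name/:repo/contents/:path*/*.tf",
      "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}"
    }
  ],
  "public": [
    {
      "//": "webhook events from the Git server, forwarded to Snyk through the Broker Client",
      "method": "any",
      "path": "/*"
    }
  ]
}
```

Any request from Snyk whose method and path do not match a private rule is rejected by the Broker Client, so widening access for IaC scanning means adding rules for exactly the file types you want scanned rather than opening the whole repository.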
To use Snyk Open Source with Snyk Broker, you need only the Broker Server and the Broker Client components.
To use other Snyk products with Snyk Broker, you need to add an additional component or configuration, and add parameters to the Broker Client setup:
Snyk Broker currently integrates with these Git repository systems:
- How often is Snyk Broker updated? Snyk Broker is updated any time there are new features available and when there are fixes.
- How often is Snyk Broker checked for vulnerabilities? The Snyk Broker application and images are tested daily for vulnerabilities.
- What is the SLA to fix vulnerabilities? There is a 14-day SLA for fixing high vulnerabilities and a five-day SLA for fixing critical vulnerabilities in public images.