GitHub Server App
When you want to add new integrations to your Snyk account, you must first decide the level at which you want to install the integration.
Group level - Add integrations to your Snyk application that will be available for your Snyk Essentials. If you want to set up integrations for Snyk Essentials, use the Integrations menu at the Group level.
Organization level - Add integrations for your Snyk application that will be available for all Snyk products, except Snyk Essentials or Snyk AppRisk.
Organization level - Snyk integration
Feature availability
The GitHub Server App is available only for Enterprise plans.
This feature supports self-hosted instances of GitHub and Snyk Universal Broker.
Prerequisites for the GitHub Server App
A self-hosted instance of GitHub
Snyk Organization Admin user role
GitHub organization Admin user role
A public or private GitHub repository
GitHub Server App benefits
The Snyk GitHub Server App improves on many features compared to the Snyk GitHub Enterprise integration, including role-based granular access control, increased API rate limits, and the creation of an entry point for expanded and enhanced developer experiences.
RBAC (Role-Based Access Control) Compliance:
With the GitHub Server App, the access control mechanism is decoupled from individual user accounts. Instead, it is associated with the app entity itself. This separation allows for better management and enforcement of RBAC policies, as access control is handled at the application level rather than being tied to individual user accounts.
Granular access control:
The GitHub Server App allows for fine-grained control over access permissions at the repository level.
Increased API rate limit:
The GitHub Server App provides higher rate limits, allowing Snyk to make a larger number of API requests. This increased limit will assist in handling large-scale use cases, such as monorepos with a large number of Projects, GitHub organizations with a large number of repositories, and more.
Enabler for an enhanced developer experience:
Pull request checks: The Checks tab experience in GitHub is exclusively accessible through the GitHub Cloud App, enabling an SCM native experience as part of potential future PR check workflow improvements.
Fix and upgrade pull requests: Pull requests initiated by Snyk are performed directly by the GitHub App rather than a service account.
Set up the GitHub Server App
When setting up the GitHub Server App, you can implement only one of the following scenarios:
One GitHub organization connected to one Snyk Organization
One GitHub organization connected to multiple Snyk Organizations
In the Snyk UI navigate to the integrations page and select the GitHub Server App tile.
Clicking on the tile opens a modal that allows you to enter the URL of your GitHub Server. Entering the URL of your GitHub Server instance will redirect you to your GitHub instance, where you will be able to create the app.
You are then asked to authorize the app to act on your users' behalf. The app uses this information to check which GitHub organizations you are authorized to install the app in.
When the install screen in GitHub opens, you can select the GitHub organization where you wish to install the app.
If the GitHub Server App is already installed in a GitHub organization on your GitHub instance, you can select that same GitHub organization during the integration process for a different Snyk Organization.
Specify whether you wish to install the app in all or a select number of the repositories belonging to the selected GitHub organization, then click Install & Authorize.
The GitHub Server App will lose access to Snyk if it is uninstalled from the GitHub organization. If this happens, you can create a fresh integration in Snyk to regain access.
Migrate from an existing GitHub Enterprise integration
If you are an Enterprise plan customer, you can migrate Snyk Targets to the GitHub Server App using the snyk-migrate-to-github-app tool in the tool repository.
Set up the GitHub Server App for Universal Broker
If your GithHub server is not publicly available, you can provide access to it through the Universal Broker, a proxy deployed in your internal network to facilitate outbound connections and communication with Snyk.
The setup process for Universal Broker involves:
Create a GitHub App for Universal Broker
To use the GitHub Server App with Universal Broker you must create your own GitHub App on your GitHub Server instance. You can do this by using the predefined GITHUB-SERVER-URL that follows and includes all the required permissions for Snyk services:
Replace the following in the URL above:
{{GITHUB-SERVER-URL}}: Replace this with the base URL of your GitHub Server instance.{{SNYK-ENV}}: Replace this with the tenacy of your Snyk account. This value needs to be URL encoded; the most common are listed below:Snyk US-01: https%3A%2F%2Fapp.snyk.io
Snyk EU: https%3A%2F%2Fapp.eu.snyk.io
Snyk AU: https%3A%2F%2Fapp.au.snyk.io
Snyk US-02: https%3A%2F%2Fapp.us.snyk.io
After the values are replaced, navigate to that URL. This will take you to the app creation screen in your GitHub Server instance with all the required details pre-filled. Afterward, scroll to the end of the page and click on the Create GitHub App button, ensuring that the Any account radio button is selected.
On creation of your GitHub Server App you will see aClientId and AppId - store these safely as these are your app's credentials and should be treated as secrets.
After creating your GitHub Server App you will see a banner at the top of the page prompting you to create a private key. Click on it and create a private key for your app.
Generating a private key will initiate a download of a .pem file; this should be treated as a secret and kept safe.
Your GitHub Server App is now ready to be installed against repositories in your Snyk Organization. You can scroll to the top of the same page and select Install App from the left-hand panel. Choose the newly created app and click on the Install button to the right.
Choose where you want to install the app in your GitHub organization. It can be installed against specific repositories, or all of them in your GitHub organization.
If you select to install the app on a subset of repositories in your GitHub organization, the app will work only in those repositories. You can edit where the app is installed by returning to this screen at a later date if you want to add it to additional repositories
On installation of the app you will be assigned an InstallationID. These are the final numbers in the URL of the page. Make a note of that number, as you will need it to set up a Universal Broker connection.
Create the Universal Broker connection for your GitHub Server App
Before the GitHub Server App can be used with the Universal Broker, you must create a connection of the github-server-app type using the snyk-broker-config tool. For more details, see the Universal Broker documentation. After the connection is created, it can be integrated with one or more Organization(s) of your choice.
To set up the integration you will need the following:
The base API address for your Snyk region; refer to the list of API URLs for Snyk regional hosting.
The Snyk Organization ID you want to set up the integration in.
A valid Snyk API token.
snyk-broker-configtool installedTenant Admin role
When you have these prerequisites, use the following commands
snyk-broker-config workflows connections create,choosing thegithub-server-appoption and providing the information you are prompted for in the workflow.snyk-broker-config workflows connections integrateto integrate the newly created connection to the Organization of your choice, pasting the org ID when you are prompted.
Visit the integrations page in Snyk to see that the integration has been configured.
See the Universal Broker documentation for more details.
How to disconnect a non-brokered GitHub Server App integration
Disconnecting the Snyk GitHub Server App integration halts all scans for imported repositories. PR checks cannot be executed and Projects are deactivated in the Snyk Web UI.
Note that the GitHub App will remain listed on your GitHub organization until removed manually.
Navigate to the Snyk GitHub Server App integration Settings.
At the bottom of the page, select Remove GitHub Server App.
When the confirmation modal opens, select Disconnect GitHub Server App.
After the integration is disconnected, imported Snyk Projects will be set to inactive, and you will no longer get alerts, pull requests, or Snyk tests on pull requests.
You can re-connect anytime; however, re-initiating the Snyk Projects for monitoring requires setting up the integration again.
How to disconnect a brokered GitHub Server App integration
Disconnecting the Snyk GitHub Server App integration halts all scans for imported repositories. PR checks cannot be executed and Projects are deactivated in the Snyk Web UI.
Note that the GitHub App will remain listed on your GitHub organization until the app is removed manually.
Run snyk-broker-config workflows connections disconnectand select the connection you want to disconnect.
After the integration is disconnected, imported Snyk Projects will be set to inactive, and you will no longer get alerts, pull requests, or Snyk tests on pull requests.
You can re-connect anytime; however, re-initiating the Snyk Projects for monitoring requires setting up the integration again.
Last updated
Was this helpful?
