Snyk SCM Integrations

You can integrate Snyk with your Git repository to quickly and easily gain visibility across all the Snyk Projects that you add to your Projects list.

Snyk Source Control Manager (SCM) integrations allow you to:

  • Continuously perform security scanning across all integrated repositories

  • Detect vulnerabilities in your open-source components

  • Provide automated fixes

Snyk can integrate with the following SCMs to help you track, monitor, and fix the issues and vulnerabilities in your code:

Snyk Git repository cloning

This feature is in Early Access for GitHub, GitHub Enterprise, GitLab, Bitbucket Server, Bitbucket Cloud App, Bitbucket Cloud (Legacy), and Azure Repos integrations.

Git repository cloning enables Snyk to ingest a temporary snapshot of repository contents, and all commit metadata through your configured SCM integrations.

For detailed information on this feature, including enablement steps, see Git repository cloning for SCM integrations.

Deployment order recommendations

If you try to implement all the SCM integration features at the same time, you risk causing friction in your software development life cycle (SDLC), which in turn leads to a poor developer experience.

To ensure a smooth rollout of Snyk across your organization, Snyk provides a suggested deployment timeline consisting of deployment stages, configuration steps, and the desired outcome for each stage.

For detailed steps, see Deployment recommendations for SCM integrations.

User permissions and access scope requirements

Snyk SCM integrations have different permission requirements depending on the connection method.

See the following for detailed permission requirements:

GitHub and GitHub Enterprise permission requirements

For information about token permissions in a brokered integration, see GitHub - prerequisites and steps to install and configure Broker.

The Snyk GitHub Enterprise integration is bound to a single user, preferably a GitHub service account. The level of access for the integration is defined by the combination of the user's permissions in GitHub and the access defined for the Personal Access Token (PAT) on that user's account. If the PAT is defined with more permission than the user's GitHub account, the integration will not be able to use that permission.

The following table details the access scopes required in GitHub for Personal Access Tokens (PAT) and the scopes required for Snyk to perform the required operations on monitored repositories, such as reading manifest files on a frequent basis and opening fix or upgrade PRs. GitHub custom roles are not supported.

A fine-grained PAT requires additional repository access scopes:

  • Administration: Read-only

  • Commit Status: Read and write

  • Content: Read and write

  • Metadata: Read-only

  • Pull requests: Read and write

  • Webhooks: Read and write

  • Members access: Read-only (Organization access scope)

Snyk uses PRs to tell GitHub Enterprise that a merge is to occur. To do this, the changed content is pushed into a branch, which requires the content: write scope. A separate call is then made to create the fix PR, which requires the pull request: write scope. GitHub Enterprise is then instructed to create a PR that merges the change branch into the default branch.
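The passage above makes two points worth checking mechanically when a service account is provisioned: the integration's effective access is the intersection of the PAT grant and the user's own GitHub permission on each scope, and anything granted beyond the listed scopes is unused surface. The following added example (not Snyk's code or a GitHub API call) models that with constructed permission maps; the scope names and levels are illustrative labels taken from the list above, not GitHub API field names.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered access levels so that min() gives the effective permission."""
    NONE = 0
    READ = 1
    WRITE = 2


# Fine-grained PAT scopes the page lists as required (repository scopes plus the
# organization-level "members" scope). Labels are illustrative, not API names.
REQUIRED = {
    "administration": Level.READ,
    "commit_status": Level.WRITE,
    "contents": Level.WRITE,
    "metadata": Level.READ,
    "pull_requests": Level.WRITE,
    "webhooks": Level.WRITE,
    "members": Level.READ,
}


def effective_permissions(pat: dict, user: dict) -> dict:
    """A PAT cannot exceed what its owning account holds: per scope, take the minimum."""
    scopes = set(pat) | set(user)
    return {s: min(pat.get(s, Level.NONE), user.get(s, Level.NONE)) for s in scopes}


def check(pat: dict, user: dict, required: dict = REQUIRED):
    """Return (missing, excess): scopes where effective access is below the requirement,
    and scopes where the PAT grants more than the integration needs (least-privilege check)."""
    eff = effective_permissions(pat, user)
    missing = {s: lvl for s, lvl in required.items() if eff.get(s, Level.NONE) < lvl}
    excess = {s: lvl for s, lvl in pat.items() if lvl > required.get(s, Level.NONE)}
    return missing, excess


# Constructed sample: the PAT grants every required scope (plus an unneeded "issues"
# scope), but the service account itself only has read access to repository contents.
SAMPLE_PAT = dict(REQUIRED, issues=Level.WRITE)
SAMPLE_USER = {s: Level.WRITE for s in REQUIRED}
SAMPLE_USER["contents"] = Level.READ


def demo():
    return check(SAMPLE_PAT, SAMPLE_USER)


if __name__ == "__main__":
    missing, excess = demo()
    print("missing:", missing)   # contents: the PAT says write, the account only has read
    print("excess:", excess)     # issues: granted on the PAT, never used by the integration
```

The "missing" side reproduces the page's warning (a write grant on the PAT does nothing if the account only has read); the "excess" side is the review you would run before handing the token to the integration.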

Snyk uses SCM webhooks to:

  • Track the state of Snyk pull requests when PRs are created, updated, triggered, merged, and so on.

  • Send push events to trigger PR checks.
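To make the two webhook uses above concrete, here is an added example (not Snyk's code) of a receiver that authenticates a GitHub-shaped delivery and maps it to the PR-tracking and push-triggered check actions the list describes. The HMAC verification, the `X-Hub-Signature-256` and `X-GitHub-Event` headers, and the `pull_request` action values are standard GitHub webhook behaviour; the shared secret and payloads are constructed for the example, and the action names returned are this example's own labels.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, body: bytes) -> str:
    """Produce the signature header value GitHub attaches: 'sha256=<hex HMAC>'."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time comparison so an attacker cannot probe the secret byte by byte."""
    return hmac.compare_digest(sign(secret, body), signature_header)


def classify_event(event: str, payload: dict) -> str:
    """Map a delivery to the state transition a PR tracker cares about."""
    if event == "push":
        return "run-pr-checks"          # push events trigger PR checks
    if event == "pull_request":
        action = payload.get("action")
        pr = payload.get("pull_request", {})
        if action == "opened":
            return "pr-created"
        if action in ("synchronize", "edited", "reopened"):
            return "pr-updated"
        if action == "closed":
            return "pr-merged" if pr.get("merged") else "pr-closed"
    return "ignored"


def handle_delivery(secret: bytes, headers: dict, body: bytes) -> str:
    """Reject anything whose signature does not match before parsing the body."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return "rejected"
    return classify_event(headers.get("X-GitHub-Event", ""), json.loads(body))


# Constructed sample deliveries (secret and payloads are made up for this example).
SECRET = b"example-webhook-secret"
MERGED_BODY = json.dumps({"action": "closed",
                          "pull_request": {"number": 7, "merged": True}}).encode()
PUSH_BODY = json.dumps({"ref": "refs/heads/feature"}).encode()


def demo():
    good = handle_delivery(SECRET,
                           {"X-GitHub-Event": "pull_request",
                            "X-Hub-Signature-256": sign(SECRET, MERGED_BODY)},
                           MERGED_BODY)
    pushed = handle_delivery(SECRET,
                             {"X-GitHub-Event": "push",
                              "X-Hub-Signature-256": sign(SECRET, PUSH_BODY)},
                             PUSH_BODY)
    forged = handle_delivery(SECRET,
                             {"X-GitHub-Event": "pull_request",
                              "X-Hub-Signature-256": sign(b"wrong-secret", MERGED_BODY)},
                             MERGED_BODY)
    return good, pushed, forged


if __name__ == "__main__":
    print(demo())
```

A delivery that fails verification is dropped before its JSON is parsed, which is the property you want from any endpoint that drives PR state from inbound SCM events.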

GitHub Cloud App permission requirements

The Snyk GitHub Cloud App integration uses role-based access control: access is not dependent on individual users or their roles but is tied to the app entity instead.

To set up the GitHub Cloud app integration you must be a:

  • Snyk Organization Admin.

  • GitHub Organization Admin.

  • GitHub Repository Admin (if installing through the GitHub UI).

GitHub Server App permission requirements

To utilize the Snyk GitHub Server App you must be using a self-hosted instance of GitHub.

The Snyk GitHub Server App uses role-based access control: access is not dependent on individual users or their roles but is tied to the app entity instead.

To set up the GitHub Server app integration you must be a:

  • Snyk Organization Admin.

  • GitHub Organization Admin.

  • GitHub Repository Admin (if installing through the GitHub UI).

GitLab permission requirements

The Snyk GitLab integration uses either a personal access token (PAT) or group access token (GAT), depending on the GitLab account tier you are on.

To set up the Snyk GitLab integration you must be a:

  • Snyk Group or Organization Admin.

  • GitLab Owner or Maintainer

A PAT is used for managing personal GitLab projects and requires the api scope.

A GAT is used for managing multiple GitLab projects in a GitLab group and requires the api scope and the Maintainer role selected from the dropdown. You must be on the GitLab Premium or Ultimate account tier to create a GAT.

Bitbucket permission requirements

The Snyk Bitbucket integrations use different access control mechanisms to connect with Snyk:

To set up any Snyk Bitbucket integration, you must be a Bitbucket Workspace Admin.

Bitbucket Cloud and Bitbucket Data Center/Server scopes

The following table details the required permission scopes in Bitbucket Cloud and Bitbucket Data Center/Server:

Snyk uses SCM webhooks in Bitbucket to:

  • Track the state of pull requests when PRs are created, updated, triggered, merged, and so on.

  • Send push events to trigger PR checks.

Bitbucket Cloud App scopes

The following table details the permissions required for the Bitbucket Cloud App:

Azure Repositories (TFS) permission requirements

The Snyk Azure Repositories (TFS) integration uses an Azure DevOps personal access token (PAT). This token is configured with the specific permissions Snyk needs to access your Azure repositories.

To set up the Snyk Azure Repositories (TFS) integration you must be:

In Azure, the PAT requires the following permissions for Snyk access:

  • Expiry: Custom defined. Snyk recommends choosing a token expiration date that is far in the future.

  • Scopes: Custom defined. Read & write permissions are needed for the Code scope.


© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.