Set up Snyk Broker with GitLab

Follow the instructions on this page to set up GitLab with Snyk Broker. This integration is useful to ensure a secure connection with your on-premise or cloud GitLab deployment.

Configure Broker to be used for GitLab

Ask your Snyk account team to provide you with a Broker token.
You need Docker or a way to run Docker Linux containers.
Some Docker deployments for Windows run only Windows containers. Ensure that your deployment is capable of running Linux containers.
To use the Broker client with or an on-prem GitLab deployment, run docker pull snyk/broker:gitlab. The following environment variables are required to configure the Broker client:
  • BROKER_TOKEN - the Snyk Broker token, obtained from your GitLab integration settings view (
  • GITLAB_TOKEN - a GitLab personal access token with api scope
  • GITLAB - the hostname of your GitLab deployment, such as or
  • PORT - the local port at which the Broker Client accepts connections. Default is 8000.
  • BROKER_CLIENT_URL - the full URL of the Broker Client as needed to be reachable by either or on-prem GitLab deployment in order to establish webhook connectivity. This must be a full URL like http://broker.url.example:8000
  • ACCEPT_IAC - by default, some file types used by Infrastructure-as-Code (IaC) are not enabled. To grant the Broker access to IaC files in your repository, such as Terraform for example, you can simply add an environment variable ACCEPT_IAC with any combination of tf,yaml,yml,json,tpl
  • ACCEPT_CODE - by default, when using the Snyk Broker - Code Agent, Snyk Code will not load code snippets. To enable code snippets you can simply add an environment variable ACCEPT_CODE=true
Use the following command to set up a fully configured Broker Client to analyze Open Source, IaC, Container, and Code files (with the Code Agent).
docker run --restart=always \
-p 8000:8000 \
-e BROKER_TOKEN=<secret-broker-token> \
-e GITLAB_TOKEN=<secret-gitlab-token> \
-e GITLAB=< (no http/s)> \
-e PORT=8000 \
-e BROKER_CLIENT_URL=<http://broker.url.example:8000 (dns/IP:port)> \
-e ACCEPT_IAC=tf,yaml,yml,json,tpl \
-e ACCEPT_CODE=true \
If necessary, go to the Advanced Configuration section of Install and configure the Snyk Broker client and make any configuration changes needed, such as providing the CA (Certificate Authority to the Broker Client configuration if the GitlLab instance is using a private certificate, or setting up proxy support.
As an alternative to using the Docker run command, you can use a derived Docker image to set up the Broker Client integration. See Derived Docker images for the environment variables to override for the GitLab integration.

Custom allowlist through ACCEPT parameter

In addition, a fully configured accept.json for Snyk IaC, Code, Open Source and Container for GitLab is attached to use if you want to configure a custom allowlist. You cannot run the ACCEPT_IAC and ACCEPT_CODE arguments at the same time as the ACCEPT argument:

Start the Broker Client container

Paste the Broker Client configuration to start the Broker Client container.
Once the container is up, the GitLab Integrations page shows the connection to GitLab and you can Add Projects.

Basic troubleshooting for Broker with GitLab

  • Run docker logs <container id> to look for any errors, where container id is the GitLab Broker container ID.
  • Ensure relevant ports are exposed to GitLab.
© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.