Custom approved-listing filter with Docker

The default approved-listing filter supports the bare minimum to operate on all repositories supported by Snyk. In order to customize the approved-listing filter, create the default filter locally by installing snyk-broker and running broker init [Git type]. The created accept.json is the default filter for the chosen Git type. Place the file in a separate folder such as ./private/accept.json, and provide it to the Docker container by mounting the folder and using the ACCEPT environment variable:

docker run --restart=always \
           -p 8000:8000 \
           -e BROKER_TOKEN=secret-broker-token \
           -e GITHUB_TOKEN=secret-github-token \
           -e PORT=8000 \
           -e BROKER_CLIENT_URL=https://my.broker.client:8000 \
           -e ACCEPT=/private/accept.json
           -v /local/path/to/private:/private \
       snyk/broker:github-com

To filter by header, add a validation block with the following key and values:

Key

Value

Value Type

Example

header

The name of the header you wish to filter on. If this is defined then the named header must explicitly exist on the request; otherwise it will be blocked

String

accept

values

The header value must match one of the defined strings

Array<String>

["application/vnd.github.v4.sha"]

Example: To only allow the SHA Media Type accept header for requests to the GitHub Commits API, you would add the following:

{
    "method": "GET",
    "path": "/repos/:name/:repo/commits/:ref",
    "origin": "https://${GITHUB_TOKEN}@${GITHUB_API}",
    "valid": [
        {
            "header": "accept",
            "values": ["application/vnd.github.v4.sha"]
        }
    ]
}

For examples of custom approved-listing filters for each SCM see Snyk Broker integration setups and Adding custom accept.json for Docker installation.

PreviousAdding custom allowlist for Docker installation NextMounting secrets with Docker

Last updated 2 years ago

Was this helpful?