The Broker, an open-source tool made up of a client and a server component, acts as a proxy between Snyk and your on-premises Git repositories (for example GitHub Enterprise, Bitbucket Server or Azure Repos), and between Snyk and your on-premises Jira installation, when these are installed behind a firewall.
The Broker client is a service to be installed and hosted on your private infrastructure. Together with the Broker server, hosted on the Snyk backend, it establishes a secure and moderated tunnel with Snyk servers.
With this secure connection, the Broker client:
keeps sensitive data, such as your access tokens, within the perimeter of your private network—never sharing that information with Snyk.
limits Snyk's access to your network to the bare minimum required to scan and monitor for vulnerabilities and offer automated remediation.
Installed within your organization’s private network, the Broker client maintains an explicit approved list for both inbound and outbound requests, so that only the data Snyk actually needs crosses your network boundary.
The default approved list provided by Snyk limits bi-directional communication as follows:
Inbound—Snyk.io is only allowed to fetch and view dependency manifest files and the Snyk policy file (.snyk). No other source code is viewed, extracted, or modified under any circumstances. The .snyk policy file may additionally be checked in to support our patch mechanism and to record any ignore instructions included in your vulnerability policy. For more information about these files, see Manifest files.
Outbound—Git repository webhooks are set when you first configure your Broker setup; they are what trigger automatic Snyk scans when your developers push commits or open pull requests. The Broker client delivers webhook notifications to Snyk only for events relevant to Snyk actions (a push to a branch, a pull request opened), and only when the event data also includes a dependency manifest file or a Snyk policy file.
All data, both in transit and at rest, is encrypted. Communication between the Broker client and the Broker server takes place over a secure WebSocket connection.
All requests and webhooks not included in this approved list are dropped.
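To make the approved-list behaviour concrete, here is a small default-deny filter written for this page as an added illustration; it is not the Broker's own code and does not reproduce its configuration format. It matches inbound requests against method-plus-path rules (only manifest and .snyk reads are allowed) and forwards a webhook only when the event is relevant and touches a manifest or policy file. The rule syntax (`:name` segments and a trailing `:name*` wildcard), the manifest file names, the sample rules and the sample push payload are all assumptions made here.

```python
"""Illustrative accept-list filter in the spirit of the Broker client's approved list.

Added example for this page, not the Broker's own code. The rule format, the
file names, the sample rules and the sample payload are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Files Snyk needs to see: dependency manifests plus the .snyk policy file (assumed list).
MANIFEST_NAMES = {"package.json", "package-lock.json", "requirements.txt",
                  "pom.xml", "Gemfile.lock", "go.mod", ".snyk"}

# Webhook events the page names as relevant to Snyk actions.
RELEVANT_EVENTS = {"push", "pull_request"}


@dataclass(frozen=True)
class Rule:
    method: str
    path: str  # e.g. "/repos/:owner/:repo/contents/:path*/package.json" (assumed syntax)


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn a rule path into an anchored regex.

    ':name' matches exactly one path segment, ':name*' matches zero or more
    segments, anything else must match literally. Anchoring both ends is what
    keeps '/package.json.bak' or a longer path from slipping through.
    """
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg.startswith(":") and seg.endswith("*"):
            parts.append(r"(?:/[^/]+)*")
        elif seg.startswith(":"):
            parts.append(r"/[^/]+")
        else:
            parts.append("/" + re.escape(seg))
    return re.compile("^" + "".join(parts) + "$")


class AcceptList:
    """Default deny: a request is forwarded only if some rule explicitly allows it."""

    def __init__(self, rules: Iterable[Rule]):
        self._rules = [(r.method.upper(), compile_pattern(r.path)) for r in rules]

    def allows(self, method: str, url: str) -> bool:
        path = url.split("?", 1)[0]  # decide on the path alone, never on the query string
        if any(seg in (".", "..") for seg in path.split("/")):
            return False  # dot segments could resolve to a file outside the allowed path
        return any(m == method.upper() and rx.match(path) for m, rx in self._rules)


def files_touched_by_push(payload: dict) -> set:
    """Paths added, modified or removed by the commits of a push-style payload."""
    touched = set()
    for commit in payload.get("commits", []):
        for key in ("added", "modified", "removed"):
            touched.update(commit.get(key, []))
    return touched


def webhook_forwarded(event: str, touched_files: Iterable[str]) -> bool:
    """Forward only relevant events, and only if they touch a manifest or .snyk file.

    A removed .snyk file still counts: deleting it changes the ignore rules.
    """
    if event not in RELEVANT_EVENTS:
        return False
    return any(p.rsplit("/", 1)[-1] in MANIFEST_NAMES for p in touched_files)


# Assumed private-side rules, shaped like GitHub's repository contents API.
PRIVATE_RULES = [
    Rule("GET", "/repos/:owner/:repo/contents/:path*/package.json"),
    Rule("GET", "/repos/:owner/:repo/contents/:path*/.snyk"),
]

# Constructed sample payload shaped like a GitHub push event (not captured data).
PUSH_PAYLOAD = {
    "ref": "refs/heads/main",
    "commits": [
        {"added": ["src/feature.js"], "modified": ["package.json"], "removed": []},
        {"added": [], "modified": ["README.md"], "removed": ["services/old/.snyk"]},
    ],
}


def demo() -> dict:
    """Decisions for a handful of inbound requests and webhooks."""
    acl = AcceptList(PRIVATE_RULES)
    return {
        "manifest": acl.allows("GET", "/repos/acme/api/contents/package.json?ref=main"),
        "nested": acl.allows("GET", "/repos/acme/api/contents/services/billing/package.json"),
        "source": acl.allows("GET", "/repos/acme/api/contents/src/server.js"),
        "write": acl.allows("PUT", "/repos/acme/api/contents/package.json"),
        "traversal": acl.allows("GET", "/repos/acme/api/contents/../../.snyk"),
        "push": webhook_forwarded("push", files_touched_by_push(PUSH_PAYLOAD)),
        "comment": webhook_forwarded("issue_comment", ["package.json"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10} {'forwarded' if allowed else 'dropped'}")
```

Two details matter for any such filter: the decision is made on the path only (a query string must never widen what is allowed), and dot segments are refused outright rather than trusting the upstream server to normalise them. Everything the rules do not name, including any write method against an allowed path, is dropped.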
Broker can also be used as a proxy between Snyk and your publicly accessible Git repositories. When used for public repositories, every interaction between the Broker client and your Git repositories is logged, which increases your visibility into and control over Snyk activity in those repositories and so improves data security.
The communication between Snyk, the Broker and your repo, as well as the data shared with Snyk, are further described step-by-step in How it works.