snyk · mcombuechen · May 2, 2024 · Apr 1, 2024
@@ -93,7 +93,7 @@ What about with SPDX? Let's take an SBOM containing a list of packages like so:
       "referenceLocator": "pkg:npm/[email protected]"
     }
   ]
-} 
+}
 ```
 
 Running `parlay ecosystems enrich <sbom.spdx.json>` will add additional information:
@@ -114,7 +114,7 @@ Running `parlay ecosystems enrich <sbom.spdx.json>` will add additional informat
       "referenceType": "purl",
       "referenceLocator": "pkg:npm/[email protected]"
     }
-  ] 
+  ]
 ```
 
 There are a few other utility commands for ecosyste.ms as well. The first returns raw JSON information about a specific package from ecosyste.ms:
@@ -138,6 +138,8 @@ It's important to note vulnerability data is moment-in-time information. By addi
 
 Note the Snyk commands require you to be a Snyk customer, and require passing a valid Snyk API token in the `SNYK_TOKEN` environment variable.
 
+The API base url can be set using the `SNYK_API` environment variable, and if missing it will default to `https://api.snyk.io/rest`.
+
 ```
 parlay snyk enrich testing/sbom.cyclonedx.json
 ```
@@ -248,9 +250,9 @@ There are lots of other sources of package data, and it would be great to add su
 
 ## Pipes!
 
-`parlay` is a fan of stdin and stdout. You can pipe SBOMs from other tools into `parlay`, and pipe between the separate `enrich` commands too. 
+`parlay` is a fan of stdin and stdout. You can pipe SBOMs from other tools into `parlay`, and pipe between the separate `enrich` commands too.
 
-Maybe you want to enrich an SBOM with both ecosyste.ms and Snyk data: 
+Maybe you want to enrich an SBOM with both ecosyste.ms and Snyk data:
 
 ```
 cat testing/sbom.cyclonedx.json | ./parlay e enrich - | ./parlay s enrich - | jq
@@ -324,7 +326,7 @@ The various services used to enrich the SBOM data have data for a subset of purl
 * `npm`
 * `nuget`
 * `pypi`
-* `rpm` 
+* `rpm`
 * `swift`
 
 ### OpenSSF Scorecard

@@ -27,7 +27,6 @@ import (
 )
 
 const (
-	snykServer        = "https://api.snyk.io/rest"
 	version           = "2023-04-28"
 	snykAdvisorServer = "https://snyk.io/advisor"
 	snykVulnDBServer  = "https://security.snyk.io/package"
@@ -86,7 +85,7 @@ func SnykVulnURL(purl *packageurl.PackageURL) string {
 }
 
 func GetPackageVulnerabilities(purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID) (*issues.FetchIssuesPerPurlResponse, error) {
-	client, err := issues.NewClientWithResponses(snykServer, issues.WithRequestEditorFn(auth.Intercept))
+	client, err := issues.NewClientWithResponses(APIBaseURL(), issues.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}

@@ -39,7 +39,7 @@ type selfDocument struct {
 }
 
 func SnykOrgID(auth *securityprovider.SecurityProviderApiKey) (*uuid.UUID, error) {
-	experimental, err := users.NewClientWithResponses(snykServer, users.WithRequestEditorFn(auth.Intercept))
+	experimental, err := users.NewClientWithResponses(APIBaseURL(), users.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}
@@ -82,3 +82,11 @@ func AuthFromToken(token string) (*securityprovider.SecurityProviderApiKey, erro
 func APIToken() string {
 	return os.Getenv("SNYK_TOKEN")
 }
+
+func APIBaseURL() string {
+	snykApiEnv := os.Getenv("SNYK_API")
+	if snykApiEnv != "" {
+		return snykApiEnv
+	}
+	return "https://api.snyk.io/rest"
+}