The Pro and Enterprise plans include a private instance of the Buf Schema Registry (BSR), SSO/SCIM for user provisioning, and several other features to address security, compliance, and automation requirements specific to larger organizations. The pages in this section describe the setup and usage of your private BSR instance and point to relevant sections of the general documentation where there are differences from the public BSR at https://buf.build.
Private BSR and SSO/SCIM
Setting up your private BSR instance is a shared process with Buf engineers. We currently support all OIDC or SAML providers for SSO/SCIM, and have specific setup guides for these:
- SSO: GitHub/OAuth2, Google/SAML, Okta/OIDC, Okta/SAML
- SCIM: Azure/SAML, Okta/SAML
Teams, Pro, and Enterprise plans include the ability to upload custom plugins for logic specific to your business needs. See the custom plugins documentation for policy and implementation information.
Breaking change policy enforcement
This feature is only available to organizations on the Enterprise plan.
On your private BSR, you can enforce a set of breaking change rules across all repositories. Once enabled, any commits with breaking changes are put into a review flow, where they can be accepted or rejected by the BSR repository owners or admins. This protects downstream consumers from breaking changes, while enabling those closest to the code to approve them when appropriate. See the overview and review commits documentation for more information.
In addition to the GitHub Actions integration for the public BSR, Pro and Enterprise plans offer access to Buf’s GitHub App. The app synchronizes your Protobuf source control with your private BSR instance, and automatically performs breaking change detection, linting, and formatting.
Pro and Enterprise plans also allow you to create bot users that can call the BSR from CI workflows without tying the actions to a specific person.
You can enable webhooks to trigger actions in other backend services, such as CI/CD or notification workflows. They are disabled by default.