From 01c63a485b44dcf879c636634a4f701402ae5dc9 Mon Sep 17 00:00:00 2001
From: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Date: Thu, 21 Nov 2024 10:48:40 -0500
Subject: [PATCH] Fix Snyk Workflow to Find Project Deps (#1708)

### Feature or Bugfix
<!-- please choose -->
- Bugfix

### Detail
- Add args `--all-projects --detection-depth=5` for Snyk to find project
Dep
- Add MakeFile command to install all Python Deps before running `snyk
test`
- Noted as a requirement in [Snyk
Docs](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ci-cd-integrations/github-actions-for-snyk-setup-and-checking-for-vulnerabilities/snyk-python-action)

### Relates
- <URL or Ticket>

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
---
 .github/workflows/snyk.yaml | 11 ++++++++++-
 Makefile                    |  8 +++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 4372775ee..30e2c041b 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -12,12 +12,21 @@ permissions:
 
 jobs:
   security:
+    strategy:
+      matrix:
+        python-version: [3.9]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install All Requirements
+        run: make install
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/python-3.9@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --severity-threshold=high
\ No newline at end of file
+          args: --all-projects --detection-depth=5 --severity-threshold=high
diff --git a/Makefile b/Makefile
index 888927042..8fd5e85cd 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ venv:
 	@python3 -m venv "venv"
 	@/bin/bash -c "source venv/bin/activate"
 
-install: upgrade-pip install-deploy install-backend install-cdkproxy install-tests
+install: upgrade-pip install-deploy install-backend install-cdkproxy install-tests install-integration-tests install-custom-auth install-userguide
 
 upgrade-pip:
 	pip install --upgrade pip setuptools
@@ -36,6 +36,12 @@ install-tests:
 install-integration-tests:
 	pip install -r tests_new/integration_tests/requirements.txt
 
+install-custom-auth:
+	pip install -r deploy/custom_resources/custom_authorizer/requirements.txt
+
+install-userguide:
+	pip install -r documentation/userguide/requirements.txt
+
 lint:
 	pip install ruff
 	ruff check --fix