From b5f1131f16e7b1f2e3e662fc7cf6655eb1c97409 Mon Sep 17 00:00:00 2001
From: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Date: Tue, 26 Nov 2024 09:26:12 -0500
Subject: [PATCH] Change Snyk Actions (#1713)

### Feature or Bugfix
<!-- please choose -->

### Detail
- Change GitHub Action step from using `snyk/actions/python-3.9@master`
to `snyk/actions/setup@master`
- `snyk/actions/setup@master` will just install Snyk CLI and we add step
to explicitly call `snyk test ...` with our arguments
- Changed because `snyk/actions/python-3.9@master` was setting up some
virtual env and not finding the installed dependencies from `make
install` (leading to Snyk skipping over the checks on
`requirements.txt`)


- Alternatives Explored
- Specifying `package-manager` to pip rather than poetry (Poetry shell
was being created that did not carry over installed deps from before
using `snyk/actions/python-3.9@master`)
        - But not supported with `all-projects` flag
- Adding configuration to `pyproject.toml` to prevent venv creation
(could not find a working solution)
- Using venvs and exporting PATH env variable to be used later by Snyk
action step (could not find a working solution)


### Relates
- https://github.com/data-dot-all/dataall/pull/1708

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
---
 .github/workflows/snyk.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 30e2c041b..41986f7df 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -25,7 +25,7 @@ jobs:
       - name: Install All Requirements
         run: make install
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/python-3.9@master
+        run: snyk test --all-projects --detection-depth=5 --severity-threshold=high
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with: