From 95d1a06d96a0cdf8cbb408fcc6c51e2328a1a1e2 Mon Sep 17 00:00:00 2001
From: Steve McGrath <smcgrath@tenable.com>
Date: Thu, 12 Dec 2024 17:46:47 -0600
Subject: [PATCH] Re-enabled Snyk with uv

---
 .github/workflows/deploy.yml  | 24 ++++++++++++++++--------
 .github/workflows/testing.yml | 33 +++++++++++++++++++--------------
 2 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index faa7b3018..543cabafa 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,20 +8,28 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.12
-
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
+      - uses: astral-sh/setup-uv@v4
+      - uses: snyk/actions/setup@master
 
       - name: Build package
         run: uv build
 
+      - name: Export requirements for Snyk
+        run: |
+          uv pip compile pyproject.toml -o requirements.txt
+          pip3 install -r requirements.txt
+
+      - name: Snyk Scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor --command=python3 --skip-unresolved=true
+
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@v1.4.1
         with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index b50128ee9..be18d055d 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -20,15 +20,10 @@ jobs:
         - "3.12"
 
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
 
       - name: Install dependencies
         run: uv sync --all-extras --dev
@@ -49,17 +44,27 @@ jobs:
   security_tests:
     runs-on: ubuntu-latest
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.8"
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
+      - uses: astral-sh/setup-up@v4
+
       - name: Run pip-audit
         run: |
           uv export --format requirements-txt | uv tool run pip-audit
+
       - name: Run Bandit code auditor
         run: uv tool run --with "bandit[toml,baseline,sarif]" bandit -c pyproject.toml -r . -ll
+      
+      - name: Export & Install requirements to run Snyk
+        run: |
+          uv pip compile pyproject.toml -o requirements.txt
+          pip3 install -r requirements.txt
+
+      - name: Snyk Scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test --command=python3 --skip-unresolved=true