move snyk stuff to snyk file (#895)

Co-authored-by: burnettk <burnettk@users.noreply.github.com>

.github/workflows/snyk-security.yml

@@ -1,3 +1,5 @@
+# burnettk created an account at https://app.snyk.io/org/kevin-jfx
+# and added his SNYK_TOKEN secret under the spiff-arena repo.
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
@@ -29,7 +31,7 @@ name: Snyk Security
 on:
   workflow_dispatch: # allow running on demand
   schedule:
-    - cron: "0 14 * * 2"  # Every Tuesday at 1PM UTC (9AM/10AM eastern)
+    - cron: "0 14 * * 2" # Every Tuesday at 1PM UTC (9AM/10AM eastern)
 
 permissions:
   contents: read
@@ -73,6 +75,10 @@ jobs:
       - name: Snyk Code test
         run: snyk code test --sarif > snyk-code.sarif || true
 
+      # checks library dependencies
+      - name: Snyk test
+        run: snyk test
+
         # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
       - name: Snyk Open Source monitor
         run: snyk monitor --all-projects

.github/workflows/tests.yml

@@ -77,7 +77,7 @@ jobs:
       PRE_COMMIT_COLOR: "always"
       SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD: password
       SPIFFWORKFLOW_BACKEND_DATABASE_TYPE: ${{ matrix.database }}
-      SPIFFWORKFLOW_BACKEND_RUNNING_IN_CI: 'true'
+      SPIFFWORKFLOW_BACKEND_RUNNING_IN_CI: "true"
 
     steps:
       - name: Check out the repository
@@ -133,7 +133,7 @@ jobs:
           mysql version: "8.0"
           mysql database: "spiffworkflow_backend_unit_testing"
           mysql root password: password
-          collation server: 'utf8mb4_0900_as_cs'
+          collation server: "utf8mb4_0900_as_cs"
         if: matrix.database == 'mysql'
 
       - name: Setup Postgres
@@ -172,19 +172,6 @@ jobs:
           name: logs-${{matrix.python}}-${{matrix.os}}-${{matrix.database}}
           path: "./spiffworkflow-backend/log/*.log"
 
-  # burnettk created an account at https://app.snyk.io/org/kevin-jfx
-  # and added his SNYK_TOKEN secret under the spiff-arena repo.
-  snyk:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/python@master
-        with:
-          args: spiffworkflow-backend
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
   run_pre_commit_checks:
     runs-on: ubuntu-latest
     defaults:
@@ -295,7 +282,6 @@ jobs:
           name: pr_number
           path: pr/
 
-
   tests-frontend:
     runs-on: ubuntu-latest
     needs: [tests-backend, run_pre_commit_checks, check_docker_start_script]

spiffworkflow-backend/pyproject.toml

@@ -51,7 +51,7 @@ marshmallow-enum = "^1.5.1"
 PyJWT = "^2.6.0"
 gunicorn = "^20.1.0"
 APScheduler = "*"
-Jinja2 = "^3.1.2"
+Jinja2 = "^3.1.3"
 RestrictedPython = "^7.0"
 Flask-SQLAlchemy = "^3"