chore: add security scanning and dev dependencies configuration

Author: kishore7snehil

.github/workflows/semgrep.yml

@@ -0,0 +1,40 @@
+name: Semgrep
+
+on:
+  merge_group:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "30 0 1,15 * *"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  run:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

.github/workflows/snyk.yml

@@ -0,0 +1,40 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+
+  check:
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

packages/auth0_api_python/.snyk

@@ -0,0 +1,20 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.12.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-PYTHON-REQUESTS-72435:
+    - '*':
+        reason: 'unaffected, only affects https->http authorization header redirection.'
+        expires: 2019-11-05T00:00:00.000Z
+  SNYK-PYTHON-REQUESTS-40470:
+    - '*':
+        reason: 'patched in latest python versions: https://bugs.python.org/issue27568'
+  "snyk:lic:pip:certifi:MPL-2.0":
+    - '*':
+        reason: "Accepting certifi’s MPL-2.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
+  "snyk:lic:pip:jwcrypto:LGPL-3.0":
+    - '*':
+        reason: "Accepting jwcrypto’s LGPL-3.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
+patch: {}

packages/auth0_api_python/requirements-dev.txt

@@ -0,0 +1,7 @@
+pytest>=8.0,<9.0
+pytest-cov>=4.0,<5.0
+pytest-asyncio>=0.20.3,<1.0
+pytest-mock>=3.14.0,<4.0
+pytest-httpx>=0.35.0,<1.0
+ruff>=0.1.0,<1.0
+twine>=6.1.0,<7.0

packages/auth0_api_python/requirements.txt

@@ -0,0 +1,16 @@
+authlib>=1.0,<2.0
+requests>=2.31.0,<3.0
+httpx>=0.28.1,<1.0
+ada-url>=1.25.0,<2.0
+certifi>=2025.1.31
+cryptography>=43.0.3
+idna>=3.10
+sniffio>=1.3.1
+h11>=0.14.0
+httpcore>=1.0.7
+anyio>=4.9.0
+charset-normalizer>=3.4.1
+urllib3>=2.3.0
+rfc3986>=2.0.0
+cffi>=1.17.1
+pycparser>=2.220