feat: add SCA workflow and remove legacy snyk workflow

.github/workflows/codeql.yml

@@ -39,15 +39,15 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/sca_scan.yml

@@ -0,0 +1,16 @@
+name: SCA
+
+on:
+  push:
+    branches: ["master", "main", "**"]
+
+jobs:
+  snyk-cli:
+    uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
+    with:
+      additional-arguments: "--exclude=README.md,.jfrog --skip-unresolved"
+      python-version: "3.10"
+      pre-scan-commands: |
+        python3 -m venv venv --upgrade-deps
+        ./venv/bin/pip3 install -r requirements.txt
+    secrets: inherit

examples/example-fastmcp-mcp/src/auth0/middleware.py

@@ -2,13 +2,14 @@
 from collections.abc import Callable
 from typing import Any
 
-from auth0_api_python import ApiClient, ApiClientOptions
-from auth0_api_python.errors import VerifyAccessTokenError
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
 from starlette.responses import Response
 from starlette.types import ASGIApp
 
+from auth0_api_python import ApiClient, ApiClientOptions
+from auth0_api_python.errors import VerifyAccessTokenError
+
 from .errors import AuthenticationRequired, MalformedAuthorizationRequest
 
 logger = logging.getLogger(__name__)

pyproject.toml

@@ -15,15 +15,15 @@ python = "^3.9"
 authlib = "^1.0"      # For JWT/OIDC features
 requests = "^2.31.0"  # If you use requests for HTTP calls (e.g., discovery)
 httpx = "^0.28.1"
-ada-url = "^1.25.0"
+ada-url = "^1.27.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^8.0"
 pytest-cov = "^4.0"
-pytest-asyncio = "^0.20.3"
-pytest-mock = "^3.14.0"
+pytest-asyncio = "^0.25.3"
+pytest-mock = "^3.15.1"
 pytest-httpx = "^0.35.0"
-ruff = "^0.1.0"
+ruff = ">=0.1,<0.15"
 
 [tool.pytest.ini_options]
 addopts = "--cov=src --cov-report=term-missing:skip-covered --cov-report=xml"

requirements.txt

@@ -1,12 +1,9 @@
-# Core runtime dependencies
-authlib>=1.6.3
+authlib>=1.6.5
 httpx>=0.28.1
-ada-url>=1.26.0
-
-# Development and testing dependencies
+ada-url>=1.27.0
 pytest>=8.0
 pytest-cov>=4.0
-pytest-asyncio>=0.20.3
-pytest-mock>=3.14.1
+pytest-asyncio>=0.25.3
+pytest-mock>=3.15.1
 pytest-httpx>=0.35.0
 

tests/test_api_client.py

@@ -5,6 +5,8 @@
 
 import httpx
 import pytest
+from pytest_httpx import HTTPXMock
+
 from auth0_api_python.api_client import ApiClient
 from auth0_api_python.config import ApiClientOptions
 from auth0_api_python.errors import (
@@ -24,7 +26,6 @@
     generate_token_with_cnf,
     sha256_base64url,
 )
-from pytest_httpx import HTTPXMock
 
 # Create public RSA JWK by selecting only public key components
 PUBLIC_RSA_JWK = {k: PRIVATE_JWK[k] for k in ["kty", "n", "e", "alg", "use", "kid"] if k in PRIVATE_JWK}