
chore: install static analysis tool Snyk and generate static security analysis artifact#81

Merged: 1 commit merged into main from test/synk-security-analysis, Mar 26, 2026

Conversation


@PDFour4 PDFour4 commented Mar 12, 2026

Tool Overview: Snyk (Static Security Analysis)

I selected Snyk, a static analysis and security vulnerability scanner, which was not on the starter list. It analyzes both open-source dependencies (SCA) and custom application code (SAST) for security flaws.

Evidence of Installation & Execution:

  • Installation: Added snyk as a devDependency in package.json.
  • Artifact: The snyk-code-analysis-artifact.txt file in this commit contains the terminal output of the vulnerability scan. The scan successfully executed and identified 247 total open issues.

Evaluation

What types of problems does it catch?

  • Comprehensive Security Context: This tool goes beyond basic code quality linting. For example, it successfully identified 19 High-severity "Path Traversal" vulnerabilities in the admin upload controllers, explaining exactly how user input flows into file system reads/writes.

False Positives, False Negatives, and True Positives we don't care about:

  • True positives we don't care about: The tool lacks built-in context about testing environments. It flagged over 30 "Use of Hardcoded Passwords" as security vulnerabilities. While technically true (they are hardcoded), we don't care because they are safely contained within test/ files (like test/authentication.js) and will never hit production.
  • False Negatives: Like all static scanners, Snyk analyzes syntax and data flow but cannot understand complex business logic flaws (e.g., if a user is able to access a feature they shouldn't be able to due to a logic error in our permissions system).

Customization (Possible & Necessary):

  • Before Use: To take care of the test file issues mentioned above, it is necessary to use a .snyk configuration file to explicitly ignore the test/ directory.
  • Over time: As NodeBB continues to grow, it is possible to customize the scan commands (e.g., npx snyk code test --severity-threshold=high) so that builds only flag High-severity issues, as opposed to halting development for Low-risk warnings.

Integration into the Development Process:

  • CI/CD Pipeline: Snyk should be integrated directly into our GitHub Actions workflow. By configuring it to run on every Pull Request targeting the main branch, we can automatically block code merges if a High or Critical vulnerability is introduced, preventing bad code from ever reaching production.

@PDFour4 PDFour4 closed this pull request by merging all changes into main in 8076efc Mar 26, 2026
