Security Audit: Comprehensive Snyk-equivalent security scan report

[devin-ai-integration]

Summary

Adds a SECURITY_AUDIT_REPORT.md containing findings from an automated security audit of the MetaMask Mobile repository. The audit was intended to use Snyk MCP but fell back to open-source equivalents (Semgrep, Trivy, Checkov) because the Snyk MCP server was unavailable and the provided Snyk CLI token was a non-functional placeholder.

No code changes are included — this PR is report-only. It documents 145 total findings across five scan categories:

• SAST (Semgrep): 13 findings, including 1 high-severity remote property injection in SanitizationMiddleware.ts
• SCA (Trivy): 96 dependency vulnerabilities (10 critical, 39 high), primarily in yarn.lock and several Gemfile.lock files
• IaC (Checkov): 26 GitHub Actions workflow failures (missing permissions declarations)
• Container (Trivy): 10 Dockerfile misconfigurations (6 high — root user issues)
• Secrets (Trivy): 0 findings
• SBOM: Generation was attempted but failed (CycloneDX needs package-lock.json; repo uses yarn.lock)

The report includes a prioritized 32-item remediation plan.

Review & Testing Checklist for Human

• Validate critical findings are real and exploitable in this context. Many dependency CVEs come from Gemfile.lock files in ios/branch-ios-sdk/ and node_modules/lottie-*/ — these are transitive deps in vendored/third-party code and may not be directly exploitable in the mobile app. The severity counts could be inflated by false positives.
• Manually verify the HIGH SAST finding at app/core/SanitizationMiddleware.ts:103 (remote property injection). This is in a sanitization middleware, so it may already be intentionally handling bracket notation safely — or it may be a genuine vulnerability. Semgrep cannot determine context here.
• Confirm this report should live in-repo rather than in a separate security tracking system (e.g., Jira, a private wiki). Committing vulnerability details to a public-facing repo (or one with broad access) could expose actionable attack surface information.
• Review remediation timelines and priorities — the suggested 1-week/2-week/1-month windows may not align with the team's release cadence or risk appetite.
• Note the SBOM gap — one of five intended scan types did not produce output. If SBOM compliance is required, a follow-up is needed.

Notes

• The scans used Semgrep v1.152.0, Trivy v0.69.1, and Checkov v3.2.504 — all current as of the audit date. Different tool versions or Snyk itself may produce different results.
• Some node_modules Dockerfile findings (Section 3.3) are from third-party packages and not directly actionable.

Link to Devin run: https://app.devin.ai/sessions/c4c61ecd43b34b21a779b47d77e46265
Requested by: @priya-cognition

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring