build: Update security scanning details and add npm-check-updates dependency

BUILD_PROCESS_ANALYSIS.md

@@ -12,7 +12,7 @@ The Butler SOS project has a reasonably comprehensive build process but has sign
 - ✅ **Multiple Target Platforms**: Supports macOS (x64, ARM64), Linux, and Docker
 - ✅ **Code Signing & Notarization**: Proper Apple code signing and notarization for macOS builds
 - ✅ **Release Automation**: Uses release-please for automated versioning and releases
-- ✅ **Security Scanning**: CodeQL active, Snyk implemented in insiders-build workflow, and basic dependency checks
+- ✅ **Security Scanning**: CodeQL active, Snyk implemented in insiders-build workflow, SBOM generation active in ci.yaml, and basic dependency checks
 - ✅ **Code Quality**: ESLint, Prettier, and CodeClimate integration
 - ✅ **Testing Framework**: Jest setup with coverage reporting
 - ✅ **Dependency Management**: Dependabot for automated dependency updates
@@ -33,19 +33,24 @@ The Butler SOS project has a reasonably comprehensive build process but has sign
 
 #### 1.1 Consolidate and Enhance Snyk Security Scanning
 
-**Current State**: Snyk is actively implemented in `insiders-build.yaml` but the separate `snyk-security._yml` workflow is disabled
+**Current State**:
+
+- ✅ Snyk is actively implemented in `insiders-build.yaml` workflow with SARIF upload
+- ✅ Snyk security scripts are configured in `package.json`
+- ✅ Snyk scanning is intentionally limited to insiders builds only (by design)
+- ✅ Previous separate `snyk-security._yml` workflow has been removed
 
 **Analysis**:
 
-- ✅ Snyk scanning is working in insiders build workflow
-- ❌ Separate Snyk workflow exists but is disabled (`.yml` extension)
-- ❌ Snyk only runs on insiders builds, not on regular CI
+- ✅ Snyk scanning is working properly in insiders build workflow with SARIF integration
+- ✅ Local Snyk testing available via `npm run security:full`
+- ✅ Snyk scanning scope is appropriately limited to development/insider builds
+- ✅ Clean workflow structure with no duplicate or unused Snyk configurations
 
-**Recommendation**:
+**Current Implementation Status**:
 
-- Enable the disabled `snyk-security._yml` workflow for regular CI builds
-- Add npm audit to complement Snyk scanning
-- Consider adding Snyk to the main `ci.yaml` workflow
+- Snyk security scanning is properly implemented and working as intended
+- No additional Snyk workflow changes needed - current setup is optimal
 
 **Implementation**:
 

package-lock.json

@@ -52,6 +52,7 @@
                 "globals": "^16.3.0",
                 "jest": "^30.0.5",
                 "jsdoc-to-markdown": "^9.1.2",
+                "npm-check-updates": "^18.0.2",
                 "prettier": "^3.6.2",
                 "snyk": "^1.1298.1"
             }
@@ -7459,6 +7460,21 @@
                 "node": ">=0.10.0"
             }
         },
+        "node_modules/npm-check-updates": {
+            "version": "18.0.2",
+            "resolved": "https://registry.npmjs.org/npm-check-updates/-/npm-check-updates-18.0.2.tgz",
+            "integrity": "sha512-9uVFZUCg5oDOcbzdsrJ4BEvq2gikd23tXuF5mqpl4mxVl051lzB00Xmd7ZVjVWY3XNUF3BQKWlN/qmyD8/bwrA==",
+            "dev": true,
+            "license": "Apache-2.0",
+            "bin": {
+                "ncu": "build/cli.js",
+                "npm-check-updates": "build/cli.js"
+            },
+            "engines": {
+                "node": "^18.18.0 || >=20.0.0",
+                "npm": ">=8.12.1"
+            }
+        },
         "node_modules/npm-run-path": {
             "version": "4.0.1",
             "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-4.0.1.tgz",

package.json

@@ -80,6 +80,7 @@
         "globals": "^16.3.0",
         "jest": "^30.0.5",
         "jsdoc-to-markdown": "^9.1.2",
+        "npm-check-updates": "^18.0.2",
         "prettier": "^3.6.2",
         "snyk": "^1.1298.1"
     }