
Ce 12885 add weeekly security audit #13302

Open
cachelina wants to merge 20 commits into develop from ce-12885-add-weeekly-security-audit

Conversation

@cachelina
Contributor

@cachelina cachelina commented Apr 23, 2026

Description of Change

A new file weekly_security_audit.yml will assess vulnerabilities in the app by running a weekly yarn audit of the installed packages, and also a vtk scan of VAMobile. The va-mobile-app-alerts channel will send an alert if vulnerabilities are found.

Note: Currently, the yarn audit is failing and there's a devops/FE effort to address these vulnerabilities. Until the effort is complete, the yarn audit will fail and send a weekly alert.

Target Release Date

n/a

Link to Issue

Closes #12885

Code testing

  • Unit tests have been created or updated to cover this change
  • End to end (Detox) tests have been added or updated as needed

Pre-QA Artifacts

Include all artifacts or select not applicable and explain below.

  • Screenshots or screen recording at factory default settings (before and after, if applicable) in portrait orientation
  • Screenshots in landscape orientation
  • Screenshots at 2x text size
  • Screen recording of interaction using VoiceOver (iOS) and/or TalkBack (Android)
  • Visual artifacts not applicable to this PR (explain why below)
n/a

Screenshots & Video

2x text size

  • iOS Dynamic Type: Settings > Accessibility > Display & Text Size > Larger Text. Toggle ON, move slider.
  • Android Font Scale: Settings > Accessibility > Display size and text. Adjust Font size and Display size sliders.

VoiceOver / TalkBack (best on actual hardware)

Test Context for QA

How does a user get here?

Feature Flags

Risk Assessment:

  • Low (UI polish, copy change, isolated component)
  • Medium (New feature, non-core path)
  • High (Changes to Core Features: Login, Claims, Rx, Secure Messaging, major updates to a backend service, etc.)

What should QA pay extra attention to?

Test Review

n/a

Test User(s)

n/a

Checklist for QA

QA Engineer: Check off the items below as you test
n/a

  • Shared Test Script executed (post results as a PR comment)
  • Feature-specific verification based on QA Test Context above
  • Tested on iOS
  • Tested on Android

Run a build for this branch

@cachelina cachelina requested a review from a team as a code owner April 23, 2026 14:11
Copilot AI review requested due to automatic review settings April 23, 2026 14:11
@flagship-mobile-app flagship-mobile-app Bot review requested due to automatic review settings April 23, 2026 14:13
@cachelina cachelina temporarily deployed to bypass-package-lock April 23, 2026 14:16 — with GitHub Actions Inactive
@flagship-mobile-app flagship-mobile-app Bot added the package-scan-complete npm package scanning complete label Apr 23, 2026
Comment thread .github/workflows/weekly-security-audit.yml Outdated
timeout_minutes: 10
command: cd VAMobile && yarn install --ignore-scripts --frozen-lockfile --non-interactive

- name: Run yarn audit
Contributor

I'm suggesting we comment this out for now until dependabot catches up. This will cause false positives and fail the job. Having false failures before real failures will create noise and we will miss the real failures.

Contributor Author

I commented this out!
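The noise problem discussed in this thread (and the note in the PR description that the audit will fail every week until the known vulnerabilities are fixed) has a middle ground between "fail on anything" and "comment the step out": gate the job on a severity threshold plus an explicit, reviewed allowlist of advisory ids that are already being tracked. The script below is an added example, not code from this PR or from the VAMobile project. It assumes Yarn classic (v1) `yarn audit --json` output, which is one JSON object per line with `type: "auditAdvisory"` per finding and a trailing `auditSummary`; the function names (`parseYarnAudit`, `evaluate`, `demo`), the advisory ids, the package names, and the `SAMPLE_AUDIT` text are all constructed for the example.

```javascript
// Added example (not from the PR): gate a CI job on `yarn audit --json` output by
// severity and an explicit allowlist, instead of disabling the audit step.
// Assumes Yarn classic (v1) NDJSON output: one JSON object per line, with
// type "auditAdvisory" for each finding and "auditSummary" at the end.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse the NDJSON text into a flat list of advisories.
// Non-JSON lines (yarn warnings, progress output) are skipped rather than fatal.
function parseYarnAudit(ndjson) {
  const advisories = [];
  for (const line of ndjson.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let record;
    try { record = JSON.parse(trimmed); } catch { continue; }
    if (record.type !== 'auditAdvisory') continue;
    const a = record.data.advisory;
    advisories.push({
      id: a.id,
      module: a.module_name,
      severity: a.severity,
      title: a.title,
      // Dependency paths tell the reviewer whether the package is direct or transitive.
      paths: (a.findings || []).flatMap(f => f.paths || []),
    });
  }
  return advisories;
}

// Decide which advisories fail the job.
//   failOn: lowest severity that should fail (default "high")
//   allow:  advisory ids already tracked (e.g. waiting on a Dependabot PR);
//           these are reported as "waived" but do not fail the job.
// Anything below the threshold is ignored entirely so it never becomes noise.
function evaluate(advisories, { failOn = 'high', allow = [] } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const allowed = new Set(allow);
  const failing = [];
  const waived = [];
  for (const adv of advisories) {
    if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
    if (allowed.has(adv.id)) waived.push(adv); else failing.push(adv);
  }
  return { failing, waived, exitCode: failing.length ? 1 : 0 };
}

// Constructed sample in the shape of Yarn v1 `yarn audit --json`; ids and names are made up.
const SAMPLE_AUDIT = [
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { id: 1001 }, advisory: {
    id: 1001, module_name: 'example-parser', severity: 'high', title: 'Prototype Pollution',
    findings: [{ version: '1.0.0', paths: ['app>example-parser'] }] } } }),
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { id: 1002 }, advisory: {
    id: 1002, module_name: 'example-minifier', severity: 'moderate', title: 'ReDoS',
    findings: [{ version: '2.1.0', paths: ['app>build-tool>example-minifier'] }] } } }),
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { id: 1003 }, advisory: {
    id: 1003, module_name: 'example-crypto', severity: 'critical', title: 'Weak key generation',
    findings: [{ version: '0.9.0', paths: ['app>example-crypto'] }] } } }),
  JSON.stringify({ type: 'auditSummary', data: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } } }),
].join('\n');

// Walk the sample: 1001 is on the allowlist and is waived, 1002 is below the
// threshold and ignored, 1003 is critical and not waived, so the job fails.
function demo() {
  const advisories = parseYarnAudit(SAMPLE_AUDIT);
  const result = evaluate(advisories, { failOn: 'high', allow: [1001] });
  for (const a of result.failing) console.log(`FAIL   ${a.severity} ${a.module} #${a.id}: ${a.title} (${a.paths.join(', ')})`);
  for (const a of result.waived) console.log(`WAIVED ${a.severity} ${a.module} #${a.id}: ${a.title}`);
  return result;
}
```

In a workflow step this would run as `yarn audit --json > audit.ndjson || true` (Yarn classic exits non-zero whenever it finds anything, which is exactly the false failure the thread is trying to avoid), followed by a node script that reads the file, passes its contents to `parseYarnAudit`, and calls `process.exit` with the returned `exitCode`. Keeping the allowlist in a checked-in file means each waiver is visible in review and can be deleted when the corresponding upgrade lands, and the waived entries still show up in the job log so they are not forgotten.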

Copilot AI review requested due to automatic review settings April 28, 2026 17:10
@flagship-mobile-app flagship-mobile-app Bot review requested due to automatic review settings April 28, 2026 17:12
Copilot AI review requested due to automatic review settings April 28, 2026 17:14
Copilot AI left a comment

Pull request overview

Adds a new GitHub Actions workflow intended to run recurring security checks against the develop branch and alert Slack when issues are detected.

Changes:

  • Introduces .github/workflows/weekly-security-audit.yml with a VTK repository scan job.
  • Adds a Slack notification job intended to post failures to a channel.


Comment thread .github/workflows/weekly-security-audit.yml
@cachelina
Contributor Author

I tested the vtk-scan runs and succeeds on push!

@cachelina cachelina temporarily deployed to bypass-package-lock April 28, 2026 17:19 — with GitHub Actions Inactive
@cachelina cachelina temporarily deployed to bypass-package-lock April 28, 2026 18:27 — with GitHub Actions Inactive
@cachelina cachelina temporarily deployed to bypass-package-lock April 28, 2026 18:33 — with GitHub Actions Inactive
@cachelina cachelina temporarily deployed to bypass-package-lock April 28, 2026 19:36 — with GitHub Actions Inactive

Labels

package-scan-complete npm package scanning complete

Development

Successfully merging this pull request may close these issues.

Devops - periodically run yarn audit

3 participants