Security Report Generator
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
-
Write to .sb-pentest-audit.log IMMEDIATELY as you process each section
-
Update .sb-pentest-context.json with report metadata progressively
-
DO NOT wait until the entire report is generated to update files
-
If the skill crashes or is interrupted, the partial progress must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill generates a comprehensive Markdown security audit report from all collected findings.
When to Use This Skill
-
After completing security audit phases
-
To document findings for stakeholders
-
To create actionable remediation plans
-
For compliance and audit trail purposes
Prerequisites
-
Audit phases completed (context file populated)
-
Findings collected in .sb-pentest-context.json
Report Structure
The generated report includes:
-
Executive Summary — High-level overview for management
-
Security Score — Quantified risk assessment
-
Critical Findings (P0) — Immediate action required
-
High Findings (P1) — Address soon
-
Medium Findings (P2) — Plan to address
-
Detailed Analysis — Per-component breakdown
-
Remediation Plan — Prioritized action items
-
Appendix — Technical details, methodology
Usage
Generate Report
Generate security report from audit findings
Custom Report Name
Generate report as security-audit-2025-01.md
Specific Sections
Generate executive summary only
Output Format
The skill generates supabase-audit-report.md :
Supabase Security Audit Report
Target: https://myapp.example.com Project: abc123def.supabase.co Date: January 31, 2025 Auditor: Internal Security Team
Executive Summary
Overview
This security audit identified 12 vulnerabilities across the Supabase implementation, including 3 critical (P0) issues requiring immediate attention.
Key Findings
| Severity | Count | Status |
|---|---|---|
| 🔴 P0 (Critical) | 3 | Immediate action required |
| 🟠 P1 (High) | 4 | Address within 7 days |
| 🟡 P2 (Medium) | 5 | Address within 30 days |
Security Score
Score: 35/100 (Grade: D)
The application has significant security gaps that expose user data and allow privilege escalation. Critical issues must be addressed before the application can be considered secure.
Most Critical Issues
- Service Role Key Exposed — Full database access possible
- Database Backups Public — All data downloadable
- Admin Function No Auth — Any user can access admin features
Recommended Actions
-
⚡ Immediate (Today):
- Rotate service role key
- Make backup bucket private
- Add admin role verification
-
🔜 This Week:
- Enable RLS on all tables
- Enable email confirmation
- Fix IDOR in Edge Functions
-
📅 This Month:
- Strengthen password policy
- Restrict CORS origins
- Add rate limiting to functions
Critical Findings (P0)
P0-001: Service Role Key Exposed in Client Code
Severity: 🔴 Critical Component: Key Management CVSS: 9.8 (Critical)
Description
The Supabase service_role key was found in client-side JavaScript code. This key bypasses all Row Level Security policies and provides full database access.
Location
File: /static/js/admin.chunk.js Line: 89 Code: const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiI...'
Impact
- Full read/write access to all database tables
- Bypass of all RLS policies
- Access to auth.users table (all user data)
- Ability to delete or modify any data
Proof of Concept
curl 'https://abc123def.supabase.co/rest/v1/users' \
-H 'apikey: [service_role_key]' \
-H 'Authorization: Bearer [service_role_key]'
# Returns ALL users with full data
Remediation
Immediate:
- Rotate the service role key in Supabase Dashboard
- Settings → API → Regenerate service_role key
- Remove the key from client code
- Redeploy the application
Long-term:
// Move privileged operations to Edge Functions
// supabase/functions/admin-action/index.ts
import { createClient } from '@supabase/supabase-js'
Deno.serve(async (req) => {
// Service key only on server
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
)
// Verify caller is admin before proceeding
// ...
})
Documentation:
- Supabase API Keys
- Edge Functions
P0-002: Database Backups Publicly Accessible
Severity: 🔴 Critical
Component: Storage
CVSS: 9.1 (Critical)
Description
The storage bucket named "backups" is configured as public, exposing database dumps, user exports, and environment secrets.
Exposed Files
File
Size
Content
db-backup-2025-01-30.sql
125MB
Full database dump
users-export.csv
2.3MB
All user data with PII
secrets.env
1KB
API keys and passwords
Impact
- Complete data breach (all database content)
- Exposed credentials for third-party services
- User PII exposed (emails, names, etc.)
Remediation
Immediate:
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';
-- Delete or move files
-- Consider incident response procedures
Credential Rotation:
- Stripe API keys
- Database password
- JWT secret
- Any other keys in secrets.env
P0-003: Admin Edge Function Privilege Escalation
Severity: 🔴 Critical
Component: Edge Functions
CVSS: 8.8 (High)
Description
The /functions/v1/admin-panel
Edge Function is accessible to any authenticated user without role verification.
[... additional P0 findings ...]
High Findings (P1)
P1-001: Email Confirmation Disabled
Severity: 🟠 High
Component: Authentication
[... P1 findings ...]
Medium Findings (P2)
P2-001: Weak Password Policy
Severity: 🟡 Medium
Component: Authentication
[... P2 findings ...]
Detailed Analysis by Component
API Security
Table
RLS
Access Level
Status
users
❌
Full read
🔴 P0
orders
✅
None
✅
posts
✅
Published only
✅
Storage Security
Bucket
Public
Sensitive Files
Status
avatars
Yes
No
✅
backups
Yes
Yes (45 files)
🔴 P0
Authentication
Setting
Current
Recommended
Status
Email confirm
Disabled
Enabled
🟠 P1
Password min
6
8+
🟡 P2
Remediation Plan
Phase 1: Critical (Immediate)
ID
Action
Owner
Deadline
P0-001
Rotate service key
DevOps
Today
P0-002
Make backups private
DevOps
Today
P0-003
Add admin role check
Backend
Today
Phase 2: High Priority (This Week)
ID
Action
Owner
Deadline
P1-001
Enable email confirmation
Backend
3 days
P1-002
Fix IDOR in get-user-data
Backend
3 days
Phase 3: Medium Priority (This Month)
ID
Action
Owner
Deadline
P2-001
Strengthen password policy
Backend
14 days
P2-002
Restrict CORS origins
DevOps
14 days
Appendix
A. Methodology
This audit was performed using the Supabase Pentest Skills toolkit, which includes:
- Passive reconnaissance of client-side code
- API endpoint testing with anon and service keys
- Storage bucket enumeration and access testing
- Authentication flow analysis
- Real-time channel subscription testing
B. Tools Used
- supabase-pentest-skills v1.0.0
- curl for API testing
- Browser DevTools for client code analysis
C. Audit Scope
- Target URL: https://myapp.example.com
- Supabase Project: abc123def
- Components tested: API, Storage, Auth, Realtime, Edge Functions
- Exclusions: None
D. Audit Log
Full audit log available in .sb-pentest-audit.log
Report generated by supabase-pentest-skills
Audit completed: January 31, 2025 at 15:00 UTC
## Score Calculation
The security score is calculated based on:
| Factor | Weight | Calculation |
|--------|--------|-------------|
| P0 findings | -25 per issue | Critical vulnerabilities |
| P1 findings | -10 per issue | High severity issues |
| P2 findings | -5 per issue | Medium severity issues |
| RLS coverage | +10 if 100% | All tables have RLS |
| Auth hardening | +10 | Email confirm, strong passwords |
| Base score | 100 | Starting point |
### Grade Scale
| Score | Grade | Description |
|-------|-------|-------------|
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good, minor improvements needed |
| 70-79 | C | Acceptable, address issues |
| 60-69 | D | Poor, significant issues |
| 0-59 | F | Critical, immediate action needed |
## Context Input
The report generator reads from `.sb-pentest-context.json`:
```json
{
"target_url": "https://myapp.example.com",
"supabase": {
"project_url": "https://abc123def.supabase.co",
"project_ref": "abc123def"
},
"findings": [
{
"id": "P0-001",
"severity": "P0",
"component": "keys",
"title": "Service Role Key Exposed",
"description": "...",
"location": "...",
"remediation": "..."
}
],
"audit_completed": "2025-01-31T15:00:00Z"
}
Report Customization
Include/Exclude Sections
Generate report without appendix
Generate report with executive summary only
Different Formats
Generate report in JSON format
Generate report summary as HTML
MANDATORY: Context File Dependency
⚠️ This skill REQUIRES properly populated tracking files.
Prerequisites
Before generating a report, ensure:
- .sb-pentest-context.json
exists and contains findings from audit skills
- .sb-pentest-audit.log
exists with timestamped actions
- All relevant audit skills have updated these files
If Context Files Are Missing
If context files are missing or empty:
- DO NOT generate an empty report
- Inform the user that audit skills must be run first
- Recommend running supabase-pentest
for a complete audit
Report Generation Output
After generating the report, this skill MUST:
-
Log to .sb-pentest-audit.log
:
[TIMESTAMP] [supabase-report] [START] Generating security report
[TIMESTAMP] [supabase-report] [SUCCESS] Report generated: supabase-audit-report.md
[TIMESTAMP] [supabase-report] [CONTEXT_UPDATED] Report generation logged
-
Update .sb-pentest-context.json
with report metadata:
{
"report": {
"generated_at": "...",
"filename": "supabase-audit-report.md",
"findings_count": { "p0": 3, "p1": 4, "p2": 5 }
}
}
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
Related Skills
- supabase-report-compare
— Compare with previous reports
- supabase-pentest
— Run full audit first
- supabase-help
— List all available skills