Back to Details

supabase-pentest

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Supabase Security Audit Orchestrator

Supabase安全审计统筹工具

🔵 RECOMMENDED: USE PLAN MODE FOR COMPLEX AUDITS
When your environment supports Plan Mode, it is strongly recommended to activate it before starting the audit:
  • Use the 
    EnterPlanMode
    tool at the start of the orchestration
  • Plan Mode enables better organization of multi-phase audits
  • It allows the user to validate the approach before execution
  • If Plan Mode is not available, proceed directly with execution
Plan Mode provides better traceability and user control over the audit process.
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
  • Write to 
    .sb-pentest-context.json
    IMMEDIATELY after each discovery
  • Log to 
    .sb-pentest-audit.log
    BEFORE and AFTER each action
  • DO NOT wait until a phase or skill completes to update files
  • If the audit crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill orchestrates a complete security audit of a Supabase-based application, guiding you through each phase with validation checkpoints.
🔵 推荐:复杂审计使用Plan Mode
当你的环境支持Plan Mode时,强烈建议在开始审计前激活它:
  • 在统筹流程开始时使用
    EnterPlanMode
    工具
  • Plan Mode能更好地组织多阶段审计
  • 它允许用户在执行前验证审计方案
  • 如果不支持Plan Mode,直接进入执行阶段
Plan Mode能为审计流程提供更好的可追溯性和用户控制权。
🔴 关键要求:需逐步更新文件
你必须逐步写入上下文文件,而不是只在最后统一写入。
  • 每次发现问题后立即写入
    .sb-pentest-context.json
  • 每次操作前后都要记录到
    .sb-pentest-audit.log
  • 不要等到某个阶段或技能完成后再更新文件
  • 如果审计崩溃或中断,所有已有的发现必须已保存
这是强制性要求。不逐步更新文件属于严重错误。
本工具可统筹完成基于Supabase的应用的完整安全审计,通过验证检查点引导你完成每个阶段。

⚠️ MANDATORY: Progressive Context File Management

⚠️ 强制性要求:逐步上下文文件管理

BEFORE starting any audit, you MUST:
  1. Create 
    .sb-pentest-context.json
    if it doesn't exist
  2. Create 
    .sb-pentest-audit.log
    if it doesn't exist
  3. Create 
    .sb-pentest-evidence/
    directory structure
  4. Initialize context with target URL and timestamp
DURING execution - WRITE AS YOU GO:
  1. BEFORE each action → Log to 
    .sb-pentest-audit.log
  2. AFTER each discovery → IMMEDIATELY update 
    .sb-pentest-context.json
  3. AFTER each test → Save evidence to 
    .sb-pentest-evidence/
  4. DO NOT batch writes → Each finding must be saved as it's discovered
  5. Verify after each skill → Check that ALL files were updated before proceeding
在开始任何审计之前,你必须:
  1. 如果
    .sb-pentest-context.json
    不存在则创建它
  2. 如果
    .sb-pentest-audit.log
    不存在则创建它
  3. 创建
    .sb-pentest-evidence/
    目录结构
  4. 用目标URL和时间戳初始化上下文
执行过程中——逐步写入:
  1. 每次操作前 → 记录到
    .sb-pentest-audit.log
  2. 每次发现问题后 → 立即更新
    .sb-pentest-context.json
  3. 每次测试后 → 将证据保存到
    .sb-pentest-evidence/
  4. 不要批量写入 → 每个发现必须在发现时立即保存
  5. 每次技能执行后验证 → 检查所有文件已更新后再继续

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

📋 系统化文档要求

All tracking files MUST be systematically maintained throughout the entire audit.
整个审计过程中必须系统维护所有跟踪文件。

Required Files (MANDATORY)

必需文件(强制性)

FilePurposeUpdate Frequency
.sb-pentest-context.json
Centralized state and findingsAfter EVERY discovery
.sb-pentest-audit.log
Chronological action logBEFORE and AFTER every action
.sb-pentest-evidence/timeline.md
Timestamped findings narrativeAfter EVERY significant finding
.sb-pentest-evidence/curl-commands.sh
Reproducible test commandsAfter EVERY curl/HTTP request
文件用途更新频率
.sb-pentest-context.json
集中存储状态和发现结果每次发现问题后
.sb-pentest-audit.log
按时间顺序记录操作日志每次操作前后
.sb-pentest-evidence/timeline.md
带时间戳的发现记录每次有重要发现后
.sb-pentest-evidence/curl-commands.sh
可复现的测试命令每次执行curl/HTTP请求后

Verification Checklist (Before Each Phase Transition)

阶段转换前的验证清单

Before moving to the next phase, the orchestrator MUST verify:
  • .sb-pentest-context.json
    contains all discoveries from current phase
  • .sb-pentest-audit.log
    has entries for all actions performed
  • Evidence files exist in 
    .sb-pentest-evidence/XX-phase-name/
  • timeline.md
    is updated with any P0/P1/P2 findings
  • curl-commands.sh
    contains all HTTP requests made
If any file is missing or incomplete, DO NOT proceed to the next phase.
进入下一阶段前,统筹工具必须验证:
  • .sb-pentest-context.json
    包含当前阶段的所有发现
  • .sb-pentest-audit.log
    有所有执行操作的记录
  • 证据文件已保存到
    .sb-pentest-evidence/XX-phase-name/
  • timeline.md
    已更新所有P0/P1/P2级发现
  • curl-commands.sh
    包含所有已发送的HTTP请求
如果任何文件缺失或不完整,请勿进入下一阶段。

Progressive Write Pattern

逐步写入模式

Each skill MUST follow this pattern:
1. [LOG] Write START entry to audit.log
2. [CONTEXT] Update context.json with "phase_in_progress"
3. [ACTION] Perform the test/scan
4. [EVIDENCE] Save evidence file IMMEDIATELY
5. [CURL] Append curl command to curl-commands.sh
6. [TIMELINE] Update timeline.md if significant finding
7. [CONTEXT] Update context.json with results
8. [LOG] Write COMPLETE entry to audit.log
每个技能必须遵循以下模式:
1. [日志] 向audit.log写入开始记录
2. [上下文] 更新context.json中的"phase_in_progress"
3. [操作] 执行测试/扫描
4. [证据] 立即保存证据文件
5. [CURL] 将curl命令追加到curl-commands.sh
6. [时间线] 如果有重要发现则更新timeline.md
7. [上下文] 更新context.json中的结果
8. [日志] 向audit.log写入完成记录

Failure Recovery

故障恢复

If a skill or phase fails:
  • All files updated up to the failure point are preserved
  • The audit can be resumed from the last successful checkpoint
  • Context file indicates exactly where the audit stopped
⚠️ WHY THIS MATTERS:
  • If the audit is interrupted, crashes, or times out, findings up to that point are preserved
  • Long-running skills must save progress incrementally, not just at the end
  • Users can monitor progress in real-time by watching the log file
FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.
Each individual skill is responsible for updating these files AS IT WORKS, not just at completion. If a skill does not update the context progressively, the orchestrator must do it immediately after each discovery.
如果某个技能或阶段失败:
  • 故障发生前更新的所有文件都会被保留
  • 审计可以从最后一个成功的检查点恢复
  • 上下文文件会明确指示审计中断的位置
⚠️ 为什么这很重要:
  • 如果审计被中断、崩溃或超时,截至该点的所有发现都会被保留
  • 耗时较长的技能必须逐步保存进度,而不是只在最后保存
  • 用户可以通过查看日志文件实时监控进度
不逐步更新上下文文件是不被允许的。
每个独立技能在工作时都负责更新这些文件,而不是只在完成后更新。如果某个技能没有逐步更新上下文,统筹工具必须在每次发现后立即更新。

When to Use This Skill

何时使用本工具

  • Running a complete security assessment on a Supabase application
  • Performing internal security self-assessment before production
  • Auditing an application after security concerns are raised
  • Conducting periodic security reviews
  • 对Supabase应用进行完整的安全评估
  • 上线前执行内部安全自我评估
  • 出现安全问题后对应用进行审计
  • 定期进行安全审查

Prerequisites

前提条件

  • A public URL of the application to audit
  • Authorization to test the target application (you must own it or have explicit permission)
  • Internet access to reach the target URL
  • 待审计应用的公开URL
  • 测试目标应用的权限(你必须拥有该应用或获得明确许可)
  • 可访问目标URL的网络环境

Important Security Notice

重要安全声明

⚠️  AUTHORIZATION REQUIRED

Before proceeding, you must confirm:

1. I own this application, OR
2. I have explicit written authorization to perform security testing

Unauthorized security testing may violate laws and terms of service.
Type "I confirm I am authorized to test this application" to proceed.
⚠️  需要授权

继续之前,你必须确认:

1. 我拥有此应用,或
2. 我已获得明确的书面授权进行安全测试

未经授权的安全测试可能违反法律和服务条款。
输入"我确认我有权测试此应用"以继续。

Audit Phases

审计阶段

The orchestrator runs these phases sequentially with confirmation between each.
📁 REMINDER: After EVERY phase, verify that:
  • .sb-pentest-context.json
    is updated with phase results
  • .sb-pentest-audit.log
    has START and COMPLETE entries
  • Evidence files are saved to 
    .sb-pentest-evidence/XX-phase/
  • timeline.md
    reflects any significant findings
  • curl-commands.sh
    contains all HTTP requests made
统筹工具会按顺序运行这些阶段,每个阶段之间需要确认。
📁 提醒:每个阶段结束后,验证:
  • .sb-pentest-context.json
    已更新阶段结果
  • .sb-pentest-audit.log
    有开始和完成记录
  • 证据文件已保存到
    .sb-pentest-evidence/XX-phase/
  • timeline.md
    已记录重要发现
  • curl-commands.sh
    包含所有已发送的HTTP请求

Phase 0: Initialization

阶段0:初始化

Sets up the audit environment and evidence collection.
Pre-Phase Action (if supported):
  • Use 
    EnterPlanMode
     if the environment supports it
  • This allows the user to validate the audit approach before execution
  • If Plan Mode is not available, proceed directly
Actions:
  • Create 
    .sb-pentest-context.json
  • Create 
    .sb-pentest-audit.log
  • Create 
    .sb-pentest-evidence/
    directory structure
  • Initialize 
    curl-commands.sh
    with header
  • Initialize 
    timeline.md
    with audit start
  • Log initialization to 
    .sb-pentest-audit.log
Skills invoked:
  • supabase-evidence
    (initialization)
Verification before proceeding:
  • All 4 tracking files exist
  • Evidence directory structure is complete
  • User authorization confirmed
Output: Ready to collect evidence with full directory structure
设置审计环境和证据收集机制。
阶段前操作(如果支持):
  • 如果环境支持,使用
    EnterPlanMode
  • 这允许用户在执行前验证审计方案
  • 如果不支持Plan Mode,直接进入下一阶段
操作:
  • 创建
    .sb-pentest-context.json
  • 创建
    .sb-pentest-audit.log
  • 创建
    .sb-pentest-evidence/
    目录结构
  • 用头部信息初始化
    curl-commands.sh
  • 用审计开始时间初始化
    timeline.md
  • 将初始化操作记录到
    .sb-pentest-audit.log
调用的技能:
  • supabase-evidence
    (初始化)
继续前的验证:
  • 所有4个跟踪文件已存在
  • 证据目录结构完整
  • 用户已确认授权
输出: 已准备好完整的目录结构用于收集证据

Phase 1: Detection

阶段1:检测

Determines if the target uses Supabase and extracts basic information.
Skills invoked:
  • supabase-detect
Output: Confirmation of Supabase usage, project URL identified
Evidence saved to: 
.sb-pentest-evidence/01-detection/
确定目标是否使用Supabase并提取基本信息。
调用的技能:
  • supabase-detect
输出: 确认是否使用Supabase,识别项目URL
证据保存到: 
.sb-pentest-evidence/01-detection/

Phase 2: Key Extraction

阶段2:密钥提取

Scans client-side code for exposed credentials.
Skills invoked:
  • supabase-extract-url
  • supabase-extract-anon-key
  • supabase-extract-service-key
  • supabase-extract-jwt
  • supabase-extract-db-string
Output: List of all discovered credentials with severity assessment
Evidence saved to: 
.sb-pentest-evidence/02-extraction/
扫描客户端代码以查找暴露的凭证。
调用的技能:
  • supabase-extract-url
  • supabase-extract-anon-key
  • supabase-extract-service-key
  • supabase-extract-jwt
  • supabase-extract-db-string
输出: 所有发现的凭证列表及风险等级评估
证据保存到: 
.sb-pentest-evidence/02-extraction/

Phase 3: API Audit

阶段3:API审计

Tests PostgREST API exposure and RLS policies.
Skills invoked:
  • supabase-audit-tables-list
  • supabase-audit-tables-read
  • supabase-audit-rls
  • supabase-audit-rpc
Output: Tables accessible, data exposure assessment, RLS gaps
Evidence saved to: 
.sb-pentest-evidence/03-api-audit/
测试PostgREST API暴露情况和RLS策略。
调用的技能:
  • supabase-audit-tables-list
  • supabase-audit-tables-read
  • supabase-audit-rls
  • supabase-audit-rpc
输出: 可访问的表、数据暴露评估、RLS漏洞
证据保存到: 
.sb-pentest-evidence/03-api-audit/

Phase 4: Storage Audit

阶段4:存储审计

Checks storage bucket configurations and access.
Skills invoked:
  • supabase-audit-buckets-list
  • supabase-audit-buckets-read
  • supabase-audit-buckets-public
Output: Bucket inventory, public exposure, accessible files
Evidence saved to: 
.sb-pentest-evidence/04-storage-audit/
检查存储桶配置和访问权限。
调用的技能:
  • supabase-audit-buckets-list
  • supabase-audit-buckets-read
  • supabase-audit-buckets-public
输出: 存储桶清单、公开暴露情况、可访问文件
证据保存到: 
.sb-pentest-evidence/04-storage-audit/

Phase 5: Auth Audit

阶段5:认证审计

Analyzes authentication configuration and potential weaknesses.
Skills invoked:
  • supabase-audit-auth-config
  • supabase-audit-auth-signup
  • supabase-audit-auth-users
  • supabase-audit-authenticated
    NEW: Creates test user (with consent) to detect IDOR
Output: Auth provider analysis, signup restrictions, enumeration risks, authenticated vs anonymous comparison
Evidence saved to: 
.sb-pentest-evidence/05-auth-audit/
⚠️ Note: 
supabase-audit-authenticated
will ask for explicit consent before creating a test user. This is optional but highly recommended to detect IDOR and cross-user access vulnerabilities.
分析认证配置和潜在弱点。
调用的技能:
  • supabase-audit-auth-config
  • supabase-audit-auth-signup
  • supabase-audit-auth-users
  • supabase-audit-authenticated
    新增:经同意后创建测试用户以检测IDOR
输出: 认证提供商分析、注册限制、枚举风险、认证用户与匿名用户对比
证据保存到: 
.sb-pentest-evidence/05-auth-audit/
⚠️ 注意: 
supabase-audit-authenticated
在创建测试用户前会请求明确同意。这是可选操作,但强烈建议执行以检测IDOR和跨用户访问漏洞。

Phase 6: Realtime & Functions Audit

阶段6:实时功能与函数审计

Tests WebSocket channels and Edge Functions.
Skills invoked:
  • supabase-audit-realtime
  • supabase-audit-functions
Output: Exposed channels, function endpoints, access control issues
Evidence saved to: 
.sb-pentest-evidence/06-realtime-audit/
and 
.sb-pentest-evidence/07-functions-audit/
测试WebSocket通道和Edge Functions。
调用的技能:
  • supabase-audit-realtime
  • supabase-audit-functions
输出: 暴露的通道、函数端点、访问控制问题
证据保存到: 
.sb-pentest-evidence/06-realtime-audit/
.sb-pentest-evidence/07-functions-audit/

Phase 7: Report Generation

阶段7:报告生成

Compiles all findings into a comprehensive report.
Skills invoked:
  • supabase-report
Output: Full Markdown report with executive summary, findings, and remediation
将所有发现整理成综合报告。
调用的技能:
  • supabase-report
输出: 完整的Markdown报告,包含执行摘要、发现结果和修复建议

Workflow with Plan Mode

Plan Mode工作流

When Plan Mode is supported, the recommended workflow is:
1. User requests audit → Agent uses EnterPlanMode
2. Agent explores target superficially (detect Supabase, extract URL)
3. Agent writes plan to plan file with:
   - Target URL
   - Detected Supabase configuration
   - Proposed phases to execute
   - Estimated scope
4. Agent uses ExitPlanMode → User reviews and approves
5. Agent executes phases with systematic file updates
6. After each phase → Agent confirms files are updated
7. Final report generation
Benefits of Plan Mode:
  • User can adjust scope before execution starts
  • Better visibility into what will be tested
  • Clearer audit trail from planning to execution
当支持Plan Mode时,推荐工作流如下:
1. 用户请求审计 → 智能体使用EnterPlanMode
2. 智能体初步探查目标(检测Supabase、提取URL)
3. 智能体将方案写入计划文件,包含:
   - 目标URL
   - 检测到的Supabase配置
   - 建议执行的阶段
   - 预估范围
4. 智能体使用ExitPlanMode → 用户审核并批准
5. 智能体执行阶段并系统更新文件
6. 每个阶段后 → 智能体确认文件已更新
7. 生成最终报告
Plan Mode的优势:
  • 用户可在执行前调整范围
  • 更清晰地了解将测试的内容
  • 从规划到执行的审计轨迹更明确

Usage

使用方法

Basic Full Audit (with Plan Mode)

基础完整审计(使用Plan Mode)

Run a Supabase security audit on https://myapp.example.com
The agent SHOULD:
  1. Use 
    EnterPlanMode
    if available
  2. Present the audit plan for approval
  3. Execute with systematic file updates
Run a Supabase security audit on https://myapp.example.com
智能体应:
  1. 如果可用则使用
    EnterPlanMode
  2. 提交审计方案供批准
  3. 执行并系统更新文件

Basic Full Audit (without Plan Mode)

基础完整审计(不使用Plan Mode)

Run a Supabase security audit on https://myapp.example.com --no-plan
Run a Supabase security audit on https://myapp.example.com --no-plan

Resume from Phase

从指定阶段恢复

Continue Supabase audit from Phase 3 (API Audit)
Continue Supabase audit from Phase 3 (API Audit)

Skip Specific Phases

跳过指定阶段

Run Supabase audit on https://myapp.example.com, skip auth audit
Run Supabase audit on https://myapp.example.com, skip auth audit

Context Files and Evidence (MANDATORY)

上下文文件和证据(强制性)

⚠️ CRITICAL: Updating tracking files and collecting evidence is MANDATORY.
The orchestrator creates and manages:
File/DirectoryPurpose
.sb-pentest-context.json
Stores extracted data between phases
.sb-pentest-audit.log
Logs all actions with timestamps
.sb-pentest-evidence/
Evidence directory for professional audits
⚠️ 关键要求:更新跟踪文件和收集证据是强制性的。
统筹工具创建并管理:
文件/目录用途
.sb-pentest-context.json
阶段间存储提取的数据
.sb-pentest-audit.log
带时间戳记录所有操作
.sb-pentest-evidence/
专业审计的证据目录

Evidence Collection

证据收集

The orchestrator initializes the evidence directory at the start of every audit:
.sb-pentest-evidence/
├── README.md                    # Evidence index
├── curl-commands.sh             # All reproducible curl commands
├── timeline.md                  # Chronological findings
├── 01-detection/                # Detection evidence
├── 02-extraction/               # Key extraction evidence
├── 03-api-audit/                # API audit evidence
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # Storage audit evidence
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # Auth audit evidence
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # Realtime audit evidence
├── 07-functions-audit/          # Functions audit evidence
└── screenshots/                 # Optional screenshots
Each skill MUST save evidence to its respective directory as it works.
统筹工具在每次审计开始时初始化证据目录:
.sb-pentest-evidence/
├── README.md                    # 证据索引
├── curl-commands.sh             # 所有可复现的curl命令
├── timeline.md                  # 按时间顺序的发现记录
├── 01-detection/                # 检测阶段证据
├── 02-extraction/               # 密钥提取阶段证据
├── 03-api-audit/                # API审计阶段证据
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # 存储审计阶段证据
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # 认证审计阶段证据
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # 实时功能审计阶段证据
├── 07-functions-audit/          # 函数审计阶段证据
└── screenshots/                 # 可选截图
每个技能必须在工作时将证据保存到对应的目录。

Mandatory Update Rules

强制性更新规则

  1. After each skill execution, 
    .sb-pentest-context.json
    MUST be updated with results
  2. Every action MUST be logged in 
    .sb-pentest-audit.log
    with timestamp
  3. If files don't exist, they MUST be created at audit start
  4. Never complete a skill without updating context files
  1. 每个技能执行后,必须用结果更新
    .sb-pentest-context.json
  2. 每个操作必须带时间戳记录到
    .sb-pentest-audit.log
  3. 如果文件不存在,必须在审计开始时创建
  4. 不要在技能完成后才更新上下文文件

Mandatory Log Format

强制性日志格式

Each entry in 
.sb-pentest-audit.log
must follow this format:
[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message
Example:
[2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated
.sb-pentest-audit.log
中的每个条目必须遵循以下格式:
[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] 消息
示例:
[2025-01-31 14:00:00] [supabase-detect] [START] 开始检测Supabase
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] 检测到Supabase
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json已更新

Context File Structure

上下文文件结构

json
{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}
json
{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}

Rate Limiting

请求频率限制

The orchestrator implements adaptive rate limiting:
  1. Starts with normal request speed
  2. If HTTP 429 (Too Many Requests) is detected, backs off exponentially
  3. Respects Supabase's rate limit headers
统筹工具实现了自适应请求频率限制:
  1. 以正常请求速度开始
  2. 如果检测到HTTP 429(请求过多),则指数级降低请求频率
  3. 遵守Supabase的频率限制头部信息

Output Format

输出格式

After each phase:
═══════════════════════════════════════════════════════════
 PHASE 2 COMPLETE: Key Extraction
═══════════════════════════════════════════════════════════

 Findings:
 ├── ✅ Anon key found (expected)
 ├── ❌ P0: Service role key EXPOSED in main.js:1247
 └── ⚠️  P1: JWT secret pattern detected

 Proceed to Phase 3 (API Audit)? [Y/n]
═══════════════════════════════════════════════════════════
每个阶段结束后:
═══════════════════════════════════════════════════════════
 阶段2完成:密钥提取
═══════════════════════════════════════════════════════════

 发现结果:
 ├── ✅ 找到Anon密钥(符合预期)
 ├── ❌ P0级:Service角色密钥在main.js:1247中暴露
 └── ⚠️  P1级:检测到JWT密钥模式

 是否进入阶段3(API审计)?[Y/n]
═══════════════════════════════════════════════════════════

Best Practices

最佳实践

  • Run audits in non-production hours to minimize impact
  • Save the context file for audit trail purposes
  • Review findings with your security team before remediation
  • Re-run the audit after implementing fixes to verify
  • 在非工作时间运行审计以减少影响
  • 保存上下文文件用于审计轨迹记录
  • 修复前与安全团队一起审查发现结果
  • 实施修复后重新运行审计以验证效果

Common Issues

常见问题

Problem: Audit stops at Phase 1 with "Supabase not detected" ✅ Solution: The app may use a custom domain. Manually provide the Supabase URL:
Run audit with Supabase URL https://myproject.supabase.co
Problem: Rate limited during audit ✅ Solution: The orchestrator auto-adjusts. If persistent, wait 5 minutes and resume.
Problem: Context file corrupted ✅ Solution: Delete 
.sb-pentest-context.json
and restart the audit.
问题:审计在阶段1停止,提示"未检测到Supabase"解决方案: 应用可能使用了自定义域名。手动提供Supabase URL:
Run audit with Supabase URL https://myproject.supabase.co
问题:审计过程中被频率限制解决方案: 统筹工具会自动调整。如果持续出现,等待5分钟后恢复。
问题:上下文文件损坏解决方案: 删除
.sb-pentest-context.json
并重新开始审计。

Related Skills

相关技能

  • supabase-help
    — Quick reference for all skills
  • supabase-evidence
    — Evidence collection management
  • supabase-report
    — Generate report from existing context
  • supabase-report-compare
    — Compare with previous audits
  • supabase-help
    — 所有技能的快速参考
  • supabase-evidence
    — 证据收集管理
  • supabase-report
    — 从现有上下文生成报告
  • supabase-report-compare
    — 与之前的审计结果对比