Security Report Generator
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to IMMEDIATELY as you process each section
- Update with report metadata progressively
- DO NOT wait until the entire report is generated to update files
- If the skill crashes or is interrupted, the partial progress must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill generates a comprehensive Markdown security audit report from all collected findings.
When to Use This Skill
- After completing security audit phases
- To document findings for stakeholders
- To create actionable remediation plans
- For compliance and audit trail purposes
Prerequisites
- Audit phases completed (context file populated)
- Findings collected in
Report Structure
The generated report includes:
- Executive Summary — High-level overview for management
- Security Score — Quantified risk assessment
- Critical Findings (P0) — Immediate action required
- High Findings (P1) — Address soon
- Medium Findings (P2) — Plan to address
- Detailed Analysis — Per-component breakdown
- Remediation Plan — Prioritized action items
- Appendix — Technical details, methodology
Usage
Generate Report
Generate security report from audit findings
Custom Report Name
Generate report as security-audit-2025-01.md
Specific Sections
Generate executive summary only
Output Format
markdown
# Supabase Security Audit Report
**Target:** https://myapp.example.com
**Project:** abc123def.supabase.co
**Date:** January 31, 2025
**Auditor:** Internal Security Team
---
## Executive Summary
### Overview
This security audit identified **12 vulnerabilities** across the Supabase implementation, including **3 critical (P0)** issues requiring immediate attention.
### Key Findings
|----------|-------|--------|
| 🔴 P0 (Critical) | 3 | Immediate action required |
| 🟠 P1 (High) | 4 | Address within 7 days |
| 🟡 P2 (Medium) | 5 | Address within 30 days |
### Security Score
**Score: 35/100 (Grade: D)**
The application has significant security gaps that expose user data and allow privilege escalation. Critical issues must be addressed before the application can be considered secure.
### Most Critical Issues
1. **Service Role Key Exposed** — Full database access possible
2. **Database Backups Public** — All data downloadable
3. **Admin Function No Auth** — Any user can access admin features
### Recommended Actions
1. ⚡ **Immediate (Today):**
- Rotate service role key
- Make backup bucket private
- Add admin role verification
2. 🔜 **This Week:**
- Enable RLS on all tables
- Enable email confirmation
- Fix IDOR in Edge Functions
3. 📅 **This Month:**
- Strengthen password policy
- Restrict CORS origins
- Add rate limiting to functions
---
## Critical Findings (P0)
### P0-001: Service Role Key Exposed in Client Code
**Severity:** 🔴 Critical
**Component:** Key Management
**CVSS:** 9.8 (Critical)
#### Description
The Supabase service_role key was found in client-side JavaScript code. This key bypasses all Row Level Security policies and provides full database access.
#### Location
File: /static/js/admin.chunk.js
Line: 89
Code: const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiI...'
#### Impact
- Full read/write access to all database tables
- Bypass of all RLS policies
- Access to auth.users table (all user data)
- Ability to delete or modify any data
#### Proof of Concept
```bash
curl 'https://abc123def.supabase.co/rest/v1/users' \
-H 'apikey: [service_role_key]' \
-H 'Authorization: Bearer [service_role_key]'
# Returns ALL users with full data
Remediation
Immediate:
- Rotate the service role key in Supabase Dashboard
- Settings → API → Regenerate service_role key
- Remove the key from client code
- Redeploy the application
Long-term:
typescript
// Move privileged operations to Edge Functions
// supabase/functions/admin-action/index.ts
import { createClient } from '@supabase/supabase-js'
Deno.serve(async (req) => {
// Service key only on server
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
)
// Verify caller is admin before proceeding
// ...
})
Documentation:
P0-002: Database Backups Publicly Accessible
Severity: 🔴 Critical
Component: Storage
CVSS: 9.1 (Critical)
Description
The storage bucket named "backups" is configured as public, exposing database dumps, user exports, and environment secrets.
Exposed Files
| File | Size | Content |
|---|
| db-backup-2025-01-30.sql | 125MB | Full database dump |
| users-export.csv | 2.3MB | All user data with PII |
| secrets.env | 1KB | API keys and passwords |
Impact
- Complete data breach (all database content)
- Exposed credentials for third-party services
- User PII exposed (emails, names, etc.)
Remediation
Immediate:
sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';
-- Delete or move files
-- Consider incident response procedures
Credential Rotation:
- Stripe API keys
- Database password
- JWT secret
- Any other keys in secrets.env
P0-003: Admin Edge Function Privilege Escalation
Severity: 🔴 Critical
Component: Edge Functions
CVSS: 8.8 (High)
Description
The
/functions/v1/admin-panel
Edge Function is accessible to any authenticated user without role verification.
[... additional P0 findings ...]
High Findings (P1)
P1-001: Email Confirmation Disabled
Severity: 🟠 High
Component: Authentication
[... P1 findings ...]
Medium Findings (P2)
P2-001: Weak Password Policy
Severity: 🟡 Medium
Component: Authentication
[... P2 findings ...]
Detailed Analysis by Component
API Security
| Table | RLS | Access Level | Status |
|---|
| users | ❌ | Full read | 🔴 P0 |
| orders | ✅ | None | ✅ |
| posts | ✅ | Published only | ✅ |
Storage Security
| Bucket | Public | Sensitive Files | Status |
|---|
| avatars | Yes | No | ✅ |
| backups | Yes | Yes (45 files) | 🔴 P0 |
Authentication
| Setting | Current | Recommended | Status |
|---|
| Email confirm | Disabled | Enabled | 🟠 P1 |
| Password min | 6 | 8+ | 🟡 P2 |
Remediation Plan
Phase 1: Critical (Immediate)
| ID | Action | Owner | Deadline |
|---|
| P0-001 | Rotate service key | DevOps | Today |
| P0-002 | Make backups private | DevOps | Today |
| P0-003 | Add admin role check | Backend | Today |
Phase 2: High Priority (This Week)
| ID | Action | Owner | Deadline |
|---|
| P1-001 | Enable email confirmation | Backend | 3 days |
| P1-002 | Fix IDOR in get-user-data | Backend | 3 days |
Phase 3: Medium Priority (This Month)
| ID | Action | Owner | Deadline |
|---|
| P2-001 | Strengthen password policy | Backend | 14 days |
| P2-002 | Restrict CORS origins | DevOps | 14 days |
Appendix
A. Methodology
This audit was performed using the Supabase Pentest Skills toolkit, which includes:
- Passive reconnaissance of client-side code
- API endpoint testing with anon and service keys
- Storage bucket enumeration and access testing
- Authentication flow analysis
- Real-time channel subscription testing
B. Tools Used
- supabase-pentest-skills v1.0.0
- curl for API testing
- Browser DevTools for client code analysis
C. Audit Scope
- Target URL: https://myapp.example.com
- Supabase Project: abc123def
- Components tested: API, Storage, Auth, Realtime, Edge Functions
- Exclusions: None
D. Audit Log
Full audit log available in
Report generated by supabase-pentest-skills
Audit completed: January 31, 2025 at 15:00 UTC
## Score Calculation
The security score is calculated based on:
| Factor | Weight | Calculation |
|--------|--------|-------------|
| P0 findings | -25 per issue | Critical vulnerabilities |
| P1 findings | -10 per issue | High severity issues |
| P2 findings | -5 per issue | Medium severity issues |
| RLS coverage | +10 if 100% | All tables have RLS |
| Auth hardening | +10 | Email confirm, strong passwords |
| Base score | 100 | Starting point |
### Grade Scale
| Score | Grade | Description |
|-------|-------|-------------|
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good, minor improvements needed |
| 70-79 | C | Acceptable, address issues |
| 60-69 | D | Poor, significant issues |
| 0-59 | F | Critical, immediate action needed |
## Context Input
The report generator reads from `.sb-pentest-context.json`:
```json
{
"target_url": "https://myapp.example.com",
"supabase": {
"project_url": "https://abc123def.supabase.co",
"project_ref": "abc123def"
},
"findings": [
{
"id": "P0-001",
"severity": "P0",
"component": "keys",
"title": "Service Role Key Exposed",
"description": "...",
"location": "...",
"remediation": "..."
}
],
"audit_completed": "2025-01-31T15:00:00Z"
}
Report Customization
Include/Exclude Sections
Generate report without appendix
Generate report with executive summary only
Different Formats
Generate report in JSON format
Generate report summary as HTML
MANDATORY: Context File Dependency
⚠️ This skill REQUIRES properly populated tracking files.
Prerequisites
Before generating a report, ensure:
- exists and contains findings from audit skills
- exists with timestamped actions
- All relevant audit skills have updated these files
If Context Files Are Missing
If context files are missing or empty:
- DO NOT generate an empty report
- Inform the user that audit skills must be run first
- Recommend running for a complete audit
Report Generation Output
After generating the report, this skill MUST:
-
[TIMESTAMP] [supabase-report] [START] Generating security report
[TIMESTAMP] [supabase-report] [SUCCESS] Report generated: supabase-audit-report.md
[TIMESTAMP] [supabase-report] [CONTEXT_UPDATED] Report generation logged
-
Update with report metadata:
json
{
"report": {
"generated_at": "...",
"filename": "supabase-audit-report.md",
"findings_count": { "p0": 3, "p1": 4, "p2": 5 }
}
}
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
Related Skills
- — Compare with previous reports
- — Run full audit first
- — List all available skills