supabase-report skill

---
name: supabase-report
description: Generate a comprehensive Markdown security audit report with executive summary, findings, and remediation guidance.
---

# Security Report Generator

> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-audit.log` **IMMEDIATELY as you process each section**
> - Update `.sb-pentest-context.json` with report metadata **progressively**
> - **DO NOT** wait until the entire report is generated to update files
> - If the skill crashes or is interrupted, the partial progress must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill generates a comprehensive Markdown security audit report from all collected findings.

## When to Use This Skill

- After completing security audit phases
- To document findings for stakeholders
- To create actionable remediation plans
- For compliance and audit trail purposes

## Prerequisites

- Audit phases completed (context file populated)
- Findings collected in `.sb-pentest-context.json`

## Report Structure

The generated report includes:

1. **Executive Summary** — High-level overview for management
2. **Security Score** — Quantified risk assessment
3. **Critical Findings (P0)** — Immediate action required
4. **High Findings (P1)** — Address soon
5. **Medium Findings (P2)** — Plan to address
6. **Detailed Analysis** — Per-component breakdown
7. **Remediation Plan** — Prioritized action items
8. **Appendix** — Technical details, methodology

## Usage

### Generate Report

```
Generate security report from audit findings
```

### Custom Report Name

```
Generate report as security-audit-2025-01.md
```

### Specific Sections

```
Generate executive summary only
```

## Output Format

The skill generates `supabase-audit-report.md`:

```markdown
# Supabase Security Audit Report

**Target:** https://myapp.example.com
**Project:** abc123def.supabase.co
**Date:** January 31, 2025
**Auditor:** Internal Security Team

---

## Executive Summary

### Overview

This security audit identified **12 vulnerabilities** across the Supabase implementation, including **3 critical (P0)** issues requiring immediate attention.

### Key Findings

| Severity | Count | Status |
|----------|-------|--------|
| 🔴 P0 (Critical) | 3 | Immediate action required |
| 🟠 P1 (High) | 4 | Address within 7 days |
| 🟡 P2 (Medium) | 5 | Address within 30 days |

### Security Score

**Score: 35/100 (Grade: D)**

The application has significant security gaps that expose user data and allow privilege escalation. Critical issues must be addressed before the application can be considered secure.

### Most Critical Issues

1. **Service Role Key Exposed** — Full database access possible
2. **Database Backups Public** — All data downloadable
3. **Admin Function No Auth** — Any user can access admin features

### Recommended Actions

1. ⚡ **Immediate (Today):**
   - Rotate service role key
   - Make backup bucket private
   - Add admin role verification

2. 🔜 **This Week:**
   - Enable RLS on all tables
   - Enable email confirmation
   - Fix IDOR in Edge Functions

3. 📅 **This Month:**
   - Strengthen password policy
   - Restrict CORS origins
   - Add rate limiting to functions

---

## Critical Findings (P0)

### P0-001: Service Role Key Exposed in Client Code

**Severity:** 🔴 Critical
**Component:** Key Management
**CVSS:** 9.8 (Critical)

#### Description

The Supabase service_role key was found in client-side JavaScript code. This key bypasses all Row Level Security policies and provides full database access.

#### Location

```
File: /static/js/admin.chunk.js
Line: 89
Code: const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiI...'
```

#### Impact

- Full read/write access to all database tables
- Bypass of all RLS policies
- Access to auth.users table (all user data)
- Ability to delete or modify any data

#### Proof of Concept

```bash
curl 'https://abc123def.supabase.co/rest/v1/users' \
  -H 'apikey: [service_role_key]' \
  -H 'Authorization: Bearer [service_role_key]'

# Returns ALL users with full data
```

#### Remediation

**Immediate:**
1. Rotate the service role key in Supabase Dashboard
   - Settings → API → Regenerate service_role key
2. Remove the key from client code
3. Redeploy the application

**Long-term:**
```typescript
// Move privileged operations to Edge Functions
// supabase/functions/admin-action/index.ts

import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => {
  // Service key only on server
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL')!,
    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
  )

  // Verify caller is admin before proceeding
  // ...
})
```

**Documentation:**
- [Supabase API Keys](https://supabase.com/docs/guides/api/api-keys)
- [Edge Functions](https://supabase.com/docs/guides/functions)

---

### P0-002: Database Backups Publicly Accessible

**Severity:** 🔴 Critical
**Component:** Storage
**CVSS:** 9.1 (Critical)

#### Description

The storage bucket named "backups" is configured as public, exposing database dumps, user exports, and environment secrets.

#### Exposed Files

| File | Size | Content |
|------|------|---------|
| db-backup-2025-01-30.sql | 125MB | Full database dump |
| users-export.csv | 2.3MB | All user data with PII |
| secrets.env | 1KB | API keys and passwords |

#### Impact

- Complete data breach (all database content)
- Exposed credentials for third-party services
- User PII exposed (emails, names, etc.)

#### Remediation

**Immediate:**
```sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Delete or move files
-- Consider incident response procedures
```

**Credential Rotation:**
- Stripe API keys
- Database password
- JWT secret
- Any other keys in secrets.env

---

### P0-003: Admin Edge Function Privilege Escalation

**Severity:** 🔴 Critical
**Component:** Edge Functions
**CVSS:** 8.8 (High)

#### Description

The `/functions/v1/admin-panel` Edge Function is accessible to any authenticated user without role verification.

[... additional P0 findings ...]

---

## High Findings (P1)

### P1-001: Email Confirmation Disabled

**Severity:** 🟠 High
**Component:** Authentication

[... P1 findings ...]

---

## Medium Findings (P2)

### P2-001: Weak Password Policy

**Severity:** 🟡 Medium
**Component:** Authentication

[... P2 findings ...]

---

## Detailed Analysis by Component

### API Security

| Table | RLS | Access Level | Status |
|-------|-----|--------------|--------|
| users | ❌ | Full read | 🔴 P0 |
| orders | ✅ | None | ✅ |
| posts | ✅ | Published only | ✅ |

### Storage Security

| Bucket | Public | Sensitive Files | Status |
|--------|--------|-----------------|--------|
| avatars | Yes | No | ✅ |
| backups | Yes | Yes (45 files) | 🔴 P0 |

### Authentication

| Setting | Current | Recommended | Status |
|---------|---------|-------------|--------|
| Email confirm | Disabled | Enabled | 🟠 P1 |
| Password min | 6 | 8+ | 🟡 P2 |

---

## Remediation Plan

### Phase 1: Critical (Immediate)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P0-001 | Rotate service key | DevOps | Today |
| P0-002 | Make backups private | DevOps | Today |
| P0-003 | Add admin role check | Backend | Today |

### Phase 2: High Priority (This Week)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P1-001 | Enable email confirmation | Backend | 3 days |
| P1-002 | Fix IDOR in get-user-data | Backend | 3 days |

### Phase 3: Medium Priority (This Month)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P2-001 | Strengthen password policy | Backend | 14 days |
| P2-002 | Restrict CORS origins | DevOps | 14 days |

---

## Appendix

### A. Methodology

This audit was performed using the Supabase Pentest Skills toolkit, which includes:
- Passive reconnaissance of client-side code
- API endpoint testing with anon and service keys
- Storage bucket enumeration and access testing
- Authentication flow analysis
- Real-time channel subscription testing

### B. Tools Used

- supabase-pentest-skills v1.0.0
- curl for API testing
- Browser DevTools for client code analysis

### C. Audit Scope

- Target URL: https://myapp.example.com
- Supabase Project: abc123def
- Components tested: API, Storage, Auth, Realtime, Edge Functions
- Exclusions: None

### D. Audit Log

Full audit log available in `.sb-pentest-audit.log`

---

**Report generated by supabase-pentest-skills**
**Audit completed:** January 31, 2025 at 15:00 UTC
```

## Score Calculation

The security score is calculated based on:

| Factor | Weight | Calculation |
|--------|--------|-------------|
| P0 findings | -25 per issue | Critical vulnerabilities |
| P1 findings | -10 per issue | High severity issues |
| P2 findings | -5 per issue | Medium severity issues |
| RLS coverage | +10 if 100% | All tables have RLS |
| Auth hardening | +10 | Email confirm, strong passwords |
| Base score | 100 | Starting point |

### Grade Scale

| Score | Grade | Description |
|-------|-------|-------------|
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good, minor improvements needed |
| 70-79 | C | Acceptable, address issues |
| 60-69 | D | Poor, significant issues |
| 0-59 | F | Critical, immediate action needed |

## Context Input

The report generator reads from `.sb-pentest-context.json`:

```json
{
  "target_url": "https://myapp.example.com",
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },
  "findings": [
    {
      "id": "P0-001",
      "severity": "P0",
      "component": "keys",
      "title": "Service Role Key Exposed",
      "description": "...",
      "location": "...",
      "remediation": "..."
    }
  ],
  "audit_completed": "2025-01-31T15:00:00Z"
}
```

## Report Customization

### Include/Exclude Sections

```
Generate report without appendix
Generate report with executive summary only
```

### Different Formats

```
Generate report in JSON format
Generate report summary as HTML
```

## MANDATORY: Context File Dependency

⚠️ **This skill REQUIRES properly populated tracking files.**

### Prerequisites

Before generating a report, ensure:

1. **`.sb-pentest-context.json` exists** and contains findings from audit skills
2. **`.sb-pentest-audit.log` exists** with timestamped actions
3. **All relevant audit skills have updated these files**

### If Context Files Are Missing

If context files are missing or empty:
1. DO NOT generate an empty report
2. Inform the user that audit skills must be run first
3. Recommend running `supabase-pentest` for a complete audit

### Report Generation Output

After generating the report, this skill MUST:

1. **Log to `.sb-pentest-audit.log`**:
   ```
   [TIMESTAMP] [supabase-report] [START] Generating security report
   [TIMESTAMP] [supabase-report] [SUCCESS] Report generated: supabase-audit-report.md
   [TIMESTAMP] [supabase-report] [CONTEXT_UPDATED] Report generation logged
   ```

2. **Update `.sb-pentest-context.json`** with report metadata:
   ```json
   {
     "report": {
       "generated_at": "...",
       "filename": "supabase-audit-report.md",
       "findings_count": { "p0": 3, "p1": 4, "p2": 5 }
     }
   }
   ```

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## Related Skills

- `supabase-report-compare` — Compare with previous reports
- `supabase-pentest` — Run full audit first
- `supabase-help` — List all available skills