
supabase-report-compare skill


This skill compares two security audit reports to track remediation progress and identify new vulnerabilities.

npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-report-compare


SKILL.md
---
name: supabase-report-compare
description: Compare two security audit reports to track remediation progress and identify new vulnerabilities.
---

# Report Comparison

This skill compares two security audit reports to track progress over time.

## When to Use This Skill

- After fixing vulnerabilities, to verify remediation
- For periodic security reviews
- To track security posture over time
- To identify regressions (new vulnerabilities)

## Prerequisites

- Two audit reports in Markdown format
- Reports should be from the same project

## Usage

### Basic Comparison

```
Compare security reports old-report.md and new-report.md
```

### With Specific Paths

```
Compare reports/audit-v1.md with reports/audit-v2.md
```

## Output Format

```
═══════════════════════════════════════════════════════════
 SECURITY AUDIT COMPARISON
═══════════════════════════════════════════════════════════

 Previous Audit: January 15, 2025
 Current Audit:  January 31, 2025
 Days Between:   16 days

 ─────────────────────────────────────────────────────────
 Score Comparison
 ─────────────────────────────────────────────────────────

 Previous Score: 35/100 (Grade: D)
 Current Score:  72/100 (Grade: C)
 Improvement:    +37 points ⬆️

 ┌────────────────────────────────────────────────────────┐
 │ Score Progress                                         │
 │                                                        │
 │  100 ┤                                                 │
 │   80 ┤                              ████████ 72       │
 │   60 ┤                              ████████          │
 │   40 ┤ ████████ 35                  ████████          │
 │   20 ┤ ████████                     ████████          │
 │    0 ┴─────────────────────────────────────────────── │
 │        Jan 15                       Jan 31            │
 └────────────────────────────────────────────────────────┘

 ─────────────────────────────────────────────────────────
 Findings Summary
 ─────────────────────────────────────────────────────────

 | Status      | P0  | P1  | P2  | Total |
 |-------------|-----|-----|-----|-------|
 | Previous    | 3   | 4   | 5   | 12    |
 | Current     | 0   | 2   | 4   | 6     |
 | Fixed       | 3   | 2   | 2   | 7     |
 | New         | 0   | 0   | 1   | 1     |

 ─────────────────────────────────────────────────────────
 Fixed Vulnerabilities ✅
 ─────────────────────────────────────────────────────────

 P0 (Critical) - ALL FIXED! 🎉

 ✅ P0-001: Service Role Key Exposed
    Status: FIXED
    Resolution: Key rotated, removed from client code
    Fixed on: January 16, 2025

 ✅ P0-002: Database Backups Publicly Accessible
    Status: FIXED
    Resolution: Bucket made private, files deleted
    Fixed on: January 16, 2025

 ✅ P0-003: Admin Function Privilege Escalation
    Status: FIXED
    Resolution: Added admin role verification
    Fixed on: January 17, 2025

 P1 (High) - 2 of 4 Fixed

 ✅ P1-001: Email Confirmation Disabled
    Status: FIXED
    Resolution: Email confirmation now required
    Fixed on: January 20, 2025

 ✅ P1-002: IDOR in get-user-data Function
    Status: FIXED
    Resolution: Added user ownership verification
    Fixed on: January 18, 2025

 P2 (Medium) - 2 of 5 Fixed

 ✅ P2-001: Weak Password Policy
    Status: FIXED
    Resolution: Minimum length increased to 10
    Fixed on: January 22, 2025

 ✅ P2-003: Disposable Emails Accepted
    Status: FIXED
    Resolution: Email validation added
    Fixed on: January 25, 2025

 ─────────────────────────────────────────────────────────
 Remaining Vulnerabilities ⚠️
 ─────────────────────────────────────────────────────────

 P1 (High) - 2 Remaining

 🟠 P1-003: User Enumeration via Timing Attack
    Status: OPEN (16 days)
    Priority: Address this week
    Note: Was in previous report, not yet fixed

 🟠 P1-004: Admin Channel Publicly Accessible
    Status: OPEN (16 days)
    Priority: Address this week

 P2 (Medium) - 3 Remaining

 🟡 P2-002: Wildcard CORS Origin
    Status: OPEN (16 days)

 🟡 P2-004: Verbose Error Messages
    Status: OPEN (16 days)

 🟡 P2-005: Rate Limiting Not Enforced on Functions
    Status: OPEN (16 days)

 ─────────────────────────────────────────────────────────
 New Vulnerabilities 🆕
 ─────────────────────────────────────────────────────────

 P2 (Medium) - 1 New Issue

 🆕 P2-006: New Storage Bucket Without RLS
    Severity: 🟡 P2
    Component: Storage
    Description: New bucket 'user-uploads' created without
                 RLS policies. Currently empty but will
                 need policies before production use.
    First Seen: January 31, 2025

 ─────────────────────────────────────────────────────────
 Progress Analysis
 ─────────────────────────────────────────────────────────

 Remediation Rate: 58% (7 of 12 fixed)

 By Severity:
 ├── P0 (Critical): 100% fixed ✅
 ├── P1 (High): 50% fixed
 └── P2 (Medium): 40% fixed

 Time to Fix (Average):
 ├── P0: 1.3 days (excellent)
 ├── P1: 3.5 days (good)
 └── P2: 5.5 days (acceptable)

 Regression: 1 new issue introduced
             (lower severity, acceptable)

 ─────────────────────────────────────────────────────────
 Recommendations
 ─────────────────────────────────────────────────────────

 1. CONTINUE PROGRESS
    Great work fixing all P0 issues! Focus now on
    remaining P1 issues:
    - User enumeration timing attack
    - Admin broadcast channel

 2. ADDRESS NEW ISSUE
    Configure RLS on 'user-uploads' bucket before
    it's used in production.

 3. SCHEDULE FOLLOW-UP
    Recommend another audit in 14 days to verify
    remaining fixes.

 ─────────────────────────────────────────────────────────
 Trend Analysis
 ─────────────────────────────────────────────────────────

 If you have 3+ reports, trend analysis is available:

 | Date       | Score | P0 | P1 | P2 | Total |
 |------------|-------|----|----|----|-------|
 | 2024-12-01 | 28    | 4  | 5  | 6  | 15    |
 | 2025-01-15 | 35    | 3  | 4  | 5  | 12    |
 | 2025-01-31 | 72    | 0  | 2  | 4  | 6     |

 Trend: Improving ⬆️

═══════════════════════════════════════════════════════════
```

## Comparison Logic

### Finding Matching

Findings are matched between reports using:

1. **ID match** — Same P0-001, P1-002, etc.
2. **Component + Title match** — Same issue description
3. **Location match** — Same file/line/endpoint

### Status Determination

| Previous | Current | Status |
|----------|---------|--------|
| Present | Absent | Fixed ✅ |
| Present | Present | Remaining ⚠️ |
| Absent | Present | New 🆕 |
| Absent | Absent | N/A |

### Score Calculation

```
Change = Current Score - Previous Score

Positive change = Improvement ⬆️
Negative change = Regression ⬇️
No change = Stable ➡️
```

## Context Output

```json
{
  "comparison": {
    "previous_date": "2025-01-15",
    "current_date": "2025-01-31",
    "previous_score": 35,
    "current_score": 72,
    "score_change": 37,
    "findings": {
      "previous_total": 12,
      "current_total": 6,
      "fixed": 7,
      "remaining": 5,
      "new": 1
    },
    "by_severity": {
      "P0": { "previous": 3, "current": 0, "fixed": 3, "new": 0 },
      "P1": { "previous": 4, "current": 2, "fixed": 2, "new": 0 },
      "P2": { "previous": 5, "current": 4, "fixed": 2, "new": 1 }
    },
    "remediation_rate": 0.58,
    "trend": "improving"
  }
}
```
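As an added example (not code from the skill itself), the matching tiers, status table and score rule from the Comparison Logic section implemented in Python, producing the context-output shape above. The one-finding-per-line report format, the sample findings, and the `Finding`, `match_findings` and `compare` names are constructed assumptions; the sample deliberately exercises all three tiers (same ID, renumbered ID with same component and title, retitled finding at the same location), one fixed finding and one new one.

```python
import re
from collections import namedtuple
# Constructed sample reports (not from the page): "- <ID> | <Component> | <Title> | <location>"
OLD_REPORT = """Score: 35/100
- P0-001 | Auth | Service Role Key Exposed | src/lib/client.ts
- P1-003 | Auth | User Enumeration via Timing Attack | /auth/v1/token
- P2-002 | API | Wildcard CORS Origin | supabase/config.toml
- P2-004 | Functions | Verbose Error Messages | functions/get-user-data
"""
NEW_REPORT = """Score: 72/100
- P1-003 | Auth | User Enumeration via Timing Attack | /auth/v1/token
- P2-009 | API | Wildcard CORS Origin | supabase/config.toml
- P2-011 | Functions | Stack Traces Returned to Client | functions/get-user-data
- P2-006 | Storage | New Storage Bucket Without RLS | bucket:user-uploads
"""
Finding = namedtuple("Finding", "fid component title location")
LINE_RE = re.compile(r"^- (P[0-2]-\d{3}) \| ([^|]+) \| ([^|]+) \| (.+)$")
# Matching tiers in priority order: ID, then component+title, then location.
TIERS = (lambda f: f.fid, lambda f: (f.component.lower(), f.title.lower()), lambda f: f.location)
def parse_report(text):
    score = int(re.search(r"Score: (\d+)/100", text).group(1))
    rows = [m for m in map(LINE_RE.match, text.splitlines()) if m]
    return score, [Finding(*(g.strip() for g in m.groups())) for m in rows]

def match_findings(old, new):
    """Pair each old finding with at most one new one (= remaining); leftovers in new are new."""
    pairs, unmatched = {}, list(new)
    for key in TIERS:  # higher tiers run first, so an ID match beats a location match
        for o in (o for o in old if o not in pairs):
            hit = next((n for n in unmatched if key(n) == key(o)), None)
            if hit is not None:
                pairs[o] = hit
                unmatched.remove(hit)
    return pairs, unmatched

def compare(old_text, new_text):
    (old_score, old), (new_score, new) = parse_report(old_text), parse_report(new_text)
    remaining, fresh = match_findings(old, new)
    fixed = [o for o in old if o not in remaining]  # present before, absent now
    count = lambda fs, sev: sum(f.fid.startswith(sev) for f in fs)
    change = new_score - old_score
    return {"previous_score": old_score, "current_score": new_score, "score_change": change,
            "findings": {"previous_total": len(old), "current_total": len(new),
                         "fixed": len(fixed), "remaining": len(remaining), "new": len(fresh)},
            "by_severity": {s: {"previous": count(old, s), "current": count(new, s),
                                "fixed": count(fixed, s), "new": count(fresh, s)}
                            for s in ("P0", "P1", "P2")},
            "remediation_rate": round(len(fixed) / len(old), 2) if old else 1.0,
            "trend": "improving" if change > 0 else "regressing" if change < 0 else "stable"}
```

Because a new finding can be claimed only once, a renumbered issue is reported as remaining rather than as one fixed plus one new, which is the case that inflates remediation rates when comparing by ID alone.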

## Report Output

The comparison generates `supabase-audit-comparison.md`:

```markdown
# Security Audit Comparison Report

## Summary

| Metric | Previous | Current | Change |
|--------|----------|---------|--------|
| Score | 35/100 | 72/100 | +37 ⬆️ |
| P0 Issues | 3 | 0 | -3 ✅ |
| P1 Issues | 4 | 2 | -2 ✅ |
| P2 Issues | 5 | 4 | -1 ✅ |
| Total | 12 | 6 | -6 ✅ |

## Fixed Issues (7)

[Detailed list of fixed issues...]

## Remaining Issues (5)

[Detailed list of remaining issues...]

## New Issues (1)

[Detailed list of new issues...]

## Recommendations

[Action items based on comparison...]
```

## Multiple Report Comparison

For trend analysis across 3+ reports:

```
Compare trend across reports/audit-*.md
```

Output includes:

- Score trend graph
- Issue count over time
- Average time to fix
- Recurring issues identification

## Best Practices

### Naming Convention

```
reports/
├── supabase-audit-2024-12-01.md
├── supabase-audit-2025-01-15.md
├── supabase-audit-2025-01-31.md
└── supabase-audit-comparison-2025-01-31.md
```

### Regular Audits

| Frequency | Purpose |
|-----------|---------|
| After fixes | Verify remediation |
| Monthly | Catch regressions |
| Before releases | Pre-production check |
| After incidents | Post-incident review |

### Tracking Progress

1. Keep all reports in version control
2. Link to issue tracker (GitHub, Jira)
3. Include in sprint planning
4. Report to stakeholders

## Related Skills

- `supabase-report` — Generate the reports to compare
- `supabase-pentest` — Run full audit
- `supabase-help` — Quick reference

Overview

This skill compares two security audit reports for a Supabase project to track remediation progress, highlight regressions, and surface new vulnerabilities. It produces a clear side‑by‑side summary of scores, fixed vs remaining findings, and trend data suitable for follow‑up planning. The output is a markdown comparison report ready to add to your audit history or ticketing workflow.

How this skill works

The skill ingests two Markdown audit reports from the same project and matches findings by ID, component+title, or location. It classifies each finding as fixed, remaining, or new, calculates score change and remediation rates, and generates a structured comparison with recommendations. For three or more reports it can produce trend analysis across dates.

When to use it

  • After applying fixes to verify vulnerabilities were remediated
  • During periodic security reviews to measure posture over time
  • Before release to ensure recent changes didn’t introduce regressions
  • After an incident to confirm follow‑up actions removed risks
  • When you want a concise comparison to include in stakeholder reports

Best practices

  • Supply reports from the same project and use consistent naming conventions
  • Ensure reports include stable finding IDs or clear component/title/location details
  • Keep reports in version control and link comparison outputs to issue tracker tickets
  • Run comparisons regularly (weekly/biweekly) while active fixes are in progress
  • Use the generated recommendations as direct action items for triage

Example use cases

  • Compare last week's audit with the current audit to confirm P0 issues are closed
  • Generate a comparison report to attach to a sprint ticket that tracks remaining P1 items
  • Run trend analysis across three monthly reports to demonstrate improving security metrics
  • Detect a regression introduced by a recent deploy by spotting new findings
  • Produce an executive‑friendly summary (scores, remediation rate, top recommendations)

FAQ

What report formats are supported?

The skill expects audit reports in Markdown with findings that include IDs, components, titles, or locations.

How does matching work when IDs are missing?

If IDs are absent, the skill attempts to match by component+title and then by location (file/line/endpoint).

Can I compare more than two reports?

Yes — providing 3+ reports enables trend analysis with score graphs, issue counts over time, and recurring issue detection.