npm - supasec - Versions diffs - 1.0.1 → 1.0.3 - Mend

supasec 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/COMPLETION_REPORT.md +324 -0
package/FIXES_SUMMARY.md +224 -0
package/IMPLEMENTATION_NOTES.md +305 -0
package/QUICK_REFERENCE.md +185 -0
package/README.md +1 -1
package/REPORTING.md +217 -0
package/STATUS.md +269 -0
package/dist/commands/scan.d.ts +1 -0
package/dist/commands/scan.d.ts.map +1 -1
package/dist/commands/scan.js +186 -15
package/dist/commands/scan.js.map +1 -1
package/dist/models/scan-result.d.ts +8 -0
package/dist/models/scan-result.d.ts.map +1 -1
package/dist/models/scan-result.js.map +1 -1
package/dist/reporters/html.d.ts +18 -0
package/dist/reporters/html.d.ts.map +1 -0
package/dist/reporters/html.js +946 -0
package/dist/reporters/html.js.map +1 -0
package/dist/reporters/index.d.ts +2 -0
package/dist/reporters/index.d.ts.map +1 -1
package/dist/reporters/index.js +2 -0
package/dist/reporters/index.js.map +1 -1
package/dist/reporters/terminal.d.ts.map +1 -1
package/dist/reporters/terminal.js +9 -0
package/dist/reporters/terminal.js.map +1 -1
package/dist/scanners/secrets/detector.d.ts.map +1 -1
package/dist/scanners/secrets/detector.js +6 -2
package/dist/scanners/secrets/detector.js.map +1 -1
package/package.json +1 -1
package/reports/supasec---------app-2026-01-28-16-58-47.html +804 -0
package/reports/supasec---------app-2026-01-28-17-06-43.html +722 -0
package/reports/supasec---------app-2026-01-28-17-07-23.html +722 -0
package/reports/supasec---------app-2026-01-28-17-08-00.html +722 -0
package/reports/supasec---------app-2026-01-28-17-08-20.html +722 -0
package/reports/supasec---------app-2026-01-28-17-08-41.html +722 -0
package/reports/supasec-au---your-app-2026-01-28-17-14-57.html +715 -0
package/reports/supasec-au---your-app-2026-01-28-17-19-03.html +715 -0
package/reports/supasec-audityour-app-2026-01-28-17-09-24.html +722 -0
package/reports/supasec-ex-mple-com-2026-01-28-17-14-52.json +229 -0
package/reports/supasec-ex-mple-com-2026-01-28-17-15-39.html +715 -0
package/reports/supasec-ex-mple-com-2026-01-28-17-17-22.html +715 -0
package/reports/supasec-example-com-2026-01-28-17-15-06.html +715 -0
package/reports/supasec-my--------------name-com-2026-01-28-17-15-02.html +715 -0
package/reports/supasec-st-ging-com-2026-01-28-17-16-17.html +715 -0
package/PUBLISHING.md +0 -51

package/reports/supasec-ex-mple-com-2026-01-28-17-14-52.json ADDED Viewed

@@ -0,0 +1,229 @@
+{
+  "scan_metadata": {
+    "tool": "supasec",
+    "version": "1.0.0",
+    "scan_id": "scan_2026-01-28T17-14-52",
+    "target_url": "ex*mple.com/",
+    "scan_date": "2026-01-28T17:14:52.023Z",
+    "scan_duration_seconds": 0.007,
+    "scanner_mode": "url"
+  },
+  "project_info": {
+    "tables_count": 0,
+    "rpcs_count": 0,
+    "storage_buckets": 0,
+    "auth_providers": [],
+    "edge_functions": 0
+  },
+  "summary": {
+    "total_issues": 2,
+    "critical": 0,
+    "high": 1,
+    "medium": 1,
+    "low": 0,
+    "info": 0,
+    "passed_checks": 2,
+    "overall_grade": "B",
+    "overall_score": 85
+  },
+  "findings": [
+    {
+      "finding_id": "SEC-001",
+      "timestamp": "2026-01-28T17:14:52.026Z",
+      "severity": "MEDIUM",
+      "category": "secrets",
+      "subcategory": "supabase",
+      "title": "Supabase Anon Key Exposed",
+      "description": "Found supabase anon key in javascript content. Potential Supabase anon key - verify if properly scoped",
+      "location": {
+        "file": "https://ex*****.com/",
+        "line": 3,
+        "column": 28
+      },
+      "evidence": {
+        "code_snippet": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.",
+        "matched_pattern": "Supabase Anon Key",
+        "sample_data": {
+          "masked": "eyJh**************************************************iJ9.",
+          "original": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9."
+        },
+        "key_type": "supabase",
+        "line_number": 3,
+        "column_number": 28
+      },
+      "impact": {
+        "severity_score": 5,
+        "description": "Complete database access - attacker can read, write, and delete all data",
+        "affected_resources": [
+          "application",
+          "database",
+          "api"
+        ],
+        "compliance_violations": [
+          "SOC2-CC6.1",
+          "GDPR-Article-32"
+        ]
+      },
+      "remediation": {
+        "summary": "Remove supabase anon key from client-side code",
+        "priority": "HIGH",
+        "effort": "LOW",
+        "steps": [
+          {
+            "order": 1,
+            "action": "Regenerate the service_role key in Supabase dashboard",
+            "command": "Dashboard > Settings > API > Regenerate service_role key"
+          },
+          {
+            "order": 2,
+            "action": "Move service_role key to backend environment variables only",
+            "code": "// Server-side only\nconst supabase = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY)"
+          },
+          {
+            "order": 3,
+            "action": "Use anon key for client-side operations",
+            "code": "// Client-side\nconst supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)"
+          },
+          {
+            "order": 4,
+            "action": "Review database access logs for unauthorized access"
+          }
+        ],
+        "auto_fixable": false
+      },
+      "references": [
+        {
+          "title": "Supabase API Keys Documentation",
+          "url": "https://supabase.com/docs/guides/api#api-keys"
+        },
+        {
+          "title": "CWE-798: Use of Hard-coded Credentials",
+          "url": "https://cwe.mitre.org/data/definitions/798.html"
+        }
+      ],
+      "false_positive_likelihood": "LOW",
+      "confidence": 0.95
+    },
+    {
+      "finding_id": "SEC-003",
+      "timestamp": "2026-01-28T17:14:52.027Z",
+      "severity": "HIGH",
+      "category": "secrets",
+      "subcategory": "auth",
+      "title": "JWT Token Exposed",
+      "description": "Found jwt token in javascript content. JWT token detected",
+      "location": {
+        "file": "https://ex*****.com/",
+        "line": 3,
+        "column": 28
+      },
+      "evidence": {
+        "code_snippet": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.",
+        "matched_pattern": "JWT Token",
+        "sample_data": {
+          "masked": "eyJh**************************************************iJ9.",
+          "original": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9."
+        },
+        "key_type": "auth",
+        "line_number": 3,
+        "column_number": 28
+      },
+      "impact": {
+        "severity_score": 8,
+        "description": "Authentication token exposure - unauthorized access to user accounts",
+        "affected_resources": [
+          "application",
+          "database",
+          "api"
+        ],
+        "compliance_violations": [
+          "SOC2-CC6.1",
+          "OWASP-A02-2021"
+        ]
+      },
+      "remediation": {
+        "summary": "Remove jwt token from client-side code",
+        "priority": "HIGH",
+        "effort": "LOW",
+        "steps": [
+          {
+            "order": 1,
+            "action": "Remove the exposed secret from client-side code immediately",
+            "code": "// Remove hardcoded key\nconst supabaseKey = process.env.SUPABASE_KEY;"
+          },
+          {
+            "order": 2,
+            "action": "Move the secret to environment variables on the server",
+            "command": "export API_KEY=your_key_here"
+          },
+          {
+            "order": 3,
+            "action": "Regenerate the exposed secret to invalidate the compromised key",
+            "command": "Regenerate in service dashboard"
+          },
+          {
+            "order": 4,
+            "action": "Use only the anon/public key in frontend code",
+            "code": "const supabase = createClient(url, process.env.SUPABASE_ANON_KEY)"
+          }
+        ],
+        "auto_fixable": false
+      },
+      "references": [
+        {
+          "title": "OWASP Authentication Cheat Sheet",
+          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+        }
+      ],
+      "false_positive_likelihood": "LOW",
+      "confidence": 0.95
+    }
+  ],
+  "passed_checks": [
+    {
+      "check_id": "SEC-HTTPS-001",
+      "category": "transport",
+      "title": "HTTPS Enforced",
+      "description": "All connections use HTTPS/TLS 1.2+"
+    },
+    {
+      "check_id": "AUTH-EMAIL-001",
+      "category": "auth",
+      "title": "Email Verification Enabled",
+      "description": "New users must verify email before access"
+    }
+  ],
+  "grading": {
+    "overall_grade": "B",
+    "overall_score": 85,
+    "category_scores": {},
+    "scoring_methodology": {
+      "base_score": 100,
+      "critical_deduction": -20,
+      "high_deduction": -10,
+      "medium_deduction": -5,
+      "low_deduction": -2
+    },
+    "grade_thresholds": {
+      "A": 90,
+      "B": 80,
+      "C": 70,
+      "D": 60,
+      "F": 0
+    },
+    "improvement_priority": [
+      "Fix SEC-003: JWT Token Exposed"
+    ]
+  },
+  "recommendations": {
+    "immediate_actions": [],
+    "security_best_practices": [
+      "Audit all environment variables and secrets management"
+    ],
+    "next_steps": [
+      "Run: supasec fix --interactive",
+      "Schedule weekly scans: supasec watch --interval 604800",
+      "Add to CI/CD: see https://github.com/yourusername/supasec#cicd"
+    ]
+  }
+}