# Report Comparison

Skill: `supabase-report-compare` (SKILL.md)

This skill compares two security audit reports to track progress over time.
## When to Use This Skill

- After fixing vulnerabilities, to verify remediation
- For periodic security reviews
- To track security posture over time
- To identify regressions (newly introduced vulnerabilities)
## Prerequisites

- Two audit reports in Markdown format
- Both reports should be from the same project
## Usage

### Basic Comparison

```
Compare security reports old-report.md and new-report.md
```

### With Specific Paths

```
Compare reports/audit-v1.md with reports/audit-v2.md
```
## Output Format

```text
═══════════════════════════════════════════════════════════
SECURITY AUDIT COMPARISON
═══════════════════════════════════════════════════════════

Previous Audit: January 15, 2025
Current Audit:  January 31, 2025
Days Between:   16 days

─────────────────────────────────────────────────────────
Score Comparison
─────────────────────────────────────────────────────────

Previous Score: 35/100 (Grade: D)
Current Score:  72/100 (Grade: C)
Improvement:    +37 points ⬆️

┌──────────────────────────────────────────────────┐
│ Score Progress                                   │
│                                                  │
│ 100 ┤                                            │
│  80 ┤                    ████████ 72             │
│  60 ┤                    ████████                │
│  40 ┤ ████████ 35        ████████                │
│  20 ┤ ████████           ████████                │
│   0 ┴──────────────────────────────────────────  │
│       Jan 15             Jan 31                  │
└──────────────────────────────────────────────────┘

─────────────────────────────────────────────────────────
Findings Summary
─────────────────────────────────────────────────────────

| Status      | P0  | P1  | P2  | Total |
|-------------|-----|-----|-----|-------|
| Previous    | 3   | 4   | 5   | 12    |
| Current     | 0   | 2   | 4   | 6     |
| Fixed       | 3   | 2   | 2   | 7     |
| New         | 0   | 0   | 1   | 1     |

─────────────────────────────────────────────────────────
Fixed Vulnerabilities ✅
─────────────────────────────────────────────────────────

P0 (Critical) - ALL FIXED! 🎉

✅ P0-001: Service Role Key Exposed
   Status: FIXED
   Resolution: Key rotated, removed from client code
   Fixed on: January 16, 2025

✅ P0-002: Database Backups Publicly Accessible
   Status: FIXED
   Resolution: Bucket made private, files deleted
   Fixed on: January 16, 2025

✅ P0-003: Admin Function Privilege Escalation
   Status: FIXED
   Resolution: Added admin role verification
   Fixed on: January 17, 2025

P1 (High) - 2 of 4 Fixed

✅ P1-001: Email Confirmation Disabled
   Status: FIXED
   Resolution: Email confirmation now required
   Fixed on: January 20, 2025

✅ P1-002: IDOR in get-user-data Function
   Status: FIXED
   Resolution: Added user ownership verification
   Fixed on: January 18, 2025

P2 (Medium) - 2 of 5 Fixed

✅ P2-001: Weak Password Policy
   Status: FIXED
   Resolution: Minimum length increased to 10
   Fixed on: January 22, 2025

✅ P2-003: Disposable Emails Accepted
   Status: FIXED
   Resolution: Email validation added
   Fixed on: January 25, 2025

─────────────────────────────────────────────────────────
Remaining Vulnerabilities ⚠️
─────────────────────────────────────────────────────────

P1 (High) - 2 Remaining

🟠 P1-003: User Enumeration via Timing Attack
   Status: OPEN (16 days)
   Priority: Address this week
   Note: Was in previous report, not yet fixed

🟠 P1-004: Admin Channel Publicly Accessible
   Status: OPEN (16 days)
   Priority: Address this week

P2 (Medium) - 3 Remaining

🟡 P2-002: Wildcard CORS Origin
   Status: OPEN (16 days)

🟡 P2-004: Verbose Error Messages
   Status: OPEN (16 days)

🟡 P2-005: Rate Limiting Not Enforced on Functions
   Status: OPEN (16 days)

─────────────────────────────────────────────────────────
New Vulnerabilities 🆕
─────────────────────────────────────────────────────────

P2 (Medium) - 1 New Issue

🆕 P2-006: New Storage Bucket Without RLS
   Severity: 🟡 P2
   Component: Storage
   Description: New bucket 'user-uploads' created without
                RLS policies. Currently empty but will
                need policies before production use.
   First Seen: January 31, 2025

─────────────────────────────────────────────────────────
Progress Analysis
─────────────────────────────────────────────────────────

Remediation Rate: 58% (7 of 12 fixed)

By Severity:
├── P0 (Critical): 100% fixed ✅
├── P1 (High):      50% fixed
└── P2 (Medium):    40% fixed

Time to Fix (Average):
├── P0: 1.3 days (excellent)
├── P1: 3.5 days (good)
└── P2: 5.5 days (acceptable)

Regression: 1 new issue introduced
            (lower severity, acceptable)

─────────────────────────────────────────────────────────
Recommendations
─────────────────────────────────────────────────────────

1. CONTINUE PROGRESS
   Great work fixing all P0 issues! Focus now on
   remaining P1 issues:
   - User enumeration timing attack
   - Admin broadcast channel

2. ADDRESS NEW ISSUE
   Configure RLS on 'user-uploads' bucket before
   it's used in production.

3. SCHEDULE FOLLOW-UP
   Recommend another audit in 14 days to verify
   remaining fixes.

─────────────────────────────────────────────────────────
Trend Analysis
─────────────────────────────────────────────────────────

If you have 3+ reports, trend analysis is available:

| Date       | Score | P0 | P1 | P2 | Total |
|------------|-------|----|----|----|-------|
| 2024-12-01 | 28    | 4  | 5  | 6  | 15    |
| 2025-01-15 | 35    | 3  | 4  | 5  | 12    |
| 2025-01-31 | 72    | 0  | 2  | 4  | 6     |

Trend: Improving ⬆️
═══════════════════════════════════════════════════════════
```
## Comparison Logic

### Finding Matching

Findings are matched between reports using:

- ID match — the same finding ID (P0-001, P1-002, etc.)
- Component + Title match — the same component and issue title
- Location match — the same file, line, or endpoint

### Status Determination

| Previous | Current | Status |
|---|---|---|
| Present | Absent | Fixed ✅ |
| Present | Present | Remaining ⚠️ |
| Absent | Present | New 🆕 |
| Absent | Absent | N/A |

### Score Calculation

```
Change = Current Score - Previous Score

Positive change = Improvement ⬆️
Negative change = Regression ⬇️
No change       = Stable ➡️
```
### Context Output

```json
{
  "comparison": {
    "previous_date": "2025-01-15",
    "current_date": "2025-01-31",
    "previous_score": 35,
    "current_score": 72,
    "score_change": 37,
    "findings": {
      "previous_total": 12,
      "current_total": 6,
      "fixed": 7,
      "remaining": 5,
      "new": 1
    },
    "by_severity": {
      "P0": { "previous": 3, "current": 0, "fixed": 3, "new": 0 },
      "P1": { "previous": 4, "current": 2, "fixed": 2, "new": 0 },
      "P2": { "previous": 5, "current": 4, "fixed": 2, "new": 1 }
    },
    "remediation_rate": 0.58,
    "trend": "improving"
  }
}
```
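The matching rules, status table and score calculation above, worked through in Python as an added example (this is not the skill's own code or anything from its repository). It assumes a constructed report layout, a `Score: N/100` line plus one `- <ID>: <Title> (Component: <name>)` bullet per finding, and applies the ID match first and the component + title match second, so a finding that was renumbered between reports is counted as remaining rather than as one fixed and one new; the result has the same shape as the context output.

```python
import re

# Constructed sample reports (not the skill's real output): a "Score: N/100" line plus one "- <ID>: <Title> (Component: <name>)" bullet per finding.
OLD_REPORT = """Score: 35/100
- P0-001: Service Role Key Exposed (Component: Auth)
- P1-003: User Enumeration via Timing Attack (Component: Auth)
- P2-002: Wildcard CORS Origin (Component: Functions)
"""
NEW_REPORT = """Score: 72/100
- P1-003: User Enumeration via Timing Attack (Component: Auth)
- P2-006: New Storage Bucket Without RLS (Component: Storage)
- P2-009: Wildcard CORS Origin (Component: Functions)
"""
FINDING_RE = re.compile(r"^- (P[0-2]-\d{3}): (.+?) \(Component: (.+?)\)$", re.M)
SCORE_RE = re.compile(r"^Score: (\d+)/100", re.M)

def parse_report(text):
    """Return (score, {finding_id: {severity, title, component}}) for one report."""
    score = int(SCORE_RE.search(text).group(1))
    findings = {fid: {"severity": fid[:2], "title": title, "component": comp}
                for fid, title, comp in FINDING_RE.findall(text)}
    return score, findings

def fallback_key(f):
    """Second-level match for renumbered findings: same component + same title."""
    return (f["component"].lower(), f["title"].strip().lower())

def compare_reports(old_text, new_text):
    old_score, old = parse_report(old_text)
    new_score, new = parse_report(new_text)
    new_by_key = {fallback_key(f): fid for fid, f in new.items()}
    fixed, remaining, matched_new = [], [], set()
    for fid, f in old.items():  # Present/Absent -> Fixed, Present/Present -> Remaining
        hit = fid if fid in new else new_by_key.get(fallback_key(f))
        if hit is None:
            fixed.append(fid)
        else:
            remaining.append(fid)
            matched_new.add(hit)
    introduced = [fid for fid in new if fid not in matched_new]  # Absent/Present -> New
    by_sev = {s: {"previous": sum(f["severity"] == s for f in old.values()),
                  "current": sum(f["severity"] == s for f in new.values()),
                  "fixed": sum(i.startswith(s) for i in fixed),
                  "new": sum(i.startswith(s) for i in introduced)} for s in ("P0", "P1", "P2")}
    change = new_score - old_score
    return {"previous_score": old_score, "current_score": new_score, "score_change": change,
            "findings": {"previous_total": len(old), "current_total": len(new), "fixed": len(fixed),
                         "remaining": len(remaining), "new": len(introduced)},
            "by_severity": by_sev, "fixed_ids": fixed, "remaining_ids": remaining, "new_ids": introduced,
            "remediation_rate": round(len(fixed) / len(old), 2) if old else 0.0,
            "trend": "improving" if change > 0 else "regressing" if change < 0 else "stable"}
```

With the sample input, P2-002 is renumbered to P2-009 in the newer report and is reported as remaining, while P0-001 is fixed and P2-006 is new.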
## Report Output

The comparison generates `supabase-audit-comparison.md`:

```markdown
# Security Audit Comparison Report

## Summary

| Metric | Previous | Current | Change |
|--------|----------|---------|--------|
| Score | 35/100 | 72/100 | +37 ⬆️ |
| P0 Issues | 3 | 0 | -3 ✅ |
| P1 Issues | 4 | 2 | -2 ✅ |
| P2 Issues | 5 | 4 | -1 ✅ |
| Total | 12 | 6 | -6 ✅ |

## Fixed Issues (7)
[Detailed list of fixed issues...]

## Remaining Issues (5)
[Detailed list of remaining issues...]

## New Issues (1)
[Detailed list of new issues...]

## Recommendations
[Action items based on comparison...]
```
## Multiple Report Comparison

For trend analysis across 3+ reports:

```
Compare trend across reports/audit-*.md
```

Output includes:

- Score trend graph
- Issue count over time
- Average time to fix
- Identification of recurring issues
## Best Practices

### Naming Convention

```
reports/
├── supabase-audit-2024-12-01.md
├── supabase-audit-2025-01-15.md
├── supabase-audit-2025-01-31.md
└── supabase-audit-comparison-2025-01-31.md
```

### Regular Audits

| Frequency | Purpose |
|---|---|
| After fixes | Verify remediation |
| Monthly | Catch regressions |
| Before releases | Pre-production check |
| After incidents | Post-incident review |

### Tracking Progress

- Keep all reports in version control
- Link findings to your issue tracker (GitHub, Jira)
- Include remediation work in sprint planning
- Report progress to stakeholders
## Related Skills

- `supabase-report` — Generate the reports to compare
- `supabase-pentest` — Run a full audit
- `supabase-help` — Quick reference
Repository: yoanbernabeu/supabase-pentest-skills (first seen Jan 31, 2026)