- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Audit Buckets Public
supabase-audit-buckets-public_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-public- SKILL.md12.6 KB
Overview
This skill discovers Supabase storage buckets that are publicly accessible and flags buckets containing potentially sensitive content. It provides clear classification (appropriate, needs review, critical) and actionable remediation steps to secure exposed data. The skill is optimized for quick checks and deeper scans before production deployments.
How this skill works
The skill enumerates storage buckets and tests public object access using the Supabase storage public object endpoint. It inspects filenames, file types, and simple content indicators (extensions and keywords) to classify findings into severity levels (P0, P1, P2). For each bucket tested it records timestamps, findings, and recommended SQL or policy changes.
When to use it
- Before deploying to production to verify storage configuration
- When you suspect user uploads or backups are accessible publicly
- As part of routine security scans or pre-deployment checklists
- After storage configuration changes or permission updates
- During incident response when confirming exposure of specific files
Best practices
- Treat backups and .env files as P0 — they must never be public
- Make new buckets private by default and grant create/insert rights only to admins
- Use user-specific paths and RLS-based policies for user uploads
- Run this audit regularly and integrate into CI/CD pre-deploy checks
- Log and persist findings progressively while scanning to avoid data loss
Example use cases
- Quick scan that lists public buckets and marks obvious safe assets like public avatars
- Deep scan that enumerates files, detects keywords like 'secret', 'backup', 'invoice', and classifies severity
- Immediate emergency check when a team reports leaked URLs to identify exposed backups or secrets
- Automated weekly scheduled audit that writes findings to a context file and evidence directory
- Pre-deployment validation to ensure no user-upload buckets are accidentally public
FAQ
Patterns like *.sql, *.env, *secret*, *backup*, and *export* are treated as P0 (critical) and should never be public.
What immediate actions are recommended for a critical finding?
Make the bucket private via UPDATE storage.buckets SET public = false WHERE name = '<bucket>'; remove or move exposed files; rotate any exposed secrets; and follow incident response procedures.