supabase-audit-buckets-public_skill

This skill identifies publicly accessible storage buckets in Supabase and provides actionable remediation guidance to prevent data exposure.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-public

  • SKILL.md12.6 KB

Overview

This skill discovers Supabase storage buckets that are publicly accessible and flags buckets containing potentially sensitive content. It provides clear classification (appropriate, needs review, critical) and actionable remediation steps to secure exposed data. The skill is optimized for quick checks and deeper scans before production deployments.

How this skill works

The skill enumerates storage buckets and tests public object access using the Supabase storage public object endpoint. It inspects filenames, file types, and simple content indicators (extensions and keywords) to classify findings into severity levels (P0, P1, P2). For each bucket tested it records timestamps, findings, and recommended SQL or policy changes.

When to use it

  • Before deploying to production to verify storage configuration
  • When you suspect user uploads or backups are accessible publicly
  • As part of routine security scans or pre-deployment checklists
  • After storage configuration changes or permission updates
  • During incident response when confirming exposure of specific files

Best practices

  • Treat backups and .env files as P0 — they must never be public
  • Make new buckets private by default and grant create/insert rights only to admins
  • Use user-specific paths and RLS-based policies for user uploads
  • Run this audit regularly and integrate into CI/CD pre-deploy checks
  • Log and persist findings progressively while scanning to avoid data loss

Example use cases

  • Quick scan that lists public buckets and marks obvious safe assets like public avatars
  • Deep scan that enumerates files, detects keywords like 'secret', 'backup', 'invoice', and classifies severity
  • Immediate emergency check when a team reports leaked URLs to identify exposed backups or secrets
  • Automated weekly scheduled audit that writes findings to a context file and evidence directory
  • Pre-deployment validation to ensure no user-upload buckets are accidentally public

FAQ

Patterns like *.sql, *.env, *secret*, *backup*, and *export* are treated as P0 (critical) and should never be public.

What immediate actions are recommended for a critical finding?

Make the bucket private via UPDATE storage.buckets SET public = false WHERE name = '<bucket>'; remove or move exposed files; rotate any exposed secrets; and follow incident response procedures.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-audit-buckets-public skill by yoanbernabeu/supabase-pentest-skills | VeilStrat