🇺🇸English
Public Bucket Audit
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO , not just at the end.
- Write to
.sb-pentest-context.json IMMEDIATELY after each bucket analyzed
- Log to
.sb-pentest-audit.log BEFORE and AFTER each test
- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill specifically focuses on identifying misconfigured public buckets and exposed sensitive content.
When to Use This Skill
- Quick check for public bucket misconfigurations
- When you suspect sensitive data in public storage
- As a focused security check for storage
- Before deploying to production
Prerequisites
- Supabase URL and anon key available
Why Public Buckets Are Risky
Public buckets allow:
| Access Type | Description |
|---|
| Direct URL | Anyone with the URL can download |
| Enumeration | File listing may be possible |
| No Auth | No authentication required |
| Caching | CDN may cache sensitive files |
Common Misconfiguration Scenarios
- Development mistake — Bucket set public during development
- Wrong bucket — Sensitive file uploaded to public bucket
- Legacy — Bucket was public before RLS existed
- Intentional but wrong — Assumed "nobody knows the URL"
Usage
Quick Public Bucket Check
Check for misconfigured public buckets
Deep Scan
Deep scan public buckets for sensitive content
Output Format
═══════════════════════════════════════════════════════════
PUBLIC BUCKET SECURITY AUDIT
═══════════════════════════════════════════════════════════
Project: abc123def.supabase.co
─────────────────────────────────────────────────────────
Public Bucket Discovery
─────────────────────────────────────────────────────────
Public Buckets Found: 3/5
─────────────────────────────────────────────────────────
1. avatars ✅ APPROPRIATE
─────────────────────────────────────────────────────────
Status: Public (Expected)
Purpose: User profile pictures
Content Analysis:
├── All files are images (jpg, png, webp)
├── No sensitive filenames detected
├── File sizes appropriate for avatars (< 1MB)
└── No metadata concerns
Assessment: This bucket appropriately contains only
public user-facing content.
─────────────────────────────────────────────────────────
2. uploads 🟠 P1 - NEEDS REVIEW
─────────────────────────────────────────────────────────
Status: Public (Unexpected for this content)
Purpose: User file uploads
Content Analysis:
├── Mixed file types (PDF, DOC, images)
├── Some sensitive filenames detected
└── Should likely be private with RLS
Sensitive Content Indicators:
├── 12 files with 'invoice' in name
├── 8 files with 'contract' in name
├── 3 files with 'passport' in name
└── 156 PDF files (may contain sensitive data)
Risk Assessment:
└── 🟠 User-uploaded content publicly accessible
Anyone with filename can access any user's files
Recommendation:
```sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'uploads';
-- Add user-specific RLS
CREATE POLICY "Users access own uploads"
ON storage.objects FOR ALL
USING (
bucket_id = 'uploads'
AND auth.uid()::text = (storage.foldername(name))[1]
);
───────────────────────────────────────────────────────── 3. backups 🔴 P0 - CRITICAL MISCONFIGURATION ─────────────────────────────────────────────────────────
Status: Public (SHOULD NEVER BE PUBLIC) Purpose: Database backups
⚠️ CRITICAL: Backup files publicly accessible!
Exposed Content: ├── 🔴 db-backup-2025-01-30.sql (125MB) │ └── Full database dump with all user data ├── 🔴 db-backup-2025-01-29.sql (124MB) │ └── Previous day backup ├── 🔴 users-export.csv (2.3MB) │ └── User data export with emails, names ├── 🔴 secrets.env (1KB) │ └── Contains API keys and passwords! └── 🔴 .env.production (1KB) └── Production environment secrets!
Public URLs (Currently Accessible): https://abc123def.supabase.co/storage/v1/object/public/backups/db-backup-2025-01-30.sql https://abc123def.supabase.co/storage/v1/object/public/backups/secrets.env
Impact: ├── Complete database can be downloaded ├── All user PII exposed ├── All API secrets exposed └── Full application compromise possible
═══════════════════════════════════════════════════════════ 🚨 IMMEDIATE ACTION REQUIRED 🚨 ═══════════════════════════════════════════════════════════
-
MAKE BUCKET PRIVATE NOW:
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';
-
DELETE PUBLIC FILES: Delete or move all sensitive files from public access
-
ROTATE ALL EXPOSED SECRETS:
- Stripe API keys
- Database passwords
- JWT secrets
- Any other keys in exposed files
-
AUDIT ACCESS LOGS: Check if files were accessed by unauthorized parties
-
INCIDENT RESPONSE: Consider this a data breach and follow your incident response procedures
───────────────────────────────────────────────────────── Summary ─────────────────────────────────────────────────────────
Public Buckets: 3 ├── ✅ Appropriate: 1 (avatars) ├── 🟠 P1 Review: 1 (uploads) └── 🔴 P0 Critical: 1 (backups)
Exposed Sensitive Files: 47 Exposed Secret Files: 2
Critical Finding: Database backups and secrets publicly accessible via direct URL
═══════════════════════════════════════════════════════════
## Bucket Classification
The skill classifies buckets by content:
| Classification | Criteria | Action |
|----------------|----------|--------|
| **Appropriate Public** | Profile images, public assets | None needed |
| **Needs Review** | User uploads, mixed content | Consider making private |
| **Critical Misconfiguration** | Backups, secrets, exports | Immediate remediation |
## Sensitive Content Patterns
### P0 - Critical (Never Public)
- `*.sql` - Database dumps
- `*.env*` - Environment files
- `*secret*`, `*credential*` - Secrets
- `*backup*` - Backup files
- `*export*` - Data exports
### P1 - High (Usually Private)
- `*invoice*`, `*payment*` - Financial
- `*contract*`, `*agreement*` - Legal
- `*passport*`, `*id*`, `*license*` - Identity
- User-uploaded documents
### P2 - Medium (Review Needed)
- Configuration files
- Log files
- Debug exports
## Context Output
```json
{
"public_bucket_audit": {
"timestamp": "2025-01-31T12:00:00Z",
"public_buckets": 3,
"findings": [
{
"bucket": "backups",
"severity": "P0",
"issue": "Database backups and secrets publicly accessible",
"exposed_files": 45,
"critical_files": [
"db-backup-2025-01-30.sql",
"secrets.env",
".env.production"
],
"remediation": "Make bucket private immediately, rotate secrets"
}
]
}
}
Prevention Checklist
After fixing issues, implement these controls:
1. Default Private Buckets
-- Supabase creates buckets public by default in UI
-- Always verify and change to private if needed
UPDATE storage.buckets
SET public = false
WHERE name = 'new-bucket';
2. Restrict Bucket Creation
-- Only allow admin to create buckets
REVOKE INSERT ON storage.buckets FROM authenticated;
REVOKE INSERT ON storage.buckets FROM anon;
3. File Upload Validation
// Validate file type before upload
const allowedTypes = ['image/jpeg', 'image/png'];
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type');
}
// Use user-specific paths
const path = `${user.id}/${file.name}`;
await supabase.storage.from('uploads').upload(path, file);
4. Regular Audits
Run this skill regularly:
- Before each production deployment
- Weekly automated scans
- After any storage configuration changes
MANDATORY: Progressive Context File Updates
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
- Before analyzing each bucket → Log the action to
.sb-pentest-audit.log
- After each misconfiguration found → Immediately update
.sb-pentest-context.json
- After each sensitive file detected → Log the finding immediately
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
-
Update.sb-pentest-context.json with results:
{
"public_bucket_audit": {
"timestamp": "...",
"public_buckets": 3,
"findings": [ ... ]
}
}
-
Log to.sb-pentest-audit.log:
[TIMESTAMP] [supabase-audit-buckets-public] [START] Auditing public buckets
[TIMESTAMP] [supabase-audit-buckets-public] [FINDING] P0: backups bucket is public
[TIMESTAMP] [supabase-audit-buckets-public] [CONTEXT_UPDATED] .sb-pentest-context.json updated
-
If files don't exist , create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
MANDATORY: Evidence Collection
📁 Evidence Directory: .sb-pentest-evidence/04-storage-audit/public-url-tests/
Evidence Files to Create
| File | Content |
|---|
public-url-tests/[bucket]-access.json | Public URL access test results |
public-url-tests/sensitive-content.json | Sensitive content found |
Evidence Format
{
"evidence_id": "STG-PUB-001",
"timestamp": "2025-01-31T10:45:00Z",
"category": "storage-audit",
"type": "public_bucket_audit",
"severity": "P0",
"bucket": "backups",
"public_url_test": {
"url": "https://abc123def.supabase.co/storage/v1/object/public/backups/secrets.env",
"curl_command": "curl -I 'https://abc123def.supabase.co/storage/v1/object/public/backups/secrets.env'",
"response_status": 200,
"content_type": "text/plain",
"accessible": true
},
"assessment": {
"classification": "critical_misconfiguration",
"should_be_public": false,
"contains_sensitive_data": true,
"file_types_exposed": ["sql", "env", "csv"]
},
"remediation": {
"immediate": "UPDATE storage.buckets SET public = false WHERE name = 'backups';",
"secrets_to_rotate": ["All keys in secrets.env"],
"incident_response": "Consider this a data breach"
}
}
Related Skills
supabase-audit-buckets-list — List all bucketssupabase-audit-buckets-read — Test file accesssupabase-report — Generate comprehensive report
Weekly Installs
87
Repository
yoanbernabeu/su…t-skills
GitHub Stars
32
First Seen
Jan 31, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykWarn
Installed on
claude-code70
codex64
opencode62
gemini-cli59
github-copilot54
cursor54
