# SupaRalph Security Skill for QwenClaw

## Overview

**Name:** suparalph-security

**Source:** https://github.com/vibeforge1111/vibeship-suparalph

**Mascot:** *"I'm in danger!"* - Ralph Wiggum

**SupaRalph** is an open-source **Supabase penetration testing and security scanner** that actively tests Supabase projects for vulnerabilities by executing real attacks rather than static analysis.

---

## What SupaRalph Does

| Capability | Description |
|------------|-------------|
| **Active Testing** | Executes real exploits against your Supabase project |
| **277 Attack Vectors** | Full coverage across all Supabase attack surfaces |
| **Zero Persistence** | No credentials or results stored - session only |
| **AI-Powered Fixes** | Copy findings to Supabase AI for SQL fix generation |
| **CI/CD Ready** | GitHub Actions integration for automated scans |
| **Compliance Mapping** | OWASP Top 10, SOC2, GDPR coverage |

---

## Attack Categories (277 Total Vectors)

| Category | Attacks | What It Tests |
|----------|---------|---------------|
| **RLS** | 100+ | Row Level Security bypass, USING(true), missing policies |
| **Auth** | 43+ | Weak passwords, MFA bypass, JWT manipulation, session attacks |
| **API** | 39+ | GraphQL introspection, CORS, security headers, credentials |
| **Storage** | 23+ | Public buckets, path traversal, file type abuse |
| **Functions** | 15+ | Edge function auth bypass, rate limit bypass |
| **Database** | 14+ | Direct access, injection, extension abuse |
| **Vibecoder** | 13+ | Common AI-generated code mistakes |
| **Realtime** | 13+ | Subscription leaks, channel hijacking |

---

## Installation

### Option 1: Run Locally

```bash
# Clone the repository
git clone https://github.com/vibeforge1111/vibeship-suparalph.git
cd vibeship-suparalph

# Install dependencies
npm install

# Start development server
npm run dev
```

Open: http://localhost:5173

### Option 2: Demo Mode

Enter `demo` as the URL to see a simulated scan without connecting to a real project.
---

## Usage with QwenClaw

### Basic Security Scan

```bash
# Start QwenClaw
qwenclaw start

# Send task to scan Supabase project
qwenclaw send "Use the suparalph-security skill to scan my Supabase project for vulnerabilities"
```

### Interactive Scan

```bash
qwenclaw send "Use suparalph-security to:
1. Get my Supabase project URL
2. Run a full security scan with 277 attack vectors
3. Review findings and generate remediation plan
4. Copy critical findings for Supabase AI fix generation"
```

### CI/CD Integration

```bash
qwenclaw send "Use suparalph-security skill to set up GitHub Actions for automated security scanning on every push"
```

---

## Usage Workflow

### Step 1: Get Supabase URL

1. Go to https://supabase.com/dashboard
2. Select your project
3. Settings → API
4. Copy **Project URL**

### Step 2: Run Security Scan

**Via Web UI:**

1. Open http://localhost:5173
2. Paste your Supabase URL
3. Optionally add the anon key for deeper testing
4. Click "BREACH TEST"
5. Watch attacks execute in real time via the terminal UI

**Via QwenClaw:**

```bash
qwenclaw send "Run SupaRalph security scan on https://your-project.supabase.co"
```

### Step 3: Review Results

Results are shown in the real-time terminal UI:

- ✅ Passed tests (green)
- ⚠️ Warnings (yellow)
- 🚨 Breached (red)

### Step 4: Fix Vulnerabilities

1. Click "Copy Findings for AI"
2. Open https://supabase.com/dashboard/project/_/sql/new
3. Paste findings
4. Ask Supabase AI to generate SQL fixes

---

## Integration Patterns

### Pattern 1: Pre-Deployment Security Check

```bash
qwenclaw send "Before deploying, use suparalph-security to scan the Supabase project and block deployment if critical vulnerabilities found"
```

### Pattern 2: Automated PR Security Review

```bash
qwenclaw send "Use suparalph-security to set up automated security scanning on pull requests with comment on findings"
```

### Pattern 3: AI Agent Security Loop

```bash
# With Ralph Wiggum Loop + Spark Intelligence
while :; do
  qwenclaw send "Use suparalph-security to scan for new vulnerabilities"
  qwenclaw send "Fix any critical findings with Supabase AI"
done
```

### Pattern 4: Compliance Reporting

```bash
qwenclaw send "Use suparalph-security to generate OWASP Top 10 compliance report for audit"
```

---

## Report Generation

### JSON Report (Machine-Readable)

```typescript
import { generateJSONReport } from '$lib/engine/reports';

const json = generateJSONReport(report, {
  includeEvidence: true,
  includeCompliance: true
});
```

### Markdown Report (Documentation)

```typescript
const md = generateMarkdownReport(report, {
  includeCompliance: true,
  includeFixes: true
});
```

### HTML Report (Shareable)

```typescript
const html = generateHTMLReport(report);
```

---

## CI/CD Setup (GitHub Actions)

### Create `.github/workflows/suparalph-scan.yml`

```yaml
name: SupaRalph Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run SupaRalph Scan
        uses: vibeforge1111/suparalph-action@v1
        with:
          supabase-url: ${{ secrets.SUPABASE_URL }}
          supabase-anon-key: ${{ secrets.SUPABASE_ANON_KEY }}
          fail-on-critical: true
          generate-report: true

      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        with:
          name: suparalph-report
          path: ./suparalph-report.html
```

### Required Secrets

| Secret | Description |
|--------|-------------|
| `SUPABASE_URL` | Your Supabase project URL |
| `SUPABASE_ANON_KEY` | Your anon/public key |

---

## Compliance Mapping

| Framework | Coverage | Mapped Controls |
|-----------|----------|-----------------|
| **OWASP Top 10 2021** | A01-A10 | Full coverage |
| **SOC2** | CC6.1, CC6.6, CC6.7 | Access control, security controls |
| **GDPR** | Articles 32, 33 | Security of processing, breach notification |

---

## Security & Privacy

| Feature | Description |
|---------|-------------|
| **Zero Persistence** | No credentials or scan results stored |
| **Session Only** | All data cleared when browser closes |
| **No Server Storage** | Scans run client-side |
| **Open Source** | Full code transparency |
| **Authorized Testing Only** | Only scan projects you own or have permission to test |

---

## Usage in QwenClaw

### Basic Scan

```
Use the suparalph-security skill to scan my Supabase project at https://my-project.supabase.co
```

### Full Security Audit

```
Use suparalph-security to:
1. Run all 277 attack vectors
2. Generate JSON report with evidence
3. Generate Markdown compliance report for OWASP Top 10
4. Create GitHub issue for each critical finding
```

### Automated Fix Workflow

```
Use suparalph-security with spark-intelligence to:
1. Scan for vulnerabilities
2. Capture findings in Spark memory
3. Generate pre-tool advisory for future similar issues
4. Copy critical findings to Supabase AI for fixes
```

### Vibecoder Analysis (AI-Generated Code)

```
Use suparalph-security to scan for Vibecoder vulnerabilities (common AI-generated code mistakes) and provide remediation guidance
```

---

## Attack Vector Examples

### RLS Bypass (Critical)

```typescript
// Attack: Missing RLS policy
{
  id: 'rls-missing-policy',
  name: 'Missing RLS Policy',
  description: 'Table has no RLS policies configured',
  severity: 'critical',
  async execute(ctx) {
    // Check if RLS is enabled
    // Check for policies on all tables
    return {
      breached: true,
      status: 'breached',
      summary: 'Table "users" has no RLS policies',
      evidence: { table: 'users', policies: [] }
    };
  }
}
```

### Auth: Weak Password Policy

```typescript
// Attack: Weak password requirements
{
  id: 'auth-weak-password',
  name: 'Weak Password Policy',
  description: 'Password requirements are below security standards',
  severity: 'high',
  async execute(ctx) {
    // Test minimum password length
    // Test complexity requirements
    return {
      breached: true,
      status: 'warning',
      summary: 'Minimum password length is 6 (recommended: 12+)',
      evidence: { minLength: 6, recommended: 12 }
    };
  }
}
```

### Vibecoder: AI-Generated Mistake

```typescript
// Attack: Common AI-generated code vulnerability
{
  id: 'vibecoder-hardcoded-secrets',
  name: 'Hardcoded Secrets in Code',
  description: 'AI-generated code often includes hardcoded API keys',
  severity: 'critical',
  async execute(ctx) {
    // Scan for hardcoded credentials
    return {
      breached: true,
      status: 'breached',
      summary: 'Hardcoded API key found in edge function',
      evidence: { file: 'send-email.ts', line: 15 }
    };
  }
}
```

---

## Best Practices

### 1. Scan Before Deployment

Always run SupaRalph before deploying to production.

### 2. Automate with CI/CD

Set up GitHub Actions for automated scans on every push/PR.

### 3. Fix Critical First

Prioritize critical and high severity findings.

### 4. Use Supabase AI for Fixes

Copy findings to the Supabase SQL Editor and ask AI to generate fixes.

### 5. Regular Scanning

Schedule weekly or monthly security scans.

### 6. Combine with Spark Intelligence

Use Spark to capture security patterns and prevent future vulnerabilities.

---

## Integration with Other Skills

### With Spark Intelligence

```bash
qwenclaw send "Use suparalph-security to scan, then spark-intelligence to capture findings as pre-tool advisories for future development"
```

**Benefits:**

- Spark remembers vulnerabilities found
- Pre-tool advisory warns before similar mistakes
- Auto-promotes security best practices to CLAUDE.md

### With Ralph Autonomous Agent

```bash
qwenclaw send "Use ralph-autonomous-agent with suparalph-security to continuously scan and fix vulnerabilities in a loop"
```

**Loop Pattern:**

```bash
while :; do
  qwenclaw send "Scan with suparalph-security"
  qwenclaw send "Fix critical findings"
  qwenclaw send "Re-scan to verify fixes"
done
```

### With Frontend-Design

```bash
qwenclaw send "Use frontend-design skill to create a security dashboard that displays SupaRalph scan results"
```

---

## Skill Metadata

```yaml
name: suparalph-security
version: 1.0.0
category: security
description: Supabase penetration testing with 277 attack vectors, AI-powered fixes, and CI/CD integration
author: Vibeship (https://github.com/vibeforge1111/vibeship-suparalph)
license: MIT
tags:
  - security
  - supabase
  - penetration-testing
  - compliance
  - owasp
  - ci-cd
  - ai-fixes
```

---

## Resources

- **GitHub:** https://github.com/vibeforge1111/vibeship-suparalph
- **Demo:** http://localhost:5173 (run locally) or enter `demo` for simulated scan
- **Supabase Dashboard:** https://supabase.com/dashboard
- **Supabase AI:** https://supabase.com/dashboard/project/_/sql/new

---

## Disclaimer

> ⚠️ **For authorized testing only.** Only scan Supabase projects you own or have explicit permission to test. SupaRalph performs real attacks that could affect data. Use responsibly.
---

**SupaRalph: "I'm in danger!" - But your Supabase project doesn't have to be!** 🔒✨
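## Appendix: Worked Example of an RLS Vector and Its Fix

The following is an added example written for this page; it is not SupaRalph's own code. It fleshes out one RLS vector in the `id`/`name`/`severity`/`execute` shape used under "Attack Vector Examples", covering the three RLS conditions the category table names (RLS disabled, missing policies, `USING(true)`), and pairs it with the kind of SQL remediation the "Fix Vulnerabilities" step asks Supabase AI for, plus a gate that behaves like the workflow's `fail-on-critical` input. The `TableSnapshot` and `PolicySnapshot` types are assumptions modelled on the `pg_tables.rowsecurity` and `pg_policies` columns, the `ownerColumn` default `user_id` is a placeholder for the table's real owner column, and the `leakyUsers` snapshot is constructed for the demo.

```typescript
// Added example for this page, not SupaRalph's own code. It fleshes out an
// RLS vector in the page's id/name/severity/execute shape and emits the
// remediation SQL a reviewer (or Supabase AI) would apply.

type Severity = 'critical' | 'high' | 'medium' | 'low';
type Status = 'passed' | 'warning' | 'breached';

interface VectorResult {
  breached: boolean;
  status: Status;
  summary: string;
  evidence: Record<string, unknown>;
}

// One pg_policies row reduced to what the check needs (assumed shape).
interface PolicySnapshot {
  policyname: string;
  cmd: string;          // 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE' | 'ALL'
  roles: string[];      // e.g. ['anon'], ['authenticated'], ['public']
  qual: string | null;  // the USING expression as Postgres prints it
}

// pg_tables.rowsecurity plus the table's policies (assumed shape).
interface TableSnapshot {
  schema: string;
  table: string;
  rowsecurity: boolean;
  policies: PolicySnapshot[];
}

// USING (true) comes back from pg_policies as "true"; allow a parenthesised form too.
const ALWAYS_TRUE = /^\(?\s*true\s*\)?$/i;

function isPermissiveRead(p: PolicySnapshot): boolean {
  const cmd = p.cmd.toUpperCase();
  return (cmd === 'SELECT' || cmd === 'ALL') && p.qual !== null && ALWAYS_TRUE.test(p.qual.trim());
}

export const rlsVector = {
  id: 'rls-disabled-missing-or-permissive',
  name: 'RLS disabled, missing, or USING (true)',
  severity: 'critical' as Severity,
  execute(ctx: { table: TableSnapshot }): VectorResult {
    const t = ctx.table;
    const ref = `"${t.schema}"."${t.table}"`;
    if (!t.rowsecurity) {
      // With RLS off, any role holding table privileges (anon included) reads every row.
      return { breached: true, status: 'breached', summary: `Table ${ref} has RLS disabled`,
               evidence: { table: ref, rowsecurity: false } };
    }
    const permissive = t.policies.filter(isPermissiveRead).map((p) => p.policyname);
    if (permissive.length > 0) {
      return { breached: true, status: 'breached',
               summary: `Table ${ref} has USING (true) read policies: ${permissive.join(', ')}`,
               evidence: { table: ref, permissive } };
    }
    if (t.policies.length === 0) {
      // RLS on with no policies is deny-by-default for non-owner roles: nothing
      // leaks, but the app cannot read the table either, which invites "fixing"
      // it by turning RLS off. Flag it as a warning rather than a breach.
      return { breached: false, status: 'warning',
               summary: `Table ${ref} has RLS enabled but no policies (default deny)`,
               evidence: { table: ref, policies: [] } };
    }
    return { breached: false, status: 'passed',
             summary: `Table ${ref} has RLS enabled with scoped policies`,
             evidence: { table: ref, policies: t.policies.map((p) => p.policyname) } };
  },
};

// Remediation: enable RLS, drop the USING (true) read policies, and scope reads
// to the row's owner through auth.uid(). ownerColumn is a placeholder; use the
// real owner column of the table.
export function remediationSql(t: TableSnapshot, ownerColumn = 'user_id'): string {
  const ref = `"${t.schema}"."${t.table}"`;
  const lines = [`alter table ${ref} enable row level security;`];
  for (const p of t.policies.filter(isPermissiveRead)) {
    lines.push(`drop policy if exists "${p.policyname}" on ${ref};`);
  }
  lines.push(`create policy "${t.table}_select_own" on ${ref}`,
             `  for select to authenticated`,
             `  using ((select auth.uid()) = ${ownerColumn});`);
  return lines.join('\n');
}

// CI gate in the spirit of the workflow's fail-on-critical input: fail only when
// a critical vector actually reports a breach, never on warnings.
export function failBuild(results: { severity: Severity; result: VectorResult }[],
                          failOnCritical: boolean): boolean {
  return failOnCritical && results.some((r) => r.severity === 'critical' && r.result.breached);
}

// Constructed sample: a vibe-coded "users" table with a USING (true) read policy.
export const leakyUsers: TableSnapshot = {
  schema: 'public', table: 'users', rowsecurity: true,
  policies: [{ policyname: 'Enable read access for all users', cmd: 'SELECT', roles: ['public'], qual: 'true' }],
};

const finding = rlsVector.execute({ table: leakyUsers });
console.log(finding.summary);
console.log(remediationSql(leakyUsers));
console.log('fail build:', failBuild([{ severity: rlsVector.severity, result: finding }], true));
```

Running it on the constructed `leakyUsers` table reports a breach, prints the three-statement fix (enable RLS, drop the permissive policy, create an owner-scoped `select` policy), and the gate returns `true` so a `fail-on-critical` pipeline would stop. The warning branch is deliberate: RLS enabled with no policies denies everything by default, so it is a usability problem that tempts people into disabling RLS rather than a data leak, and a scanner that labels it "breached" trains developers to ignore the red result.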