admin/QwenClaw-with-Auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ead4b32ec8e0cc2ea9c169acae69a121d23b518
QwenClaw-with-Auth/skills/suparalph-security/SKILL.md

463 lines
11 KiB
Markdown
Raw Blame History

# SupaRalph Security Skill for QwenClaw
## Overview
**Name:** suparalph-security
**Source:** https://github.com/vibeforge1111/vibeship-suparalph
**Mascot:** *"I'm in danger!"* - Ralph Wiggum
**SupaRalph** is an open-source **Supabase penetration testing and security scanner** that actively tests Supabase projects for vulnerabilities by executing real attacks rather than static analysis.
---
## What SupaRalph Does
| Capability | Description |
|------------|-------------|
| **Active Testing** | Executes real exploits against your Supabase project |
| **277 Attack Vectors** | Full coverage across all Supabase attack surfaces |
| **Zero Persistence** | No credentials or results stored - session only |
| **AI-Powered Fixes** | Copy findings to Supabase AI for SQL fix generation |
| **CI/CD Ready** | GitHub Actions integration for automated scans |
| **Compliance Mapping** | OWASP Top 10, SOC2, GDPR coverage |
---
## Attack Categories (277 Total Vectors)
| Category | Attacks | What It Tests |
|----------|---------|---------------|
| **RLS** | 100+ | Row Level Security bypass, USING(true), missing policies |
| **Auth** | 43+ | Weak passwords, MFA bypass, JWT manipulation, session attacks |
| **API** | 39+ | GraphQL introspection, CORS, security headers, credentials |
| **Storage** | 23+ | Public buckets, path traversal, file type abuse |
| **Functions** | 15+ | Edge function auth bypass, rate limit bypass |
| **Database** | 14+ | Direct access, injection, extension abuse |
| **Vibecoder** | 13+ | Common AI-generated code mistakes |
| **Realtime** | 13+ | Subscription leaks, channel hijacking |
---
## Installation
### Option 1: Run Locally
```bash
# Clone the repository
git clone https://github.com/vibeforge1111/vibeship-suparalph.git
cd vibeship-suparalph
# Install dependencies
npm install
# Start development server
npm run dev
```
Open: http://localhost:5173
### Option 2: Demo Mode
Enter `demo` as the URL to see a simulated scan without connecting to a real project.
---
## Usage with QwenClaw
### Basic Security Scan
```bash
# Start QwenClaw
qwenclaw start
# Send task to scan Supabase project
qwenclaw send "Use the suparalph-security skill to scan my Supabase project for vulnerabilities"
```
### Interactive Scan
```bash
qwenclaw send "Use suparalph-security to:
1. Get my Supabase project URL
2. Run a full security scan with 277 attack vectors
3. Review findings and generate remediation plan
4. Copy critical findings for Supabase AI fix generation"
```
### CI/CD Integration
```bash
qwenclaw send "Use suparalph-security skill to set up GitHub Actions for automated security scanning on every push"
```
---
## Usage Workflow
### Step 1: Get Supabase URL
1. Go to https://supabase.com/dashboard
2. Select your project
3. Settings → API
4. Copy **Project URL**
### Step 2: Run Security Scan
**Via Web UI:**
1. Open http://localhost:5173
2. Paste your Supabase URL
3. Optionally add anon key for deeper testing
4. Click "BREACH TEST"
5. Watch attacks execute in real-time via terminal UI
**Via QwenClaw:**
```bash
qwenclaw send "Run SupaRalph security scan on https://your-project.supabase.co"
```
### Step 3: Review Results
Results show in real-time terminal UI:
- ✅ Passed tests (green)
- ⚠️ Warnings (yellow)
- 🚨 Breached (red)
### Step 4: Fix Vulnerabilities
1. Click "Copy Findings for AI"
2. Open https://supabase.com/dashboard/project/_/sql/new
3. Paste findings
4. Ask Supabase AI to generate SQL fixes
---
## Integration Patterns
### Pattern 1: Pre-Deployment Security Check
```bash
qwenclaw send "Before deploying, use suparalph-security to scan the Supabase project and block deployment if critical vulnerabilities found"
```
### Pattern 2: Automated PR Security Review
```bash
qwenclaw send "Use suparalph-security to set up automated security scanning on pull requests with comment on findings"
```
### Pattern 3: AI Agent Security Loop
```bash
# With Ralph Wiggum Loop + Spark Intelligence
while :; do
qwenclaw send "Use suparalph-security to scan for new vulnerabilities"
qwenclaw send "Fix any critical findings with Supabase AI"
done
```
### Pattern 4: Compliance Reporting
```bash
qwenclaw send "Use suparalph-security to generate OWASP Top 10 compliance report for audit"
```
---
## Report Generation
### JSON Report (Machine-Readable)
```typescript
import { generateJSONReport } from '$lib/engine/reports';
const json = generateJSONReport(report, {
includeEvidence: true,
includeCompliance: true
});
```
### Markdown Report (Documentation)
```typescript
const md = generateMarkdownReport(report, {
includeCompliance: true,
includeFixes: true
});
```
### HTML Report (Shareable)
```typescript
const html = generateHTMLReport(report);
```
---
## CI/CD Setup (GitHub Actions)
### Create `.github/workflows/suparalph-scan.yml`
```yaml
name: SupaRalph Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run SupaRalph Scan
uses: vibeforge1111/suparalph-action@v1
with:
supabase-url: ${{ secrets.SUPABASE_URL }}
supabase-anon-key: ${{ secrets.SUPABASE_ANON_KEY }}
fail-on-critical: true
generate-report: true
- name: Upload Security Report
uses: actions/upload-artifact@v4
with:
name: suparalph-report
path: ./suparalph-report.html
```
### Required Secrets
| Secret | Description |
|--------|-------------|
| `SUPABASE_URL` | Your Supabase project URL |
| `SUPABASE_ANON_KEY` | Your anon/public key |
---
## Compliance Mapping
| Framework | Coverage | Mapped Controls |
|-----------|----------|-----------------|
| **OWASP Top 10 2021** | A01-A10 | Full coverage |
| **SOC2** | CC6.1, CC6.6, CC6.7 | Access control, security controls |
| **GDPR** | Articles 32, 33 | Security of processing, breach notification |
---
## Security & Privacy
| Feature | Description |
|---------|-------------|
| **Zero Persistence** | No credentials or scan results stored |
| **Session Only** | All data cleared when browser closes |
| **No Server Storage** | Scans run client-side |
| **Open Source** | Full code transparency |
| **Authorized Testing Only** | Only scan projects you own or have permission to test |
---
## Usage in QwenClaw
### Basic Scan
```
Use the suparalph-security skill to scan my Supabase project at https://my-project.supabase.co
```
### Full Security Audit
```
Use suparalph-security to:
1. Run all 277 attack vectors
2. Generate JSON report with evidence
3. Generate Markdown compliance report for OWASP Top 10
4. Create GitHub issue for each critical finding
```
### Automated Fix Workflow
```
Use suparalph-security with spark-intelligence to:
1. Scan for vulnerabilities
2. Capture findings in Spark memory
3. Generate pre-tool advisory for future similar issues
4. Copy critical findings to Supabase AI for fixes
```
### Vibecoder Analysis (AI-Generated Code)
```
Use suparalph-security to scan for Vibecoder vulnerabilities (common AI-generated code mistakes) and provide remediation guidance
```
---
## Attack Vector Examples
### RLS Bypass (Critical)
```typescript
// Attack: Missing RLS policy
{
id: 'rls-missing-policy',
name: 'Missing RLS Policy',
description: 'Table has no RLS policies configured',
severity: 'critical',
async execute(ctx) {
// Check if RLS is enabled
// Check for policies on all tables
return {
breached: true,
status: 'breached',
summary: 'Table "users" has no RLS policies',
evidence: { table: 'users', policies: [] }
};
}
}
```
### Auth: Weak Password Policy
```typescript
// Attack: Weak password requirements
{
id: 'auth-weak-password',
name: 'Weak Password Policy',
description: 'Password requirements are below security standards',
severity: 'high',
async execute(ctx) {
// Test minimum password length
// Test complexity requirements
return {
breached: true,
status: 'warning',
summary: 'Minimum password length is 6 (recommended: 12+)',
evidence: { minLength: 6, recommended: 12 }
};
}
}
```
### Vibecoder: AI-Generated Mistake
```typescript
// Attack: Common AI-generated code vulnerability
{
id: 'vibecoder-hardcoded-secrets',
name: 'Hardcoded Secrets in Code',
description: 'AI-generated code often includes hardcoded API keys',
severity: 'critical',
async execute(ctx) {
// Scan for hardcoded credentials
return {
breached: true,
status: 'breached',
summary: 'Hardcoded API key found in edge function',
evidence: { file: 'send-email.ts', line: 15 }
};
}
}
```
---
## Best Practices
### 1. Scan Before Deployment
Always run SupaRalph before deploying to production.
### 2. Automate with CI/CD
Set up GitHub Actions for automated scans on every push/PR.
### 3. Fix Critical First
Prioritize critical and high severity findings.
### 4. Use Supabase AI for Fixes
Copy findings to Supabase SQL Editor and ask AI to generate fixes.
### 5. Regular Scanning
Schedule weekly or monthly security scans.
### 6. Combine with Spark Intelligence
Use Spark to capture security patterns and prevent future vulnerabilities.
---
## Integration with Other Skills
### With Spark Intelligence
```bash
qwenclaw send "Use suparalph-security to scan, then spark-intelligence to capture findings as pre-tool advisories for future development"
```
**Benefits:**
- Spark remembers vulnerabilities found
- Pre-tool advisory warns before similar mistakes
- Auto-promotes security best practices to CLAUDE.md
### With Ralph Autonomous Agent
```bash
qwenclaw send "Use ralph-autonomous-agent with suparalph-security to continuously scan and fix vulnerabilities in a loop"
```
**Loop Pattern:**
```bash
while :; do
qwenclaw send "Scan with suparalph-security"
qwenclaw send "Fix critical findings"
qwenclaw send "Re-scan to verify fixes"
done
```
### With Frontend-Design
```bash
qwenclaw send "Use frontend-design skill to create a security dashboard that displays SupaRalph scan results"
```
---
## Skill Metadata
```yaml
name: suparalph-security
version: 1.0.0
category: security
description: Supabase penetration testing with 277 attack vectors,
AI-powered fixes, and CI/CD integration
author: Vibeship (https://github.com/vibeforge1111/vibeship-suparalph)
license: MIT
tags:
- security
- supabase
- penetration-testing
- compliance
- owasp
- ci-cd
- ai-fixes
```
---
## Resources
- **GitHub:** https://github.com/vibeforge1111/vibeship-suparalph
- **Demo:** http://localhost:5173 (run locally) or enter `demo` for simulated scan
- **Supabase Dashboard:** https://supabase.com/dashboard
- **Supabase AI:** https://supabase.com/dashboard/project/_/sql/new
---
## Disclaimer
> ⚠️ **For authorized testing only.** Only scan Supabase projects you own or have explicit permission to test. SupaRalph performs real attacks that could affect data. Use responsibly.
---
**SupaRalph: "I'm in danger!" - But your Supabase project doesn't have to be!** 🔒✨
Reference in New Issue View Git Blame Copy Permalink