Security Audit: Secrets Management and Vault

1.3.1 API Keys and Secrets

.env.example

  • Severity: INFO
  • Location: .env.example
  • Description: The file contains placeholder environment variables with comments explaining their use. No real secrets are present.
  • Evidence: All variables are empty (e.g., DEEPSEEK_API_KEY=).
  • Recommendation: Ensure that the actual .env file (which is ignored by git) contains the real secrets and is never committed.
  • CWE: None

.gitignore

  • Severity: INFO
  • Location: .gitignore
  • Description: The .gitignore file correctly ignores .env, .env.*, and other sensitive files (e.g., *.key, *.pem, local-scraper/.env).
  • Evidence: Lines 9-11, 38-42, 58.
  • Recommendation: Keep the .gitignore updated to ignore any new sensitive files.
  • CWE: None

Hardcoded Secrets in Source Code

  • Severity: LOW
  • Location: src directory (and other source directories)
  • Description: No hardcoded secrets (API keys, passwords, tokens) were found in the source code (src, components, pages, etc.) via grep for common patterns.
  • Evidence: grep commands returned no output.
  • Recommendation: Continue to avoid hardcoding secrets. Use environment variables or secrets management.
  • CWE: CWE-798: Use of Hard-coded Credentials

1.3.2 Supabase Vault

Migration 043 (043_encrypt_clients_passwords.sql)

  • Severity: MEDIUM
  • Location: supabase/migrations/043_encrypt_clients_passwords.sql
  • Description: The migration encrypts passwords with pgp_sym_encrypt, which is appropriate. However, if the Vault secret is not set it falls back to the hardcoded key 'CHANGE_ME_USE_VAULT', so a misconfigured Vault silently results in data encrypted under a key that is visible to anyone with access to the repository.
  • Evidence: Lines 28-31: SELECT coalesce( (SELECT decrypted_secret FROM vault.decrypted_secrets WHERE name = 'senha_inss_key' LIMIT 1), 'CHANGE_ME_USE_VAULT' ) INTO encryption_key;
  • Recommendation: Remove the fallback in production and ensure that the Vault secret is set. Consider adding a check that raises an error if the secret is not found in the Vault.
  • CWE: CWE-798: Use of Hard-coded Credentials (if fallback is used) and CWE-260: Password in Configuration File (if the fallback is considered a configuration issue)

Migration 005 (005_senha_inss_encryption.sql)

  • Severity: MEDIUM
  • Location: supabase/migrations/005_senha_inss_encryption.sql
  • Description: Similar to migration 043, migration 005 has a fallback to the hardcoded key 'CHANGE_ME_USE_VAULT' for the encryption key.
  • Evidence: Lines 21-24: SELECT coalesce( (SELECT decrypted_secret FROM vault.decrypted_secrets WHERE name = 'senha_inss_key' LIMIT 1), 'CHANGE_ME_USE_VAULT' ) INTO encryption_key;
  • Recommendation: Remove the fallback and ensure the Vault secret is set.
  • CWE: CWE-798: Use of Hard-coded Credentials
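The fail-closed key lookup recommended for migrations 043 and 005 above, as an added example (not code from the audited migrations). The Vault secret name 'senha_inss_key' and the use of pgp_sym_encrypt come from the evidence; the clients table and its senha_inss / senha_inss_enc column names are assumed.

```sql
-- Added example, not the repository's own migration. Replaces the audited pattern
--   SELECT coalesce((SELECT decrypted_secret FROM vault.decrypted_secrets
--                    WHERE name = 'senha_inss_key' LIMIT 1), 'CHANGE_ME_USE_VAULT')
--     INTO encryption_key;
-- with a lookup that aborts the migration when the Vault secret is missing.
DO $$
DECLARE
  encryption_key text;
BEGIN
  -- Read the key from Supabase Vault. No COALESCE: a missing secret yields NULL.
  SELECT decrypted_secret
    INTO encryption_key
    FROM vault.decrypted_secrets
   WHERE name = 'senha_inss_key'
   LIMIT 1;

  -- Fail closed. A NULL, empty or placeholder value means the Vault is not
  -- configured; raising here rolls back the whole migration instead of
  -- silently encrypting under a key that lives in source control.
  IF encryption_key IS NULL
     OR encryption_key = ''
     OR encryption_key = 'CHANGE_ME_USE_VAULT' THEN
    RAISE EXCEPTION
      'Vault secret senha_inss_key is not set; create it with vault.create_secret() before running this migration'
      USING ERRCODE = 'invalid_parameter_value';
  END IF;

  -- Encryption step as described in the audit (pgp_sym_encrypt from pgcrypto).
  -- Table and column names are assumed for this example.
  UPDATE public.clients
     SET senha_inss_enc = pgp_sym_encrypt(senha_inss, encryption_key)
   WHERE senha_inss IS NOT NULL
     AND senha_inss_enc IS NULL;
END
$$;
```

Because the check runs inside the migration's own transaction, a deployment against an environment without the secret fails loudly at migration time rather than leaving weakly protected rows to discover later.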

Edge Functions Use of Deno.env.get

  • Severity: INFO
  • Location: supabase/functions/ (multiple files)
  • Description: Edge Functions correctly use Deno.env.get to retrieve secrets (e.g., SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, API keys for LLMs).
  • Evidence: Multiple lines showing Deno.env.get calls.
  • Recommendation: Continue using Deno.env.get for accessing secrets in Edge Functions.
  • CWE: None

Service Role Key Exposure

  • Severity: INFO
  • Location: src directory (searched for VITE_)
  • Description: No VITE_* variables were found in the source code, indicating that the Service Role Key is not exposed to the frontend.
  • Evidence: grep for VITE_ returned no output.
  • Recommendation: Ensure that no Supabase service role key is ever exposed to the client-side code.
  • CWE: None