Example report

Security audit overview

Launch decision, risk breakdown, top issue, and next steps from this static pre-launch review.

Free Preview | Static review | Masked evidence | No code execution

AI App Security Review demo

May 31, 2026, 6:42 PM | report_demo_001

Full report access

Export is available with the full Launch Review.

01

Executive overview

Can I launch?

Blocked

2 launch blockers should be fixed before public launch.

Launch blockers and next actions are the primary decision path. The score is supporting context.

Blockers: 2

First priority: Rotate exposed Supabase service-role credentials and remove them from public/client-exposed configuration before public launch.

Warnings: 1

Hardening: 0

Total findings: 3

Score is low because 2 launch blockers, 1 critical finding, and 2 high-risk findings were detected.

Readiness score: 0/100

Secondary context for the launch decision.

Severity (14 total)

  • Critical: 1
  • High: 2
  • Medium: 4
  • Low: 7

Detected stack (4): Next.js, Supabase, Stripe, Vercel

Preview summary

Issue counts (14 total)

  • Critical: 1
  • High: 2
  • Medium: 4
  • Low: 7

Sample finding

Exposed Supabase service role key

Critical | Secrets | High confidence

The service-role key can bypass normal Supabase row-level protections and should only exist on the server.

Full file path and audit evidence unlock with the full report.

Launch access

Unlock the full action plan

Free Preview proves the scan worked without exposing the complete report. Request launch access to unlock full findings, file paths, fix guidance, re-scan access, export, and AI-assisted guidance.

02

Your app structure

Inferred application structure

Your app structure is inferred from static files and configuration signals. It may not include runtime-only services.

Legend: Neutral | Warning | High risk

User / client: Browser or API consumer

Frontend: Next.js / React

API layer: Next.js routes or handlers

Services (3):

  • Auth: Supabase Auth
  • Database: Supabase / Postgres
  • Payments: Stripe

Map summary

5 detected nodes: 3 high risk, 0 warning, 2 neutral

Frontend, API layer, Auth, Database, Payments
03

Abuse preview

Attack path preview | Full report locked

Detailed attack paths unlock with the full report.

Your scan found signals worth reviewing before launch. Free Preview shows the risk signal; the full report shows how the signals connect.

Unlocks with the full report:

  • Top inferred paths from the current findings
  • Related finding locations and supporting evidence
  • Verification guidance before public launch

04

What to fix first

Prioritized issues before launch

Free Preview

Showing 3 sample findings of 3

Full details locked

Free Preview shows the score, counts, and a few representative findings. Full file paths, complete evidence, fix details, export, and AI-assisted fix guidance are available with the full report.

Critical | Secrets | High confidence

Exposed Supabase service role key

File path available in full report

If exposed, this key can bypass normal Supabase row-level protections and access or change data with elevated privileges.

Business impact

Customer records or account data may be exposed, modified, or reachable by the wrong user.

Launch recommendation

Fix before accepting users. Verify the evidence and re-run the review before public launch.

Fix effort

Quick

High | Authorization | High confidence

Missing ownership check on project API route

File path available in full report

A user may be able to access or modify another user's record by changing an ID.

Business impact

Customer records or account data may be exposed, modified, or reachable by the wrong user.

Launch recommendation

Fix before public launch unless you can confirm it is not reachable in production.

Fix effort

Moderate

Medium | Configuration | Medium confidence

Missing security headers

File path available in full report

Database rules may allow broader access than intended if the policy or grant is not restricted.

Business impact

Browser-facing behavior may increase abuse, phishing, or trust risk if left broad.

Launch recommendation

Review before launch. It may not block launch by itself, but it should be understood and tracked.

Fix effort

Quick

Free Preview shows the risk signal. The full report unlocks the full evidence, file paths, and remediation path.

05

Fix preview locked

Fix preview | Full report locked

Before / after fix guidance unlocks with the full report.

Free Preview confirms the scan found a pattern. The full report shows the exact remediation direction to review and test.

Unlocks with the full report:

  • Before / after guidance based on the selected finding
  • File-specific fix direction and review steps
  • AI-assisted fix guidance for applying the fix carefully

06

Remediation

Launch access | Opening soon

Unlock the full Launch Readiness Report

Free Preview shows the signal. The full report unlocks complete findings, file paths, fix guidance, remediation roadmap, follow-up scan access, and sanitized export.

  • Full findings and file paths
  • Complete masked evidence
  • Attack paths and fix preview
  • Remediation roadmap and re-scan access
  • Sanitized export and AI-assisted fix guidance

07

Review scope / trust

What this static review covered

This report uses static project signals and masked evidence. It is designed to reduce obvious launch risk, not to prove complete security.

Static review

Checked signals

Included

Project signals

  • Uploaded project structure and indexed source/config files
  • Detected stack and framework indicators
  • Dependency and package information

Launch-risk patterns

  • Secret-like patterns
  • Configuration and browser-security patterns
  • Authentication and ownership patterns

Framework packs

  • Supabase key, RLS, policy, grant, and storage hints when present
  • Stripe key, webhook, checkout, and payment route hints when present
  • Next.js client component, route handler, redirect, middleware, and protected route hints when present

Important limitations

Verify

No runtime execution

  • Uploaded code was not executed
  • Dependencies were not installed
  • Authenticated runtime behavior was not tested

No live environment verification

  • Production environment variables were not verified
  • Live database permissions were not checked
  • Detected secrets were not tested for validity

Not a full assurance claim

  • This is not a full penetration test
  • This review reduces obvious launch risk but cannot prove complete protection

Category summary

Finding coverage by area

3 total findings

  • Secrets: 1
  • Supabase: 0
  • Stripe: 0
  • Next.js: 0
  • Authorization: 1
  • Configuration: 1
  • Dependencies: 0
  • Code Patterns: 0
  • Other: 0