Security signal
Critical
Safety signal Severe · ≤25/100
High score means fewer critical app-safety findings; red verdicts mean urgent proof exists.
Security signal
Critical
Safety signal Severe · ≤25/100
High score means fewer critical app-safety findings; red verdicts mean urgent proof exists.
Maintainability signal
Healthy
Maintainability score 97/100
High score means low change-risk; cleanup labels point to specific maintainability findings.
Test signal
Mostly covered
Detected test confidence 82/100
High score means critical flows appear covered; the label calls out remaining gaps only when score and evidence justify it.
Fix now
12
Fix soon
12
Can wait
5
Top 3 fixes
Critical
Fix now
.env
Environment file appears committed
Why it matters
Committed environment files often contain API keys, database URLs, or signing secrets.
Suggested fix
Remove the file from git history if it contains real secrets, rotate exposed keys, and commit only a safe example file.
Verification step
Confirm the real secret file is not tracked.
Category: Security
Critical
Fix now
app/api/stripe/webhook/route.ts
Webhook handler may be missing signature verification
Why it matters
Unsigned webhook requests can fake payment, subscription, or account state changes.
Suggested fix
Verify the provider signature using the raw request body before processing the event.
Verification step
Send an unsigned webhook and confirm it is rejected.
Category: Security
Critical
Fix now
lib/projects.ts
Supabase service role key touches user-owned data
Why it matters
The service role bypasses Supabase RLS. A missing code-level ownership check can expose or mutate every user's data.
Suggested fix
Use user-scoped Supabase clients for normal user data, keep service-role access in narrow admin/server-only paths, and enforce owner filters plus RLS.
Verification step
Confirm this code never runs for normal user requests.
Category: Data Safety
Export / client-safe summary
Demo the Studio/agency workflow: top 3 risks, safety signal, badge-ready status, before/after verification notes, and client-safe handoff without raw source.
Recommended fix order
Auth, payment, secrets, user data, or unsafe execution risk.
Signals shown
Important hardening: permissions, containers, tests, and maintainability.
Signals shown
Lower urgency cleanup after the risky paths are handled.
Signals shown
Cross-check only - these are already counted in Fix soon or Can wait, not extra findings.
Already in findings
Source
github.com/abyssguard/sample-vulnerable-ai-saas
Saved report
10 files / 708 lines / Full report scan
Handling
Source forgotten after report build
Fix admin access, payment webhook validation, and user-data ownership first. The app is not hopeless, but it is not ready to trust with real users until these flows are checked and re-scanned.
Evidence-backed findings
Each grouped finding expands with affected file/line, observed evidence, suggested fix, verification step, and confidence caveat.
Showing 29 of 29 active findings. Red counts exclude ignored findings.
.env:1
Committed environment files often contain API keys, database URLs, or signing secrets.
Affected file / line
.env:1
Confidence caveat
A non-example env file was present in the scanned source tree.
Observed evidence
.env is present in the repository file list.
Suggested fix
Remove the file from git history if it contains real secrets, rotate exposed keys, and commit only a safe example file.
Verification step
Confirm the real secret file is not tracked.
Technical details
app/api/stripe/webhook/route.ts:3
Unsigned webhook requests can fake payment, subscription, or account state changes.
Affected file / line
app/api/stripe/webhook/route.ts:3
Confidence caveat
A webhook provider was detected without a common signature verification marker.
Observed evidence
Webhook-like handler was found, but common signature verification calls were not detected.
Suggested fix
Verify the provider signature using the raw request body before processing the event.
Verification step
Send an unsigned webhook and confirm it is rejected.
Technical details
lib/projects.ts:3
The service role bypasses Supabase RLS. A missing code-level ownership check can expose or mutate every user's data.
Affected file / line
lib/projects.ts:3
Confidence caveat
The file references a Supabase service-role key and likely user-owned table access.
Observed evidence
A Supabase service-role key appears in code that queries likely user-owned tables.
Suggested fix
Use user-scoped Supabase clients for normal user data, keep service-role access in narrow admin/server-only paths, and enforce owner filters plus RLS.
Verification step
Confirm this code never runs for normal user requests.
Technical details
app/api/ai/agent/route.ts:9
Prompt injection or user input can become server-side command execution if tool actions are not strictly isolated.
Affected file / line
app/api/ai/agent/route.ts:9
Confidence caveat
The file combines command/code execution markers with request or tool input markers.
Observed evidence
Command/code execution appears in a route that also handles request or LLM/tool input.
Suggested fix
Remove direct shell/code execution from AI routes or replace it with a narrow server-side allowlist of safe operations.
Verification step
Send a command-like payload and confirm it is rejected.
Technical details
app/api/admin/users/route.ts:3
If middleware does not protect this route, users may be able to read or change data they should not access.
Affected file / line
app/api/admin/users/route.ts:3
Confidence caveat
No common auth marker was found in the route file. Global middleware may still protect it.
Observed evidence
Route exports a handler for sensitive-looking data, but no common server-side auth marker was found in the file.
Suggested fix
Require a server-side session and the right role/ownership check before doing any sensitive work.
Verification step
Request the route while logged out.
Technical details
app/admin/page.tsx:1
If middleware is missing or misconfigured, anyone may be able to load admin UI and trigger admin workflows.
Affected file / line
app/admin/page.tsx:1
Confidence caveat
The file path is clearly admin-scoped and the page file did not show a common auth marker. Middleware may still protect it.
Observed evidence
An admin page route was found without a common server-side auth marker in the page or layout file.
Suggested fix
Require a server-side session and admin-role check in the admin page/layout before rendering admin content.
Verification step
Open the admin page logged out.
Technical details
app/api/checkout/route.ts:7
Paid access should normally be granted from verified provider events, not from client-controlled requests.
Affected file / line
app/api/checkout/route.ts:7
Confidence caveat
The file appears to combine request input with payment/access state writes outside a webhook path.
Observed evidence
A non-webhook API route appears to accept request input and write subscription, plan, paid, or access state.
Suggested fix
Move paid-access state changes behind verified webhooks or server-side provider lookups, and reject direct client attempts to set paid state.
Verification step
Attempt to set paid/subscription state from the client route.
Technical details
app/api/ai/agent/route.ts:14
If users can choose tools or tool definitions, prompt injection can expand what the model is allowed to do.
Affected file / line
app/api/ai/agent/route.ts:14
Confidence caveat
A request body value appears to be passed into the LLM tool configuration.
Observed evidence
LLM tool configuration appears to come from request-controlled data.
Suggested fix
Define server-side tool allowlists and ignore request-provided tool definitions unless they are strictly validated against safe options.
Verification step
Send a request with an unexpected tool.
Technical details
app/api/checkout/route.ts:6
A user may be able to choose a cheaper or unintended price if billing plans are trusted from the browser.
Affected file / line
app/api/checkout/route.ts:6
Confidence caveat
The scanner saw request-controlled price/product input without a common allowlist marker.
Observed evidence
Checkout-like code reads a price/product id from request input without a visible server-side allowlist.
Suggested fix
Map allowed plans to server-side provider price ids and reject unknown client plan names before creating checkout sessions.
Verification step
Send a checkout request with an unknown price id.
Technical details
app/api/admin/users/route.ts:4
A user may be able to read or change another user's data if ownership is enforced nowhere else.
Affected file / line
app/api/admin/users/route.ts:4
Confidence caveat
The scanner saw database access to likely user-owned data without an obvious ownership marker.
Observed evidence
Grouped 2 matching instances. Representative evidence: User-owned data names appear near database queries, but common owner/user filters were not detected in the file.
Suggested fix
Filter reads and writes by the current user and confirm database-level row policies cover the table.
Verification step
Create two test users with separate records.
Technical details
app/api/ai/agent/route.ts:9
Prompt injection or model mistakes can trigger unintended sends, deletes, network calls, filesystem writes, billing actions, or shell commands.
Affected file / line
app/api/ai/agent/route.ts:9
Confidence caveat
The file combines AI/agent markers and side-effect markers without visible guard markers. Some guards may live in a shared helper.
Observed evidence
Agent/tool code appears near an external side-effect marker without common approval, allowlist, or audit-log controls.
Suggested fix
Require server-side tool allowlists, human approval for external side effects, dry-run previews, and durable audit logs for agent actions.
Verification step
Attempt a side-effecting prompt injection.
Technical details
app/api/upload/route.ts:6
Unauthenticated uploads can create storage abuse, malware hosting, surprise bills, or user data exposure.
Affected file / line
app/api/upload/route.ts:6
Confidence caveat
No common auth marker was found in an upload-like API route. Middleware may still protect it.
Observed evidence
Upload-like API route was found without a common server-side auth marker.
Suggested fix
Require a signed-in user before parsing or storing uploaded files, and enforce per-user storage limits.
Verification step
Attempt upload while logged out.
Technical details
package.json:2
Users need a controlled way to verify fixes for auth, payments, data access, uploads, webhooks, and AI tools.
Affected file / line
package.json:2
Confidence caveat
package.json was parsed and no test-like script name was present.
Observed evidence
Critical app flows were detected, but package.json has no test-like script.
Suggested fix
Add a focused test script and at least one critical-flow regression test before relying on the report as fixed.
Verification step
Run the new test script locally.
Technical details
app/api/stripe/webhook/route.ts:3
Payment providers retry webhooks. Duplicate processing can grant access twice, revoke the wrong state, or create inconsistent subscription records.
Affected file / line
app/api/stripe/webhook/route.ts:3
Confidence caveat
No common idempotency marker was found. The handler may delegate this elsewhere, so verify the call chain.
Observed evidence
Webhook-like handler was found, but no common event-id/idempotency marker was detected.
Suggested fix
Store provider event ids and skip already-processed events before changing subscription or account state.
Verification step
Replay the same webhook event twice.
Technical details
app/api/upload/route.ts:7
Unrestricted uploads can create storage abuse, malware distribution, or unexpected file execution risk.
Affected file / line
app/api/upload/route.ts:7
Confidence caveat
The scanner saw upload-like code without obvious validation markers.
Observed evidence
Upload-like code was detected without common file size or content-type checks.
Suggested fix
Limit file size, allowed MIME types/extensions, and storage destination before accepting uploads.
Verification step
Upload an oversized file and confirm rejection.
Technical details
app/api/upload/route.ts:10
Private user uploads can leak if stored in public buckets or returned as public URLs without an access check.
Affected file / line
app/api/upload/route.ts:10
Confidence caveat
Public access markers were found near upload handling. Confirm whether the files contain user data.
Observed evidence
Upload-like code references public file access markers.
Suggested fix
Store uploads privately by default and serve them through signed URLs or authenticated download routes.
Verification step
Upload a file as user A.
Technical details
package.json:6
Without a lockfile, installs can resolve different transitive dependency versions than the ones tested or reviewed.
Affected file / line
package.json:6
Confidence caveat
A package manifest was visible and no supported lockfile path was present in the scan input.
Observed evidence
package.json declares dependencies, but no npm, pnpm, yarn, or bun lockfile was present in the scanned snapshot.
Suggested fix
Commit the package manager lockfile used in development and CI, then keep dependency updates explicit and reviewed.
Verification step
Install dependencies from a clean checkout.
Technical details
app/api/ai/agent/route.ts:2
Unvalidated AI inputs can leak data, trigger unsafe tools, or make the model act on attacker-controlled instructions.
Affected file / line
app/api/ai/agent/route.ts:2
Confidence caveat
The route appears to connect user input to an LLM without a visible validation marker.
Observed evidence
LLM/API usage appears near request input, but common validation or allowlist markers were not found.
Suggested fix
Validate request shape, limit what data reaches the model, and allowlist any tools the model can call.
Verification step
Send malformed input and confirm it is rejected.
Technical details
app/api/upload/route.ts:9
User-controlled filenames can overwrite files, leak names, or create path traversal and cache confusion risks.
Affected file / line
app/api/upload/route.ts:9
Confidence caveat
Original filename usage was found without obvious sanitization or random id generation.
Observed evidence
The upload path appears to use the original filename without a visible randomization or sanitization marker.
Suggested fix
Generate server-side object keys with random ids, preserve extensions only after validation, and store the original name as metadata.
Verification step
Upload two files with the same name.
Technical details
app/api/admin/users/route.ts:3
Expensive or sensitive routes can be abused for spam, cost spikes, brute force attempts, or degraded service.
Affected file / line
app/api/admin/users/route.ts:3
Confidence caveat
A route looked sensitive or expensive and no rate-limit marker was visible.
Observed evidence
Grouped 5 matching instances. Representative evidence: High-risk route keywords were detected, but common rate-limit markers were not found.
Suggested fix
Add a simple per-IP or per-user rate limit around this route.
Verification step
Send repeated requests and confirm 429 after the limit.
Technical details
lib/projects.ts:1
If code-level ownership checks are missed, RLS is the database backstop that prevents cross-user data exposure.
Affected file / line
lib/projects.ts:1
Confidence caveat
Migrations may live outside the scanned source cap, but no RLS policy file was visible in this snapshot.
Observed evidence
Supabase user-data access was detected, but scanned SQL migrations did not show row-level security policies.
Suggested fix
Add or verify Supabase migrations that enable RLS and create owner-based policies for user-owned tables.
Verification step
Inspect Supabase table policies.
Technical details
package.json:1
Headers such as CSP, HSTS, X-Frame-Options, and Referrer-Policy reduce XSS, clickjacking, downgrade, and data-leak impact.
Affected file / line
package.json:1
Confidence caveat
Headers may be added by the hosting platform outside the scanned repository, so the live site should be probed.
Observed evidence
A Next.js app was detected, but scanned source/config did not show common security headers.
Suggested fix
Add security headers through next.config, middleware, or the deployment edge layer, then verify them against the live URL.
Verification step
Run the app locally or in staging.
Technical details
package.json:1
Application-layer floods, scripted signup/login abuse, and expensive endpoint traffic can take an app down or create surprise bills even when the code has no data leak.
Affected file / line
package.json:1
Confidence caveat
Edge DDoS controls are often configured outside the repository, so this static finding means no proof was visible in the scan.
Observed evidence
The repo appears to expose API routes, but scanned source/config did not show CDN/WAF, bot protection, or edge rate-limit markers.
Suggested fix
Add an edge protection layer such as Cloudflare, Vercel Firewall, provider WAF rules, bot challenges, or global rate limits for high-cost routes.
Verification step
Identify the deployed edge/CDN provider.
Technical details
.env:1
Security bugs and outages become harder to contain when auth, payment, AI, or data failures do not produce actionable alerts.
Affected file / line
.env:1
Confidence caveat
Monitoring may be configured outside the repository, so this finding means no proof was visible in scanned files.
Observed evidence
Critical app flows were detected, but scanned source/config did not show common monitoring, error tracking, or alert-routing markers.
Suggested fix
Add production error monitoring and alert routing for auth, payments, webhooks, background scans, and other critical flows.
Verification step
Trigger a safe test error in staging.
Technical details
.github/workflows/:1
Without CI, risky changes can land without tests, typecheck, or lint running automatically.
Affected file / line
.github/workflows/:1
Confidence caveat
CI may exist outside GitHub Actions or outside the scanned source cap, but no workflow file was visible.
Observed evidence
Critical app flows were detected, but no GitHub Actions workflow files were visible in the scanned snapshot.
Suggested fix
Add a small CI workflow that runs install, typecheck/build, and focused tests for critical flows.
Verification step
Open a test PR.
Technical details
package.json:6
An SBOM makes it faster to answer customer, incident, and vulnerability-response questions about affected packages.
Affected file / line
package.json:6
Confidence caveat
The scanner saw package dependencies but no SBOM file or obvious SBOM script.
Observed evidence
Dependencies are declared, but no SBOM file or SBOM generation script was visible in the scanned snapshot.
Suggested fix
Add a CycloneDX or SPDX SBOM generation command and include it in release or security-review workflows.
Verification step
Run the SBOM generation command.
Technical details
package.json:1
Missing license metadata can slow customer reviews, open-source publication, and downstream dependency analysis.
Affected file / line
package.json:1
Confidence caveat
The package manifest lacks both private: true and a license field.
Observed evidence
package.json is not marked private and does not include a license field.
Suggested fix
Mark the package private if it is never published, or add the intended license metadata.
Verification step
Confirm whether the package is private or distributed.
Technical details
SECURITY.md:1
When a vulnerability or compromise happens, teams need a clear contact, triage owner, rotation list, and notification path before stress hits.
Affected file / line
SECURITY.md:1
Confidence caveat
No supported security/incident document path was present in the scan input.
Observed evidence
No SECURITY.md, incident-response runbook, or equivalent security process document was visible in the scanned snapshot.
Suggested fix
Add a short SECURITY.md or incident-response runbook with reporting contact, severity triage, credential rotation, evidence preservation, and user notification steps.
Verification step
Confirm the security contact reaches an owner.
Technical details
tests/:1
Critical-flow tests are useful release hygiene, but missing test references should not look like an urgent app vulnerability without direct unsafe code evidence.
Affected file / line
tests/:1
Confidence caveat
No scanned test files were found for this critical flow. AbyssGuard groups and downgrades repo-wide checklist absence findings so clean scaffolds are not dominated by scary warnings.
Observed evidence
Grouped 5 matching instances. Representative evidence: A admin access flow was detected, but scanned test files did not reference it. This is repo-wide checklist guidance, not direct runtime exploit evidence.
Suggested fix
Review the detected flow and add focused tests when it is part of shipped runtime behavior.
Verification step
Run the new test locally.
Technical details