Skip to content

Representative walkthrough · not a live scan

Evidence, fix prompts, and retest workflow in one report.

Follow a report from the first verified evidence through independent deep scanners, AI-assisted remediation, re-testing, and continuous monitoring. Every value on this page is labelled as representative—not customer telemetry.

app.example.com

Security scan · representative

Partial
  • Base report ready for review
  • Independent deep engines continue
  • Score confidence follows verified coverage

Progressive delivery

Useful evidence now. Deeper coverage without blocking the report.

Base modules publish their verified observations first. Nuclei, OWASP ZAP, and Medusa keep their own state and join the same report only when their results are ready. Pending and unavailable never mean passed.

Report ready

Base security modules

Verified URL evidence is available now.

Running

Nuclei

Template-backed checks continue independently.

Queued

OWASP ZAP

The base report does not wait for this engine.

Unavailable in this sample

Medusa

No verified Medusa result was produced, so no clean pass is inferred.

What the reader can trust: Only completed, verified scanner output can become a confirmed finding or a clean pass. The report refreshes as independent engines finish; it never invents a result to fill a gap.

Findings

Evidence is the source of truth. Interpretation stays labelled.

CriticalVerified live evidencesupabase:service_role_exposed

Supabase service-role key exposed in client bundle

Observed by scanner
A browser-delivered JavaScript asset contains a Supabase service-role token fingerprint. The secret value is redacted from the report.
AI interpretation
Treat the token as compromised: rotate it, move privileged calls server-side, and review Supabase audit activity. This guidance does not replace the scanner evidence above.
MediumVerified HTTP evidenceheaders:content_security_policy_missing

Content Security Policy is missing

Observed by scanner
The final HTML response did not include a Content-Security-Policy or Content-Security-Policy-Report-Only header. Response details are retained as evidence.
AI interpretation
Start in report-only mode, review violations, then enforce a policy scoped to the application's actual script and connection origins.

Passed checks

  • TLS certificate is valid and not near expiry.
  • DMARC policy is present for the primary domain.
  • No public .env file detected on common exposure paths.
  • No malware or defacement signal in the latest monitor check.

Score transparency

This walkthrough does not publish a made-up final score. A real report labels the score as assessed, provisional, or not assessed from its verified weighted coverage, and keeps pending, partial, and unavailable scanners visible.

Base coverage

Completed

Deep coverage

Still in progress

Unavailable

Never counted as passed

AI fix prompt

Remove the exposed Supabase service-role credential.
Rotate and revoke the compromised key before deployment.
Move privileged operations into a server-only module.
Keep only the anon key in browser-delivered code.
Add a build test that rejects service-role fingerprints.

Generated from the verified finding context. Secrets and sensitive evidence stay redacted from the prompt.

Compliance mapping

References help route remediation work. They do not claim certification or legal compliance.

OWASP A01: Broken Access ControlOWASP A05: Security MisconfigurationCWE-798: Use of Hard-coded CredentialsCWE-693: Protection Mechanism Failure

Care monitoring

Make this report the baseline, not the finish line.

Care watches uptime, SSL, DNS, blocklists, client-side threats, defacement, and recurring deep scan results. It records verified changes and keeps incomplete scanners visible instead of turning them into false reassurance.

Honest score and finding history

No past runs are fabricated for this sample. History begins after ownership verification and Care activation.

  1. Baseline

    Current verified report

    Captured after activation

  2. Weekly

    Compare deep results

    New, resolved, and changed

  3. On change

    Alert, fix, re-test

    Only verified regressions

Email owner
Slack team
Signed webhook