友田 陽大

SOC 2 · ISO 27001 evidence

Turn your Supabase scan into auditor-ready control evidence

A security questionnaire asks how you enforce row-level authorization; a SOC 2 audit asks for evidence. Aegis maps every RLS and application-layer finding to the SOC 2 Trust Services Criteria and ISO 27001 Annex A controls it speaks to — covered, gap, or not assessed — and exports it as Markdown or JSON you can hand to an auditor.

npx @aegiskit/cli report --framework soc2

Runs locally, contacts nothing. Add --format json for GRC ingest.

Honest scope: this is a reference mapping of application-layer technical controls, not a certification and not a substitute for an audit. It complements Vanta/Drata; it does not replace them.

Why this exists

The money question in every security review is authorization

Horizontal controls (headers, rate limiting, CSRF) are easy to evidence. The control that stalls enterprise deals is the one a library can't fix for you: does your row-level access actually scope data to its owner? Aegis gives you machine-checked evidence for exactly that.

  • Questionnaires ask for proof, not promises

    "Describe how you enforce tenant isolation and row-level access control" — you need a concrete, current artifact, not a paragraph.

  • Auditors want technical evidence mapped to controls

    A finding is more useful when it is already labelled CC6.1 or A.8.3 with a source location and a remediation.

  • AI-built apps reach the trigger fast

    The first enterprise deal, procurement due diligence, or SOC 2 kickoff arrives before the security work is done — evidence has to be one command away.

Control mapping

Which SOC 2 / ISO 27001 control is each finding evidence for?

Aegis maps by OWASP Top 10 (2021) category, so the same access-control checks land on the same control. Switch frameworks and expand a control to see what it covers and how Aegis evidences it.

SOC 2 — Common Criteria (2017 TSC)

The security Common Criteria points of focus that Aegis's checks touch.

  • CC6.1

    Logical access controls over protected information assets

    Covers

    • A01: Broken Access Control

      How Aegis evidences it: RLS owner-scoping, IDOR / broken authorization

    • A05: Security Misconfiguration

      How Aegis evidences it: security headers / CSP, committed secrets, client-exposed env

  • CC6.6

    Protection against threats from outside the system boundary

    Covers

    • A04: Insecure Design

      How Aegis evidences it: missing rate limiting on AI / expensive routes

    • A05: Security Misconfiguration

      How Aegis evidences it: security headers / CSP, committed secrets, client-exposed env

    • A10: Server-Side Request Forgery (SSRF)

      How Aegis evidences it: tainted server-side fetch targets

  • CC6.7

    Secure transmission, movement, and removal of information

    Covers

    • A02: Cryptographic Failures

      How Aegis evidences it: weak hashing, insecure randomness, non-constant-time compares

  • CC6.8

    Prevent or detect unauthorized or malicious software

    Covers

    • A03: Injection

      How Aegis evidences it: SQL injection, XSS, command / code injection

    • A08: Software & Data Integrity Failures

      How Aegis evidences it: unvalidated postMessage origins

  • CC7.1

    Detect configuration changes and newly introduced vulnerabilities

    Covers

    • A03: Injection

      How Aegis evidences it: SQL injection, XSS, command / code injection

    • A06: Vulnerable & Outdated Components

      How Aegis evidences it: super-linear (ReDoS) regular expressions

Reference mapping — technical rule-to-control associations involve interpretation and require your auditor's confirmation. Aegis covers a subset of application-layer controls only.

The deliverable

One command, an auditor-ready report

aegis report runs your scan and emits control-by-control evidence: covered, gap, or not assessed, with the source location and fix for every gap. Markdown to hand over, JSON to ingest into a GRC tool.

# SOC 2 (2017 Trust Services Criteria) — application-layer control evidence

> Technical evidence for a subset of application-layer controls — not a
> certification, an attestation, or a substitute for an audit.

**Scanned files:** 128 · **Rules applied:** 33 · **No gaps detected:** 4 · **Gaps found:** 1

## Control coverage

| Control | Title | Status | Evidence |
| --- | --- | --- | --- |
| CC6.1 | Logical access controls | Gap(s) found | 1 finding |
| CC6.6 | Boundary protection | No gaps detected | — |
| CC6.7 | Secure data transmission | No gaps detected | — |
| CC6.8 | Prevent malicious software | No gaps detected | — |
| CC7.1 | Detect new vulnerabilities | No gaps detected | — |

## Gaps — findings to remediate

### CC6.1 — Logical access controls over protected information assets

- **rls/policy-not-owner-scoped** (HIGH) — supabase/migrations/0003_notes.sql:8
  - Policy on "notes" (SELECT) only checks that the caller is authenticated,
    but the table has an ownership column — every authenticated user can read
    every row, not just their own.
  - Fix: scope the policy to the caller, e.g. USING (auth.uid() = user_id).

Excerpt of aegis report --framework soc2 --format md (illustrative).

How it works

From scan to evidence in three steps

No database connection, no signup, no data leaves your machine.

  1. Scan

    Aegis reads your Next.js code and supabase/migrations SQL and finds the application-layer gaps — statically, in CI.

  2. Map

    Each finding is mapped to the SOC 2 / ISO 27001 controls it is evidence for, by OWASP category, and marked covered or a gap.

  3. Export

    Get Markdown for the auditor and the questionnaire, or JSON for your GRC platform. Remediate the gaps, re-run, watch them close.
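The three steps above, and the rls/policy-not-owner-scoped finding shown in the report excerpt, as one toy end-to-end example in Python. This is an added illustration, not Aegis's own code: the statement parser, the owner-column heuristic (a fixed set of column names), the function names and the sample migration are all constructed here; the rule id, the file path and the OWASP-to-SOC 2 table are the ones this page lists. It scans a migration for CREATE POLICY statements, flags a policy on a table that has an ownership column but whose clauses never compare it to auth.uid(), maps the finding to CC6.1 via A01, and renders the control table as Markdown or JSON.

```python
"""Toy RLS owner-scoping check with SOC 2 control mapping. Added illustration,
not Aegis's code: the parser, the owner-column heuristic, the helper names and
the sample migration are constructed; the rule id, file path and the
OWASP-to-SOC 2 table are taken from the page."""
import json
import re

# Constructed sample: a SELECT policy that is not owner-scoped, an UPDATE policy that is.
SAMPLE_MIGRATION = """\
create table notes (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users(id),
  body text
);
alter table notes enable row level security;
-- Gap: any authenticated caller can read every row.
create policy "notes_select" on notes
  for select
  using (auth.role() = 'authenticated');
-- Owner-scoped: a row is readable and writable only by the user who owns it.
create policy "notes_update" on notes
  for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);
"""

OWNER_COLUMNS = {"user_id", "owner_id", "created_by"}  # the toy's notion of an owned row
# OWASP Top 10 (2021) category -> SOC 2 Common Criteria, as listed on the page.
OWASP_TO_SOC2 = {"A01": ["CC6.1"], "A02": ["CC6.7"], "A03": ["CC6.8", "CC7.1"], "A04": ["CC6.6"],
                 "A05": ["CC6.1", "CC6.6"], "A06": ["CC7.1"], "A08": ["CC6.8"], "A10": ["CC6.6"]}
SOC2_CONTROLS = ["CC6.1", "CC6.6", "CC6.7", "CC6.8", "CC7.1"]
TABLE_RE = re.compile(r'create\s+table\s+(?:if\s+not\s+exists\s+)?(?:\w+\.)?"?(\w+)"?\s*\((.*)\)\s*$', re.I | re.S)
POLICY_RE = re.compile(
    r'create\s+policy\s+"?(?P<name>[\w ]+?)"?\s+on\s+(?:\w+\.)?"?(?P<table>\w+)"?'
    r"(?:\s+as\s+(?:permissive|restrictive))?(?:\s+for\s+(?P<cmd>select|insert|update|delete|all))?"
    r"(?:\s+to\s+[\w, ]+?)?(?:\s+using\s*\((?P<using>.*?)\))?(?:\s+with\s+check\s*\((?P<check>.*?)\))?\s*$",
    re.I | re.S)

def statements(sql):
    """Yield (line_number, statement); comments are blanked, not removed, so offsets stay right."""
    blanked = re.sub(r"--[^\n]*", lambda m: " " * len(m.group(0)), sql)
    for m in re.finditer(r"\s*([^;]+?)\s*;", blanked):
        if m.group(1).strip():
            yield sql.count("\n", 0, m.start(1)) + 1, m.group(1)

def ownership_columns(stmts):
    """table -> ownership column, for each CREATE TABLE that declares one."""
    owners = {}
    for m in filter(None, (TABLE_RE.match(s) for _, s in stmts)):
        cols = [line.split()[0].strip('"') for line in m.group(2).splitlines() if line.split()]
        owner = next((c for c in cols if c in OWNER_COLUMNS), None)
        if owner:
            owners[m.group(1).lower()] = owner
    return owners

def owner_scoped(clause, owner_col):
    """True when the clause compares the ownership column to auth.uid()."""
    c = (clause or "").lower()
    return "auth.uid()" in c and owner_col.lower() in c

def check_rls(sql, path="supabase/migrations/0003_notes.sql"):
    """Rule rls/policy-not-owner-scoped over one migration (path reused from the page's excerpt)."""
    stmts = list(statements(sql))
    owners = ownership_columns(stmts)
    findings = []
    for line, stmt in stmts:
        m = POLICY_RE.match(stmt)
        if not m or m["table"].lower() not in owners:
            continue  # not a policy, or the table has no ownership column to scope on
        owner_col, cmd = owners[m["table"].lower()], (m["cmd"] or "all").lower()  # no FOR means ALL
        write = m["using"] if m["check"] is None else m["check"]  # Postgres falls back to USING
        weak = [name for name, applies, clause in (("USING", cmd != "insert", m["using"]),
                                                   ("WITH CHECK", cmd not in ("select", "delete"), write))
                if applies and not owner_scoped(clause, owner_col)]
        if weak:
            findings.append({
                "rule": "rls/policy-not-owner-scoped", "severity": "HIGH", "owasp": "A01",
                "controls": OWASP_TO_SOC2["A01"], "location": f"{path}:{line}",
                "message": f'policy "{m["name"]}" on {m["table"]} ({cmd.upper()}): {" and ".join(weak)} does not '
                           f"scope rows to the caller although the table has an ownership column ({owner_col})",
                "fix": f"USING (auth.uid() = {owner_col})"})
    return findings

def control_report(findings, rules_run=("A01",)):
    """Per-control status: gap, covered (a rule ran and found nothing) or not assessed."""
    assessed = {c for cat in rules_run for c in OWASP_TO_SOC2[cat]}
    gaps = {c for f in findings for c in f["controls"]}
    status = {c: "gap" if c in gaps else "covered" if c in assessed else "not assessed" for c in SOC2_CONTROLS}
    return {"framework": "soc2", "controls": status, "findings": findings}

def render(report, fmt="md"):
    """Markdown for the auditor, JSON for a GRC tool."""
    if fmt == "json":
        return json.dumps(report, indent=2)
    out = ["| Control | Status | Findings |", "| --- | --- | --- |"] + [
        f"| {c} | {s} | {sum(c in f['controls'] for f in report['findings']) or '-'} |"
        for c, s in report["controls"].items()]
    out += [f"- **{f['rule']}** ({f['severity']}) {f['location']}: {f['message']}. Fix: {f['fix']}"
            for f in report["findings"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(control_report(check_rls(SAMPLE_MIGRATION))))
```

Running the file prints the control table and the single gap at line 8 of the sample; replacing the SELECT policy's auth.role() test with auth.uid() = user_id clears it on the next run. The three statuses are deliberately distinct: "covered" only says that a rule which speaks to the control ran and found nothing, and every control no rule speaks to stays "not assessed" rather than being silently counted as passing, which is the distinction an auditor will ask about first.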

Honest scope

What this is — and what it is not

Aegis generates machine-readable evidence for a subset of application-layer technical controls. It does not issue a certification, and a clean report is never proof that a control is effective — only that the common technical gaps are absent.

Policy documents, HR, vendor management, and continuous monitoring are the domain of a GRC platform (Vanta/Drata) and a human auditor. Aegis complements them by making the application-layer evidence trustworthy and one command away.

Have evidence before your next security review

Run it free today, or have me take the whole access-control review — from findings through fix design to audit-ready evidence.

FAQ

  • Does aegis report make my app SOC 2 compliant?

    No. It produces technical evidence for a subset of application-layer controls, mapped to SOC 2 / ISO 27001. Certification is issued by an auditor after a full engagement; this artifact is an input to that, not a substitute for it.

  • How is this different from Vanta or Drata?

    Vanta/Drata manage the whole GRC program — policies, monitoring, vendors, evidence collection. Aegis is the application-layer technical control the platforms can't inspect for you: it reads your RLS and code and proves whether row-level access is actually scoped. Use it alongside them.

  • Which controls does it map to?

    SOC 2 Common Criteria CC6.1, CC6.6, CC6.7, CC6.8 and CC7.1, and ISO 27001:2022 Annex A A.8.3, A.8.6, A.8.8, A.8.9, A.8.23, A.8.24 and A.8.28 — the application-layer subset. Mapping is by OWASP Top 10 (2021) category and is a reference mapping requiring auditor confirmation.

  • Can I answer a customer security questionnaire with this?

    It gives you a concrete, current artifact for the access-control and secure-coding questions — the finding, the control, the source location, the fix. Pair it with your policies and monitoring for the full answer.

  • Does it need database access or send my code anywhere?

    No. aegis report is static: it reads your repository locally and contacts nothing. The free in-browser RLS checker is the same — your SQL never leaves the page.