SOC 2 · ISO 27001 evidence
Turn your Supabase scan into auditor-ready control evidence
A security questionnaire asks how you enforce row-level authorization; a SOC 2 audit asks for evidence. Aegis maps every RLS and application-layer finding to the SOC 2 Trust Services Criteria and ISO 27001 Annex A controls it speaks to — covered, gap, or not assessed — and exports it as Markdown or JSON you can hand to an auditor.
npx @aegiskit/cli report --framework soc2
Runs locally, contacts nothing. Add --format json for GRC ingest.
Honest scope: this is a reference mapping of application-layer technical controls, not a certification and not a substitute for an audit. It complements Vanta/Drata; it does not replace them.
Why this exists
The money question in every security review is authorization
Horizontal controls (headers, rate limiting, CSRF) are easy to evidence. The control that stalls enterprise deals is the one a library can't fix for you: does your row-level access actually scope data to its owner? Aegis gives you machine-checked evidence for exactly that.
Questionnaires ask for proof, not promises
"Describe how you enforce tenant isolation and row-level access control" — you need a concrete, current artifact, not a paragraph.
Auditors want technical evidence mapped to controls
A finding is more useful when it is already labelled CC6.1 or A.8.3 with a source location and a remediation.
AI-built apps reach the trigger fast
The first enterprise deal, procurement due diligence, or SOC 2 kickoff arrives before the security work is done — evidence has to be one command away.
Control mapping
Which SOC 2 / ISO 27001 control is each finding evidence for?
Aegis maps by OWASP Top 10 (2021) category, so the same access-control checks land on the same control. Switch frameworks and expand a control to see what it covers and how Aegis evidences it.
SOC 2 — Common Criteria (2017 TSC) — The security Common Criteria points of focus Aegis's checks touch.
- CC6.1: Logical access controls over protected information assets
  Covers:
  - A01 Broken Access Control
    How Aegis evidences it: RLS owner-scoping, IDOR / broken authorization
  - A05 Security Misconfiguration
    How Aegis evidences it: security headers / CSP, committed secrets, client-exposed env
- CC6.6: Protection against threats from outside the system boundary
  Covers:
  - A04 Insecure Design
    How Aegis evidences it: missing rate limiting on AI / expensive routes
  - A05 Security Misconfiguration
    How Aegis evidences it: security headers / CSP, committed secrets, client-exposed env
  - A10 Server-Side Request Forgery (SSRF)
    How Aegis evidences it: tainted server-side fetch targets
- CC6.7: Secure transmission, movement, and removal of information
  Covers:
  - A02 Cryptographic Failures
    How Aegis evidences it: weak hashing, insecure randomness, non-constant-time compares
- CC6.8: Prevent or detect unauthorized or malicious software
  Covers:
  - A03 Injection
    How Aegis evidences it: SQL injection, XSS, command / code injection
  - A08 Software & Data Integrity Failures
    How Aegis evidences it: unvalidated postMessage origins
- CC7.1: Detect configuration changes and newly introduced vulnerabilities
  Covers:
  - A03 Injection
    How Aegis evidences it: SQL injection, XSS, command / code injection
  - A06 Vulnerable & Outdated Components
    How Aegis evidences it: super-linear (ReDoS) regular expressions
Reference mapping — technical rule to control associations involve interpretation and require your auditor's confirmation. Aegis covers a subset of application-layer controls only.
ISO/IEC 27001:2022 — Annex A — The Annex A controls Aegis's checks touch.
- A.8.3: Information access restriction
  Covers:
  - A01 Broken Access Control
    How Aegis evidences it: RLS owner-scoping, IDOR / broken authorization
- A.8.6: Capacity management
  Covers:
  - A04 Insecure Design
    How Aegis evidences it: missing rate limiting on AI / expensive routes
- A.8.8: Management of technical vulnerabilities
  Covers:
  - A06 Vulnerable & Outdated Components
    How Aegis evidences it: super-linear (ReDoS) regular expressions
- A.8.9: Configuration management
  Covers:
  - A05 Security Misconfiguration
    How Aegis evidences it: security headers / CSP, committed secrets, client-exposed env
- A.8.23: Web filtering
  Covers:
  - A10 Server-Side Request Forgery (SSRF)
    How Aegis evidences it: tainted server-side fetch targets
- A.8.24: Use of cryptography
  Covers:
  - A02 Cryptographic Failures
    How Aegis evidences it: weak hashing, insecure randomness, non-constant-time compares
- A.8.28: Secure coding
  Covers:
  - A03 Injection
    How Aegis evidences it: SQL injection, XSS, command / code injection
  - A08 Software & Data Integrity Failures
    How Aegis evidences it: unvalidated postMessage origins
The deliverable
One command, an auditor-ready report
aegis report runs your scan and emits control-by-control evidence: covered, gap, or not assessed, with the source location and fix for every gap. Markdown to hand over, JSON to ingest into a GRC tool.
# SOC 2 (2017 Trust Services Criteria) — application-layer control evidence
> Technical evidence for a subset of application-layer controls — not a
> certification, an attestation, or a substitute for an audit.
**Scanned files:** 128 · **Rules applied:** 33 · **No gaps detected:** 4 · **Gaps found:** 1
## Control coverage
| Control | Title | Status | Evidence |
| --- | --- | --- | --- |
| CC6.1 | Logical access controls | Gap(s) found | 1 finding |
| CC6.6 | Boundary protection | No gaps detected | — |
| CC6.7 | Secure data transmission | No gaps detected | — |
| CC6.8 | Prevent malicious software | No gaps detected | — |
| CC7.1 | Detect new vulnerabilities | No gaps detected | — |
## Gaps — findings to remediate
### CC6.1 — Logical access controls over protected information assets
- **rls/policy-not-owner-scoped** (HIGH) — supabase/migrations/0003_notes.sql:8
  - Policy on "notes" (SELECT) only checks that the caller is authenticated, but the table has an ownership column — every authenticated user can read every row, not just their own.
  - Fix: scope the policy to the caller, e.g. USING (auth.uid() = user_id).
How it works
From scan to evidence in three steps
No database connection, no signup, no data leaves your machine.
1. Scan
   Aegis reads your Next.js code and supabase/migrations SQL and finds the application-layer gaps — statically, in CI.
2. Map
   Each finding is mapped to the SOC 2 / ISO 27001 controls it is evidence for, by OWASP category, and marked covered or a gap.
3. Export
   Get Markdown for the auditor and the questionnaire, or JSON for your GRC platform. Remediate the gaps, re-run, watch them close.
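The three steps carried end to end over a constructed migration, as an added example written for this page rather than the Aegis CLI's own code: a small static check flags a Supabase policy that gates on authentication alone on a table with an ownership column (the gap shown in the sample report above), maps the finding to SOC 2 and ISO 27001 controls by OWASP category using the associations listed in the control mapping section, and renders the control-coverage rows with the three statuses covered, gap, or not assessed. The rule id, the finding shape, the ownership-column heuristic (a column named user_id, owner_id or created_by), the policy-parsing regular expressions and the file path are assumptions made here.

```javascript
// Added example for this page, not the Aegis CLI's own code.
// Scan -> Map -> Export over a constructed Supabase migration.

// Constructed sample migration (assumed path supabase/migrations/0003_notes.sql).
// The SELECT policy is the gap in the page's sample report: it only checks that
// the caller is authenticated. The UPDATE policy is the owner-scoped form.
const MIGRATION_SQL = `create table notes (
  id uuid primary key,
  user_id uuid not null,
  body text
);
alter table notes enable row level security;

create policy "notes readable when logged in" on notes
  for select using (auth.role() = 'authenticated');

create policy "notes editable by owner" on notes
  for update using (auth.uid() = user_id);
`;

// Assumed heuristic: a table "has an ownership column" if one of these is declared.
const OWNER_COLUMN = /\b(user_id|owner_id|created_by)\b/i;

// Map of table name -> ownership column, read from CREATE TABLE statements.
function ownerColumns(sql) {
  const owned = new Map();
  const re = /create\s+table\s+(?:if\s+not\s+exists\s+)?(?:\w+\.)?(\w+)\s*\(([\s\S]*?)\);/gi;
  for (const m of sql.matchAll(re)) {
    const col = OWNER_COLUMN.exec(m[2]);
    if (col) owned.set(m[1].toLowerCase(), col[1]);
  }
  return owned;
}

// CREATE POLICY statements with their USING expression and 1-based line number.
function policies(sql) {
  const re = /create\s+policy\s+"([^"]+)"\s+on\s+(?:\w+\.)?(\w+)\s+for\s+(\w+)(?:\s+to\s+\w+)?\s+using\s*\(([\s\S]*?)\)\s*;/gi;
  return [...sql.matchAll(re)].map((m) => ({
    name: m[1],
    table: m[2].toLowerCase(),
    command: m[3].toUpperCase(),
    using: m[4].trim(),
    line: sql.slice(0, m.index).split("\n").length,
  }));
}

// Step 1, scan. Rule (assumed id): a policy on a table with an ownership column
// whose USING expression never references auth.uid() lets every authenticated
// user reach every row. The page maps this to OWASP A01 Broken Access Control.
function checkOwnerScoped(sql, file) {
  const owned = ownerColumns(sql);
  return policies(sql)
    .filter((p) => owned.has(p.table) && !/auth\.uid\s*\(\s*\)/i.test(p.using))
    .map((p) => ({
      rule: "rls/policy-not-owner-scoped",
      severity: "HIGH",
      owasp: "A01",
      location: `${file}:${p.line}`,
      message:
        `Policy on "${p.table}" (${p.command}) does not reference auth.uid(), but the table ` +
        `has ownership column "${owned.get(p.table)}". Fix: USING (auth.uid() = ${owned.get(p.table)}).`,
    }));
}

// Control -> OWASP category associations as listed on the page.
const FRAMEWORKS = {
  soc2: { controls: [
    { id: "CC6.1", title: "Logical access controls", owasp: ["A01", "A05"] },
    { id: "CC6.6", title: "Boundary protection", owasp: ["A04", "A05", "A10"] },
    { id: "CC6.7", title: "Secure data transmission", owasp: ["A02"] },
    { id: "CC6.8", title: "Prevent malicious software", owasp: ["A03", "A08"] },
    { id: "CC7.1", title: "Detect new vulnerabilities", owasp: ["A03", "A06"] },
  ] },
  iso27001: { controls: [
    { id: "A.8.3", title: "Information access restriction", owasp: ["A01"] },
    { id: "A.8.6", title: "Capacity management", owasp: ["A04"] },
    { id: "A.8.8", title: "Management of technical vulnerabilities", owasp: ["A06"] },
    { id: "A.8.9", title: "Configuration management", owasp: ["A05"] },
    { id: "A.8.23", title: "Web filtering", owasp: ["A10"] },
    { id: "A.8.24", title: "Use of cryptography", owasp: ["A02"] },
    { id: "A.8.28", title: "Secure coding", owasp: ["A03", "A08"] },
  ] },
};

// Step 2, map. "Gap(s) found" if a finding falls in one of the control's categories;
// "No gaps detected" if an applied rule covers a category and found nothing;
// otherwise "Not assessed" (no applied rule touched the control).
function coverage(framework, findings, assessedCategories) {
  return FRAMEWORKS[framework].controls.map((c) => {
    const hits = findings.filter((f) => c.owasp.includes(f.owasp));
    const assessed = c.owasp.some((cat) => assessedCategories.has(cat));
    const status = hits.length ? "Gap(s) found" : assessed ? "No gaps detected" : "Not assessed";
    return { id: c.id, title: c.title, status, findings: hits };
  });
}

// Step 3, export. Markdown rows in the shape of the page's sample report.
function renderTable(rows) {
  const out = ["| Control | Title | Status | Evidence |", "| --- | --- | --- | --- |"];
  for (const r of rows) {
    const n = r.findings.length;
    out.push(`| ${r.id} | ${r.title} | ${r.status} | ${n ? `${n} finding${n === 1 ? "" : "s"}` : "-"} |`);
  }
  return out.join("\n");
}

function report(framework, sql, file = "supabase/migrations/0003_notes.sql") {
  const rules = [{ owasp: "A01", run: checkOwnerScoped }];    // the applied rule set
  const findings = rules.flatMap((r) => r.run(sql, file));    // scan
  const assessed = new Set(rules.map((r) => r.owasp));
  const rows = coverage(framework, findings, assessed);        // map
  return { findings, rows, markdown: renderTable(rows) };      // export: JSON object + Markdown
}

if (typeof require !== "undefined" && require.main === module) {
  const out = report("soc2", MIGRATION_SQL);
  console.log(out.markdown);
  for (const f of out.findings) console.log(`${f.rule} (${f.severity}) ${f.location}\n  ${f.message}`);
}
```

Run with node: the SELECT policy is reported at line 8 of the constructed file and CC6.1 (SOC 2) or A.8.3 (ISO 27001) becomes "Gap(s) found", while controls whose categories no applied rule touches stay "Not assessed" rather than silently reading as covered. Keeping that third bucket distinct is what stops a report with a single rule from looking like a clean bill of health.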
Honest scope
What this is — and what it is not
Aegis generates machine-readable evidence for a subset of application-layer technical controls. It does not issue a certification, and a clean report is never proof that a control is effective — only that the common technical gaps are absent.
Policy documents, HR, vendor management, and continuous monitoring are the domain of a GRC platform (Vanta/Drata) and a human auditor. Aegis complements them by making the application-layer evidence trustworthy and one command away.
Have evidence before your next security review
Run it free today, or have me take the whole access-control review — from findings through fix design to audit-ready evidence.
npx @aegiskit/cli report --framework soc2
FAQ
Does aegis report make my app SOC 2 compliant?
No. It produces technical evidence for a subset of application-layer controls, mapped to SOC 2 / ISO 27001. Certification is issued by an auditor after a full engagement; this artifact is an input to that, not a substitute for it.
How is this different from Vanta or Drata?
Vanta/Drata manage the whole GRC program — policies, monitoring, vendors, evidence collection. Aegis covers the application-layer technical control those platforms can't inspect for you: it reads your RLS and code and proves whether row-level access is actually scoped. Use it alongside them.
Which controls does it map to?
SOC 2 Common Criteria CC6.1, CC6.6, CC6.7, CC6.8 and CC7.1, and ISO 27001:2022 Annex A A.8.3, A.8.6, A.8.8, A.8.9, A.8.23, A.8.24 and A.8.28 — the application-layer subset. Mapping is by OWASP Top 10 (2021) category and is a reference mapping requiring auditor confirmation.
Can I answer a customer security questionnaire with this?
It gives you a concrete, current artifact for the access-control and secure-coding questions — the finding, the control, the source location, the fix. Pair it with your policies and monitoring for the full answer.
Does it need database access or send my code anywhere?
No. aegis report is static: it reads your repository locally and contacts nothing. The free in-browser RLS checker is the same — your SQL never leaves the page.