Database Door Left Open
What it is
Database clients or schema files are present without enough visible proof of least-privilege access or migration discipline.
This usually appears when a generated app connects to a managed database before least-privilege roles, migrations, and policy tests are established.
How to fix it
Add migrations, least-privilege roles, server-only clients, and database access tests.
- 1Move schema changes into migrations.
- 2Use least-privilege roles and server-only database clients.
- 3Add database access tests for allowed and denied operations.
How VibeAudit checks for this
VibeAudit checks this with BAAS_SUPABASE_LOCAL and SAST_LOCAL_STRUCTURAL evidence for policies, migrations, server-only clients, and database route controls when those files are supplied. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan