Skip to main content
VibeAudit Liability Index
criticaldatabase/RLS riskFix order 2

Supabase RLS Roulette

What it is

Supabase or database access is present without enough proof of row-level security, policy tests, or private server mediation.

This usually appears when a generated app connects to a managed database before least-privilege roles, migrations, and policy tests are established.

How to fix it

Add RLS policies, policy tests, migration proof, and server-side access boundaries before launch.

  1. 1Add row-level security policies and keep them in migrations.
  2. 2Write policy tests for allowed and denied tenants or users.
  3. 3Keep service-role access behind server-only mediation.

How VibeAudit checks for this

VibeAudit checks this with BAAS_SUPABASE_LOCAL and SAST_LOCAL_STRUCTURAL evidence for policies, migrations, server-only clients, and database route controls when those files are supplied. The free tier may show the surface name and an upgrade prompt, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan