Efficient Supabase Security Audit
Enterprise-grade command for conducting comprehensive Supabase security audits. Includes structured workflows, validation checks, and reusable patterns for database security.
Conduct comprehensive Supabase security audits covering RLS policies, API key exposure, permission analysis, and vulnerability scanning.
When to Use This Command
Run this command when you need to:
- Audit Row Level Security policies for gaps, over-permissive rules, or missing coverage on tables
- Scan your codebase and configuration for exposed Supabase API keys or service role credentials
- Generate a compliance-ready security report with vulnerability scores and remediation steps
Consider alternatives when:
- You need to optimize query performance (use quick-supabase-performance-optimizer)
- You want to manage backups and disaster recovery (use quick-supabase-backup-manager)
Quick Start
Configuration
name: efficient-supabase-security-audit
type: command
category: database
Example Invocation
claude command:run efficient-supabase-security-audit --scope full --project myapp-prod
Example Output
[Audit] Project: myapp-prod | Started: 2026-03-15 08:00:00 UTC
[RLS Analysis]
Tables with RLS enabled: 38/42
CRITICAL: 4 tables without RLS: audit_logs, temp_imports, analytics_raw, system_config
Policies reviewed: 64 | Issues found: 3
- orders_update: allows cross-user updates (missing auth.uid() check)
- profiles_select: exposes email to all authenticated users
- payments_insert: no rate limiting policy
[API Key Scan]
Service role key exposure: NONE detected in source code
Anon key in client bundle: OK (expected for public client)
[Permission Matrix]
Over-privileged roles: 1 (reporting_role has DELETE on users table)
[Score] Security: 72/100 (3 critical, 2 warnings)
[Report] Full report saved: security-audit-20260315.md
Core Concepts
Security Audit Overview
| Aspect | Details |
|---|---|
| Scope | RLS policies, API keys, role permissions, auth config, CORS, rate limiting |
| Severity Levels | Critical, Warning, Info based on exploitability and impact |
| Compliance | Maps findings to GDPR, SOC2, and OWASP guidelines |
| Output | Terminal summary plus detailed markdown report with remediation steps |
Audit Workflow
[Connect to Supabase Project]
|
[Enumerate Tables + Policies]
|
[RLS Coverage Analysis]
|
[API Key Exposure Scan]
|
[Permission Matrix Review]
|
[Auth + CORS Configuration Check]
|
[Score + Report Generation]
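The RLS coverage and policy review steps above, as an added example that is not the command's own code: it runs the check offline over dict rows shaped like the output of the two pg_tables / pg_policies queries it embeds (the sample rows, the `policy` helper and the `is_owner` function name are constructed for illustration).

```python
import re

# Catalog queries the audit would run against the project database.
TABLES_SQL = "SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'"
POLICIES_SQL = ("SELECT tablename, policyname, cmd, roles, qual, with_check "
                "FROM pg_policies WHERE schemaname = 'public'")
API_ROLES = {"anon", "authenticated", "public"}                  # roles reachable via the REST API
CALLER_SCOPE = re.compile(r"auth\.(uid|jwt)\(\)")                # ties the row to the calling user
OTHER_FUNC = re.compile(r"(?<![\w.])(?!auth\.)[a-z_][\w.]*\(")   # delegated logic to inspect

def audit_rls(tables, policies, excluded=frozenset()):
    """Return (severity, table, message) tuples from pg_tables / pg_policies-shaped rows."""
    findings = []
    for t in tables:
        name = t["tablename"]
        if name not in excluded and not t["rowsecurity"]:
            findings.append(("CRITICAL", name, "RLS disabled: API roles can read and write every row"))
    for p in policies:
        if p["tablename"] in excluded or not (API_ROLES & set(p["roles"])):
            continue  # excluded table, or a policy that only applies to internal roles
        exprs = " ".join(x for x in (p["qual"], p["with_check"]) if x)
        scoped = CALLER_SCOPE.search(exprs) is not None
        label = f"{p['policyname']} ({p['cmd']})"
        if p["cmd"] in ("INSERT", "UPDATE", "DELETE", "ALL") and not scoped:
            findings.append(("CRITICAL", p["tablename"], f"{label}: write not tied to auth.uid()"))
        elif p["cmd"] == "SELECT" and exprs.strip().lower() == "true":
            findings.append(("WARNING", p["tablename"], f"{label}: every row visible to {'/'.join(p['roles'])}"))
        if OTHER_FUNC.search(exprs):
            findings.append(("INFO", p["tablename"], f"{label}: delegates to a function, inspect its body"))
    return findings

def policy(table, name, cmd, qual=None, check=None, roles=("authenticated",)):
    """Build a pg_policies-shaped row (constructed sample data, not from a real project)."""
    return {"tablename": table, "policyname": name, "cmd": cmd,
            "roles": list(roles), "qual": qual, "with_check": check}

# Constructed catalog rows mirroring the kinds of findings in the example output.
SAMPLE_TABLES = [{"tablename": n, "rowsecurity": rls} for n, rls in
                 [("orders", True), ("profiles", True), ("audit_logs", False), ("_realtime", False)]]
SAMPLE_POLICIES = [
    policy("orders", "orders_select", "SELECT", qual="(user_id = auth.uid())"),
    policy("orders", "orders_update", "UPDATE", qual="true", check="true"),
    policy("profiles", "profiles_select", "SELECT", qual="true"),
    policy("profiles", "profiles_update", "UPDATE", qual="is_owner(id)", check="is_owner(id)"),
]

if __name__ == "__main__":
    for finding in audit_rls(SAMPLE_TABLES, SAMPLE_POLICIES, excluded={"_realtime"}):
        print(*finding, sep=" | ")
```

The INFO finding is the case the Common Issues section calls out: a policy that delegates to a function cannot be judged from the policy text alone.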
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| scope | string | full | Audit scope: full, rls-only, keys-only, permissions, or auth |
| project | string | auto | Supabase project reference or connection string |
| severity | string | warning | Minimum severity to report: critical, warning, or info |
| fix | boolean | false | Auto-generate fix SQL for identified RLS issues |
| output | string | both | Report output: terminal, markdown, json, or both |
Best Practices
- Run Before Every Production Release - Schedule a full security audit as part of your release checklist. New tables added during development often lack RLS policies until someone remembers to add them.
- Fix Critical Issues Immediately - Tables without RLS and over-permissive policies are direct data exposure risks. Address critical findings before the next deployment, not in the next sprint.
- Audit After Schema Changes - Every migration that adds tables, columns, or functions can introduce new security gaps. Run a targeted `--scope rls-only` audit after each schema change.
- Review Auto-Generated Fixes - When using `--fix`, review every generated SQL statement before applying. Automated RLS fixes may be too restrictive and break legitimate application queries.
- Track Security Score Over Time - Record the audit score from each run. A declining score indicates security debt accumulating faster than it is being addressed.
Common Issues
- False Positive on Internal Tables - System tables like `_realtime` or `storage.objects` may trigger warnings. Add them to an exclusion list if they are managed by Supabase infrastructure.
- RLS Audit Misses Function-Based Policies - Policies that delegate logic to database functions require the function body to be analyzed. Ensure `--scope full` is used to inspect function definitions.
- Key Scan Misses Environment Files - The codebase scan checks source files but may not detect keys in `.env.production` or CI/CD secrets. Verify key management across all deployment environments manually.
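A codebase key scan of the kind the API Key Scan step and the last issue above describe, as an added example that is not the command's own code. It classifies any JWT whose payload carries `iss: supabase` by its `role` claim and deliberately walks dotfiles such as `.env.production`; the helper names and the `fake_supabase_jwt` token (junk signature) are constructed for the demonstration.

```python
import base64, json, os, re

JWT_RE = re.compile(r"eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}")   # base64url header.payload.signature
SCAN_EXT = {".js", ".ts", ".tsx", ".json", ".yml", ".yaml", ".toml"}

def _claims(token):
    """Decode the JWT payload without verifying the signature (we only classify, never trust)."""
    try:
        seg = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None

def classify(token):
    """Return 'service_role', 'anon' or None for a Supabase-issued JWT."""
    c = _claims(token)
    if not isinstance(c, dict) or c.get("iss") != "supabase":
        return None
    return c.get("role")

def scan_text(text, path):
    """Return (severity, path, line_no, role) for every Supabase key found in text."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in JWT_RE.finditer(line):
            role = classify(m.group())
            if role == "service_role":
                out.append(("CRITICAL", path, no, role))   # bypasses RLS: must never ship
            elif role == "anon":
                out.append(("INFO", path, no, role))       # expected in a public client
    return out

def scan_tree(root):
    """Walk a checkout, including dotfiles like .env.production that many scanners skip."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in ("node_modules", ".git")]
        for fn in files:
            if fn.startswith(".env") or os.path.splitext(fn)[1] in SCAN_EXT:
                p = os.path.join(dirpath, fn)
                with open(p, errors="ignore") as fh:
                    found.extend(scan_text(fh.read(), p))
    return found

def fake_supabase_jwt(role):
    """Constructed token for demonstration only: real claim layout, junk signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": "supabase", "ref": "exampleref", "role": role, "iat": 0, "exp": 0}),
                     "x" * 43])
```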