Supabase
Security and best-practice rules for Supabase projects.
Enabled Rules
| Rule | Severity | Description |
|---|---|---|
| security/rls-required | warn | Ensures Row Level Security is enabled on all tables |
| security/secret-detection | block | Detects Supabase service role keys in client code |
| security/env-exposure | block | Prevents server-only env variables in client bundles |
| workflow/migration-safety | warn | Flags dangerous SQL patterns (DROP TABLE, TRUNCATE) |
| quality/no-console-log | warn | Catches debug logging left in production code |
Usage
```ts
import { defineConfig } from '@solanticai/vguard';

export default defineConfig({
  presets: ['supabase'],
});
```
What it enforces
- Row Level Security — Every `CREATE TABLE` statement must be followed by RLS policies. Warns when tables are created without `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`.
- No service role key leaks — Blocks `SUPABASE_SERVICE_ROLE_KEY` or `supabase.createClient(url, serviceKey)` patterns in client-accessible code.
- Env safety — Only `NEXT_PUBLIC_SUPABASE_URL` and `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` should appear in client code.
- Migration safety — Warns on destructive SQL operations in migration files. Flags `DROP TABLE`, `TRUNCATE`, `DELETE FROM` without `WHERE`, and `ALTER TABLE DROP COLUMN`.
- No debug logging — Catches `console.log` statements that may leak query results or auth tokens.
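
To make the Row Level Security and migration-safety checks concrete, the sketch below runs both over a constructed migration. It is an added example, not vguard's own implementation; `splitStatements`, `normalizeName`, `auditMigration` and the sample SQL are hypothetical names and data chosen for illustration.

```javascript
// Added illustration; function names are hypothetical, not vguard's API.
// Constructed sample migration: audit_log never gets RLS (the ALTER is commented out).
const SAMPLE_MIGRATION = `
create table public.profiles (id uuid primary key, email text);
alter table public.profiles enable row level security;
create policy "own profile" on public.profiles for select using (auth.uid() = id);
CREATE TABLE IF NOT EXISTS audit_log (id bigint, detail text);
-- alter table audit_log enable row level security;
DELETE FROM public.sessions;
delete from public.sessions where expires_at < now();
ALTER TABLE public.profiles DROP COLUMN email;
`;

// Strip comments, then split on ';'. Naive: assumes no ';' inside string
// literals or dollar-quoted function bodies.
function splitStatements(sql) {
  return sql
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/--[^\n]*/g, ' ')
    .split(';')
    .map((s) => s.trim().replace(/\s+/g, ' '))
    .filter(Boolean);
}

// Treat unqualified names as living in the public schema.
function normalizeName(raw) {
  const name = raw.replace(/"/g, '').toLowerCase();
  return name.includes('.') ? name : `public.${name}`;
}

function auditMigration(sql) {
  const created = new Set();
  const rlsEnabled = new Set();
  const destructive = [];
  for (const stmt of splitStatements(sql)) {
    let m;
    if ((m = stmt.match(/^create\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/i))) {
      created.add(normalizeName(m[1]));
    } else if ((m = stmt.match(/^alter\s+table\s+([\w."]+)\s+enable\s+row\s+level\s+security/i))) {
      rlsEnabled.add(normalizeName(m[1]));
    }
    const unscopedDelete = /^delete\s+from\b/i.test(stmt) && !/\bwhere\b/i.test(stmt);
    if (/^(drop\s+table|truncate)\b/i.test(stmt) || /^alter\s+table\b.*\bdrop\s+column\b/i.test(stmt) || unscopedDelete) {
      destructive.push(stmt);
    }
  }
  return { missingRls: [...created].filter((t) => !rlsEnabled.has(t)), destructive };
}
console.log(JSON.stringify(auditMigration(SAMPLE_MIGRATION), null, 2));
```

Because comments are stripped before matching, a commented-out `ENABLE ROW LEVEL SECURITY` line does not count, which is why `public.audit_log` is reported.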