DiscussionHealthy802 introduced an open-source tool called 'ship-safe' that scans Supabase projects for security issues like hardcoded service role keys, missing RLS policies, and insecure headers. The tool provides a security score and a prioritized list of fixes. LevelSoft1165 suggested reaching out to the Supabase team for potential integration into their CLI tool.
DiscussionHealthy802 introduced an update to their open-source tool, Ship Safe, which now includes auto-remediation for security issues like leaked Supabase keys. The tool can automatically move hardcoded secrets to a `.env` file and improve team synchronization by generating `.env.example` files. It also includes deeper checks for Supabase-specific security concerns.
Thank you! Let me know if you have any feedback
Yes, every finding includes the exact file path, line number, and matched snippet. Also, the `--json` output has a strict schema, and the new `--compare` flag in v4.2 does exactly that: it shows a per-category delta table between runs so you can track improvements. There is no dedicated RLS agent yet, but that's a great idea. Thanks for the suggestion.
That's actually intentional and I mentioned it in the README. The whole point is that the `.env` files are gitignored because they contain secrets. And it scans the files locally and reports findings to your terminal. The keys won't be sent anywhere.
I love the no-backend approach, but since AI can be notoriously bad at writing secure Postgres functions and RLS policies, I actually built [an open-source CLI](https://github.com/asamassekou10/ship-safe) called ship-safe to automatically scan my Supabase logic before deploying
Using Edge Functions as a serverless AI proxy is a super clean architecture for mobile apps, and if you used AI to help write any of that backend code, you might want to run it through this [open-source scanner ship-safe](https://github.com/asamassekou10/ship-safe) just to ensure no vulnerabilities were left behind
Tell her to make sure Row Level Security is turned on for every table and that the Service Role Key is strictly hidden from the client side. If she uses AI to help code, she needs to be extra careful because AI is notorious for messing up Supabase security. I built a free open-source scanner called [ship-safe](https://github.com/asamassekou10/ship-safe) specifically for this exact problem. Just ask her to run `npx ship-safe agent` before launch to automatically find any vulnerabilities the AI might have left behind.
You’re right. Setting that up globally creates a really strong baseline
Yeah I agree, .cursorrules definitely helps but I treat [ship-safe](https://github.com/asamassekou10/ship-safe) as an extra automated layer. It catches the edge cases when the AI inevitably gets lazy and ignores the prompt instructions
Zero trust is exactly the right mindset. I actually built ship-safe because doing that level of manual review on every single AI database call was slowing me down
Thanks! Let me know if you have any feedback
You could definitely build a Claude skill or MCP server to do something similar. The main advantage here is having a dedicated, lightweight CLI that runs locally in your terminal or CI/CD without needing to prompt an LLM every time