How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Change Management Audit for Supabase & Firebase Apps

You're probably here because a client, procurement team, insurer, or internal compliance lead has asked for a change management audit, and your first reaction was, “We ship a Supabase or Firebase app, not a bank mainframe.”

That reaction is normal. Modern teams push schema migrations through Git, update RLS or Firestore rules in pull requests, deploy frontend fixes through CI, and patch urgent issues fast. Traditional audit language often sounds like it was written for weekly release trains, change advisory boards, and long paper trails.

The good news is that a solid audit for a modern stack doesn't require theatre. It requires evidence. If you can show who approved a change, what was tested, how it reached production, and whether it worked without harming users, you're already most of the way there. That's the practical centre of a good change management audit for Supabase, Firebase, and CI/CD-driven teams.

Translating Audit Speak for Modern Developers

The email usually sounds heavier than the work is. “Please provide evidence of your change management controls.” Developers read that and hear process overhead, waiting, and screenshots in a spreadsheet. Auditors usually mean something narrower: prove that production changes were controlled, traceable, and reviewed.

For a Supabase app, that includes things like migrations, SQL functions, RLS policy changes, auth configuration, storage rules, and any frontend change that affects how secrets or privileged flows are handled. For Firebase, it includes Firestore rules, Cloud Functions, Remote Config, environment settings, and release workflows. The stack is modern. The control questions are old and still reasonable.

What auditors are actually asking

They're not asking whether your team uses enterprise jargon. They're asking whether your team can answer a few basic questions with evidence:

Who requested it: Was the change intentional, linked to a ticket, issue, or incident?
Who approved it: Did someone other than the implementer review or authorise it where appropriate?
What changed: Can you point to the pull request, migration, rules update, or deployment record?
Was it tested: Did anyone verify the change before or after release?
Who deployed it: Can you trace production execution to approved people or approved automation?
Did it work: Did the change achieve the expected result without degrading service or trust?

That's the audit in plain English.

Practical rule: If a change can reach production but you can't show its approval path, test evidence, and deployment trail, you don't have a tooling problem. You have a control gap.

Why traditional language feels off in agile teams

A lot of audit material still assumes slow releases and manual checkpoints. That's why developers often bounce off it. In reality, agile teams can meet the same control intent with better developer-native artefacts: Git history, pull request approvals, CI logs, migration files, issue trackers, incident tickets, and release records.

The biggest mindset shift is this. A change management audit isn't there to punish speed. It's there to check that speed hasn't removed accountability.

If your team is also aligning this work with broader governance expectations such as ISO 27001, it helps to see how change control fits into a wider management system. This short guide to ISO 27001 and related standards is useful context when audit requests start expanding beyond one control area.

What works and what doesn't

What works in modern stacks is lightweight discipline:

Use pull requests for production-bound changes
Require at least one meaningful review for risky changes
Tie emergency fixes to an incident or ticket
Keep deployment logs and CI output
Record what success looked like before release

What doesn't work is fake ceremony. A CAB document created after the fact won't help much if production logs show an engineer deployed directly with no traceable approval. Auditors can usually tell the difference between a real operating process and a stack of reconstructed paperwork.

Defining Your Audit Scope and Objectives

A weak scope creates chaos fast. Teams start collecting random screenshots, auditors keep asking follow-up questions, and nobody agrees on what was under review. The fastest way through a change management audit is to define the boundary early and write it down in plain language.

A diagram outlining the key components for defining a change management audit scope and objectives.

Draw the line around the real production path

For a Supabase or Firebase application, scope should follow the route by which a change can affect production. That usually means you include:

Database and policy changes: Schema migrations, SQL functions, triggers, RLS policies, Firestore rules, Storage rules.
Application logic changes: Edge Functions, Cloud Functions, backend jobs, RPC updates, auth flows.
Deployment and config changes: CI/CD workflows, environment variables, secrets handling, release configuration.
Sensitive frontend changes: Code that exposes keys, modifies privileged client behaviour, or changes authentication and authorisation flows.

It often makes sense to exclude purely cosmetic frontend updates that can't affect security, data exposure, or regulated service behaviour. The key is to write the exclusion explicitly.

Set objectives that go beyond approval

Many teams frame the audit objective too narrowly. They aim to prove that every change had an approval. That's necessary, but it's not enough.

The stronger objective is effectiveness. The audit framework in the auditing information systems text on post-implementation evaluation is clear that the strongest audit objective is to verify whether the change delivered the intended outcome, using end-user feedback, KPIs, and lessons-learned workshops. It also supports a point that matters in real projects: a technically compliant change can still fail the audit if it degrades service quality or user satisfaction.

That lands hard in product teams because it's true. You can have a perfectly approved migration that slows the app, breaks sign-in for a subset of users, or weakens access control. The paperwork may look clean. The outcome is still poor.

A change isn't successful because the PR was approved. It's successful because production stayed controlled and users didn't pay the price for your release process.

Use a scope template that reflects your stack

A practical scope note should answer five things:

Systems in scope
Name the Supabase project, Firebase project, repositories, CI pipelines, and environments covered.
Change types in scope
List schema changes, policy updates, function deployments, secret or config changes, and emergency fixes.
Teams and roles
Identify who raises changes, who reviews them, who can deploy, and who owns post-release verification.
Time period
Define the review window clearly.
Outcomes to verify
State what “worked” means. This might include successful rollout, no unauthorised production activity, and evidence that the intended service result was achieved.

If your team is still struggling to frame scope by risk, this risk assessment framework is a useful way to decide which change types deserve deeper scrutiny and which can stay lightweight.

Handle fast-moving teams without over-scoping

Agile teams often make the opposite mistake. They put everything in scope because they think that sounds thorough. It usually backfires. You don't need to review every tiny change with the same depth. You need a defensible method for deciding what matters most.

That's where well-defined categories help. Normal changes, standard low-risk changes, and emergency changes can all sit under one audit, but they shouldn't all be tested the same way. Teams experimenting with AI-powered change management often find this helpful because the challenge isn't documenting every action. It's deciding which actions need stronger evidence and which can be controlled through guardrails.

A scoped audit feels smaller, but it's stronger. It tells the auditor you know where risk lives in your stack.

Building Your Evidence Collection Checklist

An audit runs on artefacts you already generate. The trick is collecting them in an order that makes sense. For UK-focused practice, the most useful sequence is the three-layer approach described in this guidance on IT change management audits: first verify formal authorisation and documentation, second sample changes for evidence of testing and rollback planning, third reconcile those samples against production logs to confirm only approved personnel deployed to production.

That sequence works well for Supabase and Firebase because it mirrors how modern teams ship.

Layer one checks authorisation and documentation

Start broad. Build a population of production changes in your audit window, then gather the evidence that proves each change existed in a controlled process.

Good evidence often includes:

Ticket or issue record: The request, incident, bug, or feature reference.
Pull request trail: Reviewer names, comments, approvals, and merge history.
Linked migration or rules file: The actual artefact that changed.
Release note or deployment record: Enough to show the change moved from code to production intentionally.

What you're checking here is completeness. Missing links are often more revealing than failed tests. A merged PR with no ticket may be fine in a small team, but if that PR changes RLS or auth behaviour, an auditor will want a stronger reason for why it bypassed normal traceability.

Layer two tests whether the change was prepared properly

Now take a sample and go deeper. For each sampled change, ask whether the team can show testing, rollback planning, and a post-release review.

For modern apps, useful evidence might be:

Test output: CI checks, unit tests, policy tests, emulator results, staging verification notes.
Rollback plan: Reversible migration, feature flag, restore path, or documented recovery step.
Post-implementation check: Validation that the bug was fixed, the release behaved as expected, and no user-facing regression appeared.

Emergency fixes need a little tolerance and a little discipline. You may not have a neat pre-approval trail for a hotfix. You still need a record of the problem, the production action taken, and the retrospective clean-up afterwards.

Layer three reconciles with production reality

This is the part teams skip, and it's often where the audit gets real. Don't stop at documents. Match your sampled changes against deployment logs, platform activity logs, or CI release records.

You're trying to answer questions like:

Did the deployment happen through the approved pipeline?
Was production access limited to the expected people or service accounts?
Did someone deploy manually outside the path the team described?

If your written process says only CI deploys to production, but a platform log shows direct manual changes, that gap matters more than a missing screenshot.

For RLS-heavy apps, this is also where focused technical review helps. If you need a sharper checklist for policy-related controls, the Supabase RLS audit checklist is a useful reference for what to verify around access rules and change evidence.

Evidence mapping for Supabase and Firebase audit

| Control Area | Evidence Source | Review Procedure | |---|---|---| | Authorisation | Ticket, PR approval, incident record | Confirm the change had a traceable request and reviewer or approver | | Documentation | Migration file, rules file, deployment note | Check that the artefact matches the change description | | Testing | CI logs, staging notes, policy tests | Verify the team tested the change in a way that fits its risk | | Rollback readiness | Revert migration, feature flag, restore note | Confirm there was a practical path to recover if release failed | | Post-implementation review | Validation notes, KPI check, support feedback | Look for evidence the intended outcome was actually achieved | | Production access control | CI deploy logs, platform activity logs | Reconcile deploy events to approved users or approved automation | | Emergency change regularisation | Incident ticket, follow-up review | Verify the hotfix was documented and reviewed after the event |

Audit shortcut: Don't ask, “What document should we create?” Ask, “What digital trail already exists that proves this control operated?”

That question usually cuts the paperwork in half.

Executing the Audit with Manual and Automated Tests

Once the evidence is assembled, you need to test it. At this stage, many teams either overdo it with manual review or underdo it by trusting logs at face value. A practical audit uses both manual and automated tests, but for different purposes.

A hand-drawn illustration comparing manual audit procedures on the left with automated testing processes on the right.

What manual review is still good at

Manual review is best when judgement matters. A human can read a pull request and decide whether the approval was meaningful, whether the rollback note is realistic, or whether an emergency change was handled responsibly.

Use manual review for:

Sampling risky changes: RLS edits, auth logic, production config changes.
Review quality checks: Whether approval was substantive or just a quick click.
Exception handling: Cases where the team departed from the documented process.
Outcome review: Whether the change solved the original issue and didn't create a new one.

Engineering context proves invaluable here. A reviewer can identify a migration that appeared harmless but changed a key index, or a Firebase rules update that subtly widened access.

Where manual review breaks down

Manual review doesn't scale well in high-frequency delivery. If you ship many times a day, an auditor can't read every PR and every deployment. Worse still, humans are poor at catching pattern-level issues across lots of small releases.

That matters most for emergency and CI/CD-driven environments. The practical audit problem in modern pipelines isn't whether control matters. It's how to get evidence at speed. The IIA guidance on IT change management risks and walkthrough questions points directly at this tension. Traditional guidance centres on authorisation and logging, while modern practice is moving toward policy-as-code and automated rollback evidence to demonstrate control effectiveness in rapid deployment pipelines.

A side-by-side approach that works

The strongest audit execution model is split by task:

| Audit task | Better done manually | Better done automatically | |---|---|---| | Review whether a PR approval was meaningful | Yes | No | | Check if every production deployment has a matching CI record | Sometimes | Yes | | Detect leaked secrets in web or mobile bundles | No | Yes | | Test whether access control rules permit unintended reads or writes | Limited | Yes | | Verify emergency changes were regularised after release | Yes | Partly | | Confirm rollback steps exist and were captured | Yes | Partly |

That split keeps the humans focused where reasoning is needed and lets automation handle broad coverage.

What “good enough” evidence looks like in CI/CD

In a modern pipeline, “good enough” often looks different from a legacy environment. You may not have a pre-meeting approval for every standard deployment. You may have branch protection, required reviewers, policy checks, CI status gates, deployment history, and automatic rollback signals.

That's acceptable if the chain is coherent. An auditor should be able to see that your process enforces control through code and automation, not through ritual.

If your team deploys continuously, the audit test should follow the pipeline. It shouldn't force you back into a release model you don't actually use.

For Supabase and Firebase teams, the practical win is to treat the pipeline itself as evidence. Protected branches, deployment bots, environment-scoped permissions, and machine-generated logs often form a stronger control record than hand-filled change forms.

Reporting Findings and Driving Remediation

A weak audit report creates more work than it saves. It says something like “change control weakness identified” and leaves everyone else to decode the impact. A useful report does the opposite. It gives the risk, the evidence, the consequence, and the next action in language both engineers and stakeholders can use.

A hand holding an audit report pointing towards gear mechanisms and a growth chart showing process improvement.

Write findings so engineers can act on them

The most helpful finding format is simple:

What happened
State the control gap plainly.
Evidence observed
Point to the actual artefacts, such as the PR, log, rule, or deployment record.
Why it matters
Explain the operational or security risk.
What to change
Give a specific remediation step.

A vague finding sounds like this: “Emergency change process was not followed.”

A useful finding sounds like this: “A production rules update was deployed outside the standard pipeline during an incident. The incident ticket exists, but there is no post-implementation review and no evidence that production access was later regularised. This weakens traceability and makes it harder to confirm whether the hotfix introduced secondary access issues.”

That second version gives everyone something concrete to fix.

Focus on remediations that fit the team

The wrong remediation is a bureaucratic fantasy. Telling a five-person startup to create a heavy CAB process won't land. Telling them to require a linked incident ticket for hotfixes, restrict direct production changes, and add a retrospective checkpoint probably will.

Use remediation language like this:

For direct deploys: Restrict production deployment to approved CI workflows except for documented emergency access.
For weak approvals: Require review from someone other than the author for changes affecting auth, rules, schema, or secrets.
For missing outcome checks: Add a post-release validation note to the ticket, including service behaviour and user impact.
For rollback gaps: Document a reversible path before merge for any high-risk database or rules change.

Metrics make the report credible

A report becomes much more useful when it shows whether the process is operating, not just whether the policy exists. That's one reason structured change management outperforms ad hoc practice. Prosci reports that 59% of participants using a structured methodology achieved good or excellent results, according to its change management success research. The implication for audits is straightforward: don't stop at control design. Track whether the method is being used.

That means your report should include a small set of operating indicators, such as whether sampled changes had linked approvals, whether emergency changes were regularised, and whether post-release validation was recorded. Keep it tight. The point is to make the report actionable, not decorative.

A good audit report doesn't just say what failed. It makes the next safe behaviour obvious.

Close the loop properly

Remediation ownership matters as much as the finding. Every issue should have:

An owner: Usually the engineering manager, platform lead, or product engineer closest to the workflow
A target fix: A realistic action, not a broad aspiration
A verification step: What evidence will prove the fix is in place
A revisit point: When you'll confirm it stayed fixed

Teams often show maturity without much extra effort. Even if your initial audit uncovers rough edges, a clear remediation process tells clients and auditors that your controls are learnable and improving, not accidental.

From One-Off Audit to Continuous Assurance

The best outcome from your first change management audit isn't a neat folder of evidence. It's a calmer release process the next time someone asks for proof.

That happens when you move the control checks closer to daily engineering work. Approval trails sit in pull requests. Deployment restrictions live in CI. High-risk changes trigger stronger review automatically. Post-release verification becomes part of done, not an afterthought.

Turn audit evidence into pipeline behaviour

The simplest pattern is to convert common findings into enforceable defaults:

Branch protection for risky code paths
Required reviewers for schema, rules, auth, and secrets changes
Automated deployment logs retained as audit evidence
Incident-linked hotfixes with mandatory follow-up review
Release validation notes captured in the same workflow as delivery

That's how the audit stops being a quarterly scramble and becomes a normal by-product of shipping.

Keep human judgement where it matters

Continuous assurance doesn't mean automating everything. It means automating the routine evidence and reserving human attention for exceptions, sensitive changes, and odd production behaviour.

That balance is one reason practical DevOps guidance remains useful. If you want a grounded view of how security controls fit into fast-moving delivery, Wonderment Apps' security blueprint is a solid reference for embedding security into engineering flow instead of bolting it on afterwards.

What mature teams end up with

Mature teams don't necessarily have more paperwork. They have fewer surprises. They can answer basic audit questions quickly because their process leaves a reliable trail. They know which changes need heavyweight review and which can move through standard guardrails. They also treat post-release validation as part of the control, not a nice extra.

That's the practical end state. You still move quickly. You just stop asking auditors to take your word for it.

If you want a faster way to check the kinds of change risks that often surface in Supabase, Firebase, and mobile release audits, AuditYour.App helps you scan for exposed RLS rules, insecure RPCs, leaked secrets, and other misconfigurations before they become audit findings. It's a straightforward way to turn one-off audit prep into evidence you can keep reusing as your app changes.