How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

A Complete Guide to CI CD Security in Modern Development

At its heart, CI/CD security is about weaving protective measures directly into your software delivery process, from the first line of code to the final deployment. It’s a shift from bolting security on at the end to making it an integral part of the automated system that builds, tests, and ships your applications. The goal is simple: stop attackers from hijacking this high-speed pipeline to inject malicious code or make off with your secrets.

Why Your CI/CD Pipeline Is a Prime Target

A CI/CD pipeline with Commit, Test, Deploy boxes, security locks, and a key, set against a cloud background.

Think of your CI/CD pipeline as the digital factory floor for your software. It’s an incredibly efficient, automated assembly line that turns raw code into a finished product. That speed and automation are what drive business forward, allowing for rapid feature releases and quick fixes. But for an attacker, this system represents a golden opportunity.

A compromised pipeline doesn’t just put one application at risk—it can poison every single piece of software that moves through it. It’s the ultimate supply chain attack. Instead of a counterfeit part in a physical product, an attacker injects a few lines of malicious code, steals credentials, or silently alters the final build artefacts.

The Problem with Automation

The very thing that makes CI/CD so effective—its automated, trusted nature—is also its biggest weakness. Attackers know that pipelines often hold privileged access to a company’s most critical resources. A single breach can be all it takes to get the "keys to the kingdom".

This opens the door to several classic attacks:

Pipeline Poisoning: An attacker finds a way to inject malicious code into a build. Because the pipeline is trusted, that code is automatically tested, packaged, and deployed straight into production.
Secret Sprawling: API keys, database credentials, and other sensitive secrets are often carelessly stored in pipeline configurations or logs, making them low-hanging fruit for theft.
Dependency Hijacking: The pipeline is tricked into fetching a malicious version of an open-source library. Suddenly, an attacker's code is embedded deep inside your application, all without a single line of your team’s code changing.

This isn’t just theoretical. With modern cloud platforms like Supabase or Firebase, a misconfigured deployment script could easily neuter vital Row-Level Security (RLS) policies or bundle backend secrets directly into the user-facing app.

A Challenge Facing Most UK Businesses

The reality is that many organisations are playing catch-up. Recent cybersecurity research paints a sobering picture, with one report finding that only 9% of UK organisations have what could be considered a 'Mature' security posture.

Even with increased security spending, simple misconfigurations remain a top concern for 56% of businesses, a problem that only gets worse as cloud adoption expands the potential attack surface. As highlighted in the 2025 Cisco Cybersecurity Readiness Index, this gap makes a strong case for robust CI/CD security. Automated, continuous scanning is no longer just a nice-to-have; it’s an essential line of defence.

Leaving your pipeline unsecured is like leaving your factory doors wide open overnight. You might be churning out products at an incredible rate, but you have no idea who’s tampering with them on the way out. Securing the pipeline is fundamental to shipping software you can actually trust.

Understanding the Core CI CD Security Threats

Before you can properly secure your CI/CD pipeline, you have to learn to think like an attacker. Your delivery pipeline isn't just one thing; it's a whole system of interconnected tools and processes. A single weak link anywhere along that chain can put your entire application, and your business, at risk.

The best way to grasp this is to picture your pipeline as a high-tech factory. It pulls in raw materials (your source code), runs them through an automated assembly line (the build server), incorporates parts from external suppliers (dependencies), and ships a finished product (your application). An attacker’s job is to find the one unguarded entry point into that factory.

Poisoned Source Code Repositories

The most direct route for an attack is to tamper with the source code itself. Your Git repository holds the blueprints for your application. If an attacker can get in and change those blueprints, your pipeline will faithfully build and deploy whatever malicious code they’ve added.

This isn’t always about a hacker breaking in from the outside. The threats are often much closer to home:

Hardcoded Secrets: A developer, often in a hurry, commits an API key or database password straight into the codebase. That secret is now permanently etched into the Git history, just waiting to be found. It's a huge problem, especially when you consider it can take an average of 292 days to spot and contain a breach from stolen credentials.
Unauthorised Commits: A developer’s account gets compromised, or a repository has lax permissions. Suddenly, an attacker can push malicious code directly to a critical branch, completely sidestepping all your code review and safety checks.
Insider Threats: You can't ignore the human element. A disgruntled employee or contractor might deliberately plant a backdoor. It sounds like something out of a film, but internal data shows that malicious insiders are behind a surprising number of breaches—around 20% of businesses have pointed to them as a cause.

A poisoned source code repository is like an architect secretly adding a hidden, unlocked door to a building's blueprints. The construction crew will build it exactly as specified, creating a security flaw that's invisible until it's exploited.

Compromised Build Environments

The build server is the engine room of your entire CI/CD operation. This is where your code gets compiled, your tests are run, and your application is packaged up. Because it sits at the centre of everything, it naturally holds highly privileged access to secrets, code, and even production environments. It’s a goldmine.

If an attacker gets a foothold on the build agent, it’s effectively game over. They can steal credentials, inject malware directly into the final application build, or use the server’s trusted position to pivot and attack other parts of your network. This is precisely why hardening your build environment is non-negotiable for real CI/CD security.

Supply Chain and Dependency Attacks

Hardly anyone builds software from scratch these days. We assemble applications using dozens, sometimes hundreds, of open-source libraries and third-party packages. While this is great for productivity, it introduces a massive risk: you're placing your trust in the security of every single dependency you pull in.

This is the breeding ground for software supply chain attacks.

Dependency Confusion: An attacker publishes a malicious package to a public registry like npm or PyPI with the exact same name as one of your internal, private packages. If your build system is misconfigured, it might accidentally fetch the public, malicious version instead of your own.
Typosquatting: This one preys on simple human error. Attackers create packages with names that are common misspellings of popular ones (think reqeusts instead of requests), hoping a developer types it wrong and installs their malware.
Hijacked Dependencies: A legitimate open-source project, maybe maintained by a single person, gets compromised. The attacker takes over and pushes a new version containing malicious code. Your pipeline, seeing a simple "update," pulls it in automatically, and just like that, you've been breached.

These attacks are so effective because they turn the very process of modern development against you. Your team didn't do anything wrong, but by trusting a compromised dependency, you’ve essentially rolled out the red carpet for an attacker. It’s like your factory unknowingly accepting counterfeit parts from a trusted supplier and building them into every single product that leaves the assembly line.

How to Design a Secure CI/CD Pipeline

Thinking you can secure a CI/CD pipeline by just bolting on a security tool at the end is a common mistake. A truly secure pipeline isn't an afterthought; it's architected with security woven into its very DNA from day one. It’s the difference between building a fortress with multiple defensive walls and simply adding a padlock to an existing shed.

This approach means treating every single stage—from a developer committing code to the final deployment—as a security checkpoint. The goal is to catch vulnerabilities early, when they’re far cheaper and easier to fix. It’s about building a resilient process from the ground up, not just running a final inspection.

Diagram illustrating the CI/CD threat process flow, highlighting potential risks at each stage.

As you can see, threats aren't just one-dimensional. They can target your source code, the build agents that compile it, or even the third-party dependencies you pull in. A single weak link can poison the entire delivery chain, which is why a layered defence is absolutely critical.

Adopting a Layered Defence Model

So, what does a layered defence actually look like in a pipeline? It means implementing specific security controls at each distinct stage. Think of it as a series of security gates; each gate is designed to check for different types of threats before allowing the code to move forward.

This multi-layered approach is fundamental. If one layer fails or a vulnerability slips through, another layer is there to catch it. This moves security from being one team's problem to a shared responsibility baked into the entire development workflow.

The Four Pillars of Secure Pipeline Design

When you break it down, a well-defended pipeline stands on four key pillars, each corresponding to a stage in the development lifecycle.

The Secure Commit Phase: Security really does start the moment a developer writes code. Pre-commit hooks are your first line of defence here. These are simple scripts that run on a developer's local machine before code is ever committed. They can automatically scan for and block things like accidentally committed API keys or passwords—a surprisingly common and dangerous oversight.
The Secure Build Phase: The build environment is a prime target for attackers, so you have to treat it like a production system. The best practice here is to use isolated, ephemeral build agents. This means each build runs in a fresh, clean environment that is spun up on demand and completely destroyed afterwards. This prevents any potential compromise from lingering and poisoning future builds.
The Secure Test Phase: This is where you unleash your automated security scanners. By integrating multiple tools, you create what we call "security gates." These are automated checkpoints that will literally stop a build if a critical vulnerability is found. This is where you’ll run SAST scans on your source code and SCA scans to check for known vulnerabilities in your dependencies.
The Secure Deploy Phase: When it's time to deploy, one principle must rule them all: the principle of least privilege. The pipeline should have the absolute minimum permissions needed to deploy the application and nothing more. Using short-lived, role-specific credentials ensures that even if a pipeline is compromised, the attacker's access is severely limited and temporary.

This table clearly maps out which security actions to take at each pipeline stage and the specific threats they help neutralise.

CI/CD Pipeline Stage vs Security Action

Following this framework provides a clear and actionable path to embedding robust security throughout your development lifecycle.

The Importance of a "Secure by Default" Mindset

Designing a secure pipeline is as much about culture as it is about tools. A "secure-by-default" approach assumes threats are always present and builds defences in from the start. Crucially, it makes the secure path the easiest path for developers.

A secure-by-default pipeline doesn't just add security checks; it makes secure practices the standard, default way of working.

This isn't just theory. Recent findings from the Bank of England's 2025 CBEST thematic reviews of UK financial firms showed attackers repeatedly exploiting inconsistently configured systems and unpatched software—exactly the kind of risks that a poorly managed CI/CD pipeline creates.

This is especially true for teams using platforms like Supabase or Firebase, where simple misconfigurations can lead to major data exposure. While tools like AuditYour.App are built to find these flaws, getting your pipeline architecture right is your first and best line of defence. For a deeper look at how security fits into modern automation, check out our thoughts on the intersection of Security and DevOps. And as you plan your pipeline, getting the configuration files right is essential; guides like A Developer's Guide to GitLab CI YML can be an invaluable resource.

Automating Security Scanning in Your Pipeline

In a world of agile development, manual security reviews are a non-starter. They just can't keep up. When your code is meant to go from a developer’s laptop to a live environment in minutes, security automation isn't a nice-to-have; it's the only way to build securely at speed. By plugging automated security tools directly into your pipeline, you can turn security from a roadblock into a constant, helpful feedback loop.

Think of it like adding automated quality control stations along a factory assembly line. Instead of waiting until the car is fully built to check for faults, you're inspecting each part at every stage. This "shift left" approach means you spot vulnerabilities much earlier in the process, making them dramatically cheaper and easier to fix.

Integrating Key Scanning Tools

To build a really solid automated defence, you need to layer different kinds of security scanning. No single tool can do it all. Each is specialised to find specific types of vulnerabilities, and when used together, they provide a much stronger safety net.

There are three core types of scanning you'll want to integrate:

Static Application Security Testing (SAST): These tools analyse your source code before it's even compiled. Think of them as incredibly powerful spell-checkers for security flaws, finding everything from SQL injection risks and poor cryptography use to hardcoded secrets.
Software Composition Analysis (SCA): Let's be honest, modern apps are mostly built from open-source dependencies. SCA tools are designed to scan all those third-party libraries for known vulnerabilities, so you don't unknowingly inherit security problems from someone else.
Infrastructure as Code (IaC) Scanning: If you define your cloud infrastructure in files (using tools like Terraform or CloudFormation), IaC scanners check these configurations for security blunders before they go live. This is your best defence against deploying an insecure server setting or a publicly exposed database.

The demand for these capabilities is surging. The UK's 2026 Cyber Security Sectoral Analysis points to huge industry growth, noting that of the 2,165 active firms, 80% now offer Information Risk Assessment and 44% provide Threat Intelligence. This isn't just a trend; it's a direct response to the urgent need for automated security in modern software delivery. For a deeper look, you can check out the full findings from the UK government's analysis.

A Practical Example with GitHub Actions

Let's make this real. Say your team is building a mobile app with a Supabase backend. A huge concern is an accidental leak of API keys or exposing sensitive data because someone misconfigured a Row Level Security (RLS) policy.

You can set up an automated check for this right inside your GitHub Actions workflow. This makes sure every single piece of code a developer pushes gets a security audit before it can go any further.

Here’s a simple breakdown of how it works:

Trigger on Push: You configure the workflow to run automatically every time code is pushed to the main branch or when a new pull request is opened.
Build the App: The first job step is to build your application, creating the final mobile APK file.
Run the Security Scan: Next, you add a step that calls a specialised scanner. This tool is pointed at both the new APK and your Supabase project.
Check for Vulnerabilities: The scanner gets to work, inspecting the APK for hardcoded API keys and auditing your Supabase instance for common but critical errors, like disabled RLS or public database functions that shouldn't be.
Fail the Build: This is the most important part. You configure the step to fail the entire build if any high-severity issues are found. This acts as an automated security gate, preventing the vulnerable code from being merged or deployed.

By integrating scanning directly into the CI process, you make security a tangible and non-negotiable part of development. A build with a critical vulnerability is treated the same as a build with a failing unit test—it simply doesn't proceed.

This setup gives immediate feedback right where developers are working, letting them fix the problem on the spot. It makes security a shared responsibility, not a task for some other team down the hall. If you want more detailed instructions, our automated security scanning guide provides step-by-step examples for different platforms.

By embedding these checks, you'll be building a pipeline that doesn't just ship code faster—it ships it more securely.

Securing Your Secrets and Software Supply Chain

Two of the quickest ways to see a CI/CD pipeline compromised are through exposed secrets and dodgy dependencies. A single leaked API key or a malicious open-source package can completely undermine your security. Getting these two areas right is non-negotiable for any team serious about CI/CD security.

Think of your secrets—API keys, database passwords, private certificates—as the actual keys to your company's front door. You’d never leave them taped to the outside for anyone to grab. Yet, that's exactly what hardcoding them into source code or config files amounts to. It leaves a permanent record in your Git history and exposes them in plain text in pipeline logs.

A security diagram illustrating the flow of secrets, dependencies, and private registries with secure components and SBOM.

The goal is simple: make sure credentials are never stored in plain sight and are only ever accessed by the right service, at the right moment.

Modern Secrets Management

This is where a dedicated secrets management tool becomes essential. These platforms act as a digital fortress for your sensitive credentials, allowing your pipeline to fetch them securely only when a job is running.

There are some great options out there, and the right choice often depends on your existing tech stack:

Cloud-Native Solutions: If you're already deep in a specific cloud ecosystem, services like AWS Secrets Manager or Google Secret Manager are fantastic. They integrate beautifully with other services in their environment.
Third-Party Vaults: For a more platform-agnostic approach, something like HashiCorp Vault is the gold standard. It gives you a powerful, centralised vault that can serve secrets to any application, anywhere.

With these tools in place, your pipeline jobs authenticate with the vault using short-lived, temporary tokens. They retrieve the credentials they need directly into memory, use them, and then the credentials vanish once the job is done. Nothing is ever written to disk or exposed in logs. For an extra layer of internal security, learning how to generate self-signed certificates for secure communication is a key skill for locking down traffic between your own microservices.

Defending Your Software Supply Chain

These days, modern applications are assembled more than they are written from scratch. We all stand on the shoulders of giants, pulling in countless open-source packages to speed up development. This is brilliant for productivity, but it also means we inherit the security flaws of every single dependency we use. Securing the software supply chain is all about getting ahead of that risk.

A compromised dependency is like a trusted supplier secretly slipping a faulty part onto your factory's assembly line. The final product might look and work fine, but it has a ticking time bomb built right into its core.

The very first step is getting a clear view of what you're using. You can't protect what you can't see. This is exactly what a Software Bill of Materials (SBOM) is for. An SBOM is a detailed, machine-readable inventory of every single component, library, and module that goes into your software. Generating one with every build gives you a complete manifest to work from.

Once you have that visibility, you can start enforcing some crucial controls:

Pin Your Dependencies: Lock your project to specific, audited versions of each package. This is critical. It stops your build from automatically fetching a newer, potentially malicious version of a library without a proper review.
Use a Private Registry: If you create your own internal libraries, host them in a private artifact registry. This defends against "dependency confusion" attacks, where a threat actor uploads a public package with the same name as your internal one to trick your pipeline into downloading it.
Automate Dependency Scanning: Integrate Software Composition Analysis (SCA) tools directly into your pipeline. These tools continuously scan your SBOM against massive databases of known vulnerabilities, alerting you to any risks.

By combining disciplined secrets management with a fortified software supply chain, you shut down two of the most common attack vectors targeting CI/CD pipelines. For a deeper dive, you can learn more about strengthening your software supply chain security in our dedicated guide.

Alright, let's turn all that theory into action. Knowing the risks is one thing, but actively defending against them is what really counts.

This checklist is designed to be your practical guide. It’s a series of straightforward checks you can run through to see where your pipeline is strong and, more importantly, where it needs a bit of work. We’ve organised it to help you get quick wins and prioritise the most critical fixes.

Source Code and Commits

Everything starts with your code. If the source repository isn't secure, nothing downstream can be trusted. This is your first and most fundamental line of defence.

Enforce Branch Protection: Make code reviews mandatory for your critical branches, like main or develop. It's a simple rule that stops unvetted or malicious code from ever getting into your core product.
Scan for Secrets Before Commits: Set up pre-commit hooks to automatically block any developer from accidentally pushing secrets like API keys or database passwords. This catches mistakes before they even become a problem.
Sign Your Commits: Get your team to use GPG or SSH keys to sign their commits. This proves who wrote the code and protects you from anyone trying to sneak in changes under a fake identity.

Build and Test Automation

The build server is where all your ingredients come together—code, libraries, and tools. Attackers know this, making it a prime target for sabotage.

Think of the build stage as your software factory floor. These checks are your quality and safety inspectors, ensuring no one's tampering with the assembly line or slipping faulty parts into the final product.

Isolate Build Environments: Never reuse build agents. Each job should run in a clean, temporary environment that gets torn down immediately after. This completely prevents a security breach in one build from spilling over into the next.
Pin All Dependencies: Don't just specify a version number for your third-party libraries; lock them to a specific version hash. This is your single best defence against an attacker hijacking a dependency you rely on.
Automate Security Gates: Your CI pipeline needs to be your security watchdog. Integrate SAST, SCA, and IaC scanning and configure them to fail the build if high-risk vulnerabilities pop up. Don't just warn; block the build.

Artefacts and Deployment

The job isn't done until your software is securely built and running in production. The final steps of storing and deploying your finished application are just as critical.

Generate an SBOM on Every Build: Make creating a Software Bill of Materials (SBOM) a standard part of every single release. It’s an exact manifest of every component in your software, which is invaluable for tracking vulnerabilities.
Scan Every Mobile Build: Before any mobile app build gets near an app store, automatically scan the APK or IPA. You're looking for hardcoded secrets, insecure settings, and other common mistakes that are easy to miss.
Use a Private Artefact Registry: Your container images, libraries, and packages should live in a secure, private registry. Lock down access so only authorised services and people can pull from it.
Deploy with Least-Privilege Credentials: Deployment jobs should use temporary, single-purpose credentials that have the absolute minimum permissions needed to do the job—and nothing more.

Frequently Asked Questions About CI/CD Security

Diving into CI/CD security often brings up some very practical questions. Let's tackle a few of the most common queries we hear from developers, team leads, and founders who are working to lock down their pipelines.

What's the Single Most Important First Step I Can Take?

Without a doubt, the first thing you need to do is hunt down and get rid of any hardcoded secrets in your source code and CI environment variables. Things like API keys, tokens, and database passwords left exposed are a massive, neon-lit target for attackers and one of the most damaging (and common) issues we see.

Get started by bringing a proper secrets management tool into your workflow. Services like AWS Secrets Manager, Google Secret Manager, or HashiCorp Vault can integrate directly with your pipeline. They work by securely injecting credentials only when they're needed at runtime. Once that's in place, run a full scan across your codebase to catch any secrets you've already committed. Taking this one step will massively shrink your attack surface.

How Can a Small Team Afford to Implement Proper CI/CD Security?

You don't need a huge budget to make a real difference. In fact, some of the most powerful CI/CD security practices are completely free to implement and give you a huge amount of protection, no matter your team's size.

A great starting point is to enable branch protection rules in your Git provider (like GitHub or GitLab). This simple action enforces code reviews and stops people from pushing unauthorised changes directly to your main branches. From there, you can explore the wealth of open-source SAST and dependency scanners available in marketplaces like GitHub Actions.

For modern backends like Supabase or Firebase, specialised tools can offer incredibly affordable one-off scans that deliver a full, detailed audit. The price of a small, automated scan is nothing compared to the potential cost of a breach, making it one of the highest-return investments any team can make.

Does Using a PaaS like Supabase or Firebase Mean Security Is Handled for Me?

No, it absolutely does not. While platforms like Supabase and Firebase do a fantastic job of securing the underlying infrastructure, they all operate on a shared responsibility model. This is a crucial concept to understand: they secure the platform, but you are still 100% responsible for securing your own application code and configuration.

This responsibility falls squarely on your shoulders and includes:

Writing correct and robust Row Level Security (RLS) policies to protect your data.
Securing your database functions (RPCs) from unauthorised access.
Managing your API keys and ensuring they aren't leaked in client-side code.
Making sure your frontend application doesn't accidentally expose sensitive information.

Misconfigurations are one of the main ways attackers get a foothold on these platforms. This is exactly why automated tools designed to check your specific setup for these kinds of flaws are an essential part of any modern security strategy.

Ready to stop guessing about your security? AuditYour.App acts like an automated red team for your Supabase, Firebase, or mobile app project. Get a one-off scan or continuous monitoring to find and fix critical misconfigurations, exposed secrets, and RLS flaws before attackers do. Run your first free scan now at https://audityour.app.