How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

A Developer's Guide to Mastering the Open Source Audit

An open source audit is simply a deep dive into all the third-party code your project relies on. The goal? To hunt down security vulnerabilities, check for licence conflicts, and spot any exposed secrets. It's a fundamental part of securing your software supply chain against the kind of hidden risks that lead to data breaches or nasty legal surprises.

Why Open Source Audits Are a Developer's Best Defence

A silhouette holds a shield with a checkmark, protecting a large stack of boxes from falling.

Here’s a scene that plays out all the time: a developer is ready to push a new feature just before a big release. The code is clean, all the tests are green, and everything seems perfect. But buried deep inside a transitive dependency—a library pulled in by another library—is a critical vulnerability. This is exactly the kind of scenario that keeps engineering leads awake at night.

Modern applications aren't built from scratch; they're assembled from countless open source components. In fact, most reports show that open source software makes up between 70% and 90% of any given application. While this is great for development speed, it creates a massive, often invisible, attack surface. An open source audit is your first and most important line of defence against these inherited risks.

More Than Just a Quick Code Scan

A proper audit goes way beyond just scanning your direct dependencies. It’s a full-spectrum analysis of your application's DNA, designed to answer tough questions and protect your business, your users, and your reputation.

At its core, an audit is about:

Finding Vulnerabilities: Uncovering known security flaws (CVEs) in any component, whether it’s a direct dependency or one that’s nested several layers deep.
Ensuring Licence Compliance: Making sure the licences of all your open source packages play nicely with your project's goals. This helps you avoid legal traps, like being forced to open-source your own code because of a restrictive licence like the GPL.
Detecting Secret Leaks: Hunting down any hardcoded API keys, tokens, or credentials that someone might have accidentally committed to the codebase.

An open source audit isn't about pointing fingers. It's about building a culture of proactive security. When you systematically review your dependencies, you turn an unknown risk into a manageable task. You empower your team to build tougher, more resilient software.

The Real-World Cost of Ignoring Audits

Failing to run regular audits can have serious consequences. A single vulnerable package can become a backdoor for attackers. A non-compliant licence could put your intellectual property at risk. It’s no surprise, then, that proactive open source auditing has become a non-negotiable part of modern software development.

Tools like AuditYour.App are built to automate this otherwise complex and time-consuming job, making it a seamless part of your workflow. By catching these issues early and often, you stop them from ever becoming a real problem. If you’re looking to get a broader perspective on security, our guide on the fundamentals of a website security audit is a great place to start. In an ecosystem built on shared code, this kind of systematic approach is the only way to ship with confidence.

Get a Map of Your Software Supply Chain

Diagram illustrating a central project connected to various dependencies, component inspection, and an SBOM document.

Before you can secure anything, you first need a clear map of what you're protecting. In software, this means getting a handle on your entire supply chain. It’s not just about the libraries you directly pull into your project; it’s about the massive, tangled web of dependencies they bring along with them.

This is where the real risk often hides, buried deep in packages you didn’t even know you were using.

An effective audit always starts with a complete inventory of every single component. Think of it as a stocktake for your code. You need to identify not only your direct dependencies but also the transitive ones—the packages that your dependencies depend on. This hidden network can easily be ten times larger than your direct package list.

Your First Step: Building an Initial Component Inventory

The good news is that you can get a quick, raw list using your package manager's built-in tools. These commands give you a foundational overview of your application's components.

For instance, you can run commands like:

npm ls for Node.js projects to see the full dependency tree.
pip freeze for Python to get a flat list of every installed package.
mvn dependency:tree for Maven-based Java projects.

These are a great starting point, but they only give you a basic snapshot. What you're missing is the crucial metadata—like licence information or known vulnerabilities—that you need for a proper security and compliance review.

The Power of a Software Bill of Materials (SBOM)

This is exactly where a Software Bill of Materials (SBOM) comes in. An SBOM is a formal, machine-readable inventory of all your software components and their supply chain relationships. It’s the definitive ingredients list for your application.

To get a clear picture of what an effective audit entails, here’s a breakdown of the key components.

Key Components of a Modern Open Source Audit

An SBOM provides the transparency and single source of truth needed for a thorough audit, making it a cornerstone of modern software supply chain security.

Automating Discovery to Stay Ahead

Let's be honest: manually creating and updating an SBOM is a massive headache, especially for larger projects. This is where automated tools really shine. Modern platforms can connect directly to your code repository and map your entire dependency graph instantly, saving you countless hours and preventing human error.

You can't patch what you don't know you have. Automating dependency discovery ensures your inventory is always current, so you can react fast when a new vulnerability is disclosed—even if it's in a deeply nested dependency.

This automated approach is central to what we do at AuditYour.App. By analysing your project, we instantly build a live inventory that serves as the foundation for all our vulnerability and licence scans.

The need for this visibility has never been more urgent. Open source contributions to the UK economy have hit an astonishing £105 billion in value. But this growth comes with risk. The latest OSSRA report reveals that 87% of audited codebases contain at least one open source vulnerability, with an average of 581 per codebase. You can dig into the findings in the latest Black Duck open source trends report.

These numbers show why a complete and accurate component map isn't just a "nice-to-have"—it's your most critical security asset.

Scanning for Vulnerabilities and Licence Risks

Okay, you’ve mapped out all your software components. That’s a massive first step, but an inventory is just a list. Now it's time to find out what's actually lurking inside that list.

This is where automated scanning becomes indispensable. We’re going to use specialised tools to cross-reference every dependency against huge, constantly updated databases. The goal is simple: turn your inventory into a clear, actionable list of risks.

We're hunting for three specific kinds of trouble: known security vulnerabilities, tricky software licences, and hardcoded secrets. Each one poses a unique threat to your project's security, legal standing, and overall integrity.

Uncovering Known Security Vulnerabilities

The most obvious and immediate danger in open source code is a known security vulnerability. These are documented weaknesses—often logged as Common Vulnerabilities and Exposures (CVEs)—that malicious actors are actively looking to exploit. If you’re not familiar with them, the types of threats catalogued in the OWASP Top 10 are a great place to start.

So, how does scanning help? Your scanner takes the dependency list (or SBOM) and checks the version of each component against databases like the National Vulnerability Database (NVD) and the GitHub Advisory Database.

When it finds a match, it flags it, almost always with a severity score (Critical, High, Medium, etc.) to help you prioritise. This is a continuous battle; a library that was perfectly safe yesterday could have a critical vulnerability discovered today.

A good scan doesn't just throw an error at you. It provides crucial context, explaining the potential impact and, most importantly, pointing you to the version of the package that contains the fix. This turns a vague alert into a concrete task for your development team.

Navigating the Maze of Licence Compliance

Licence compliance can feel less urgent than a security flaw, but getting it wrong can have catastrophic consequences for a business. Every single open source component you use is governed by a licence that dictates how it can be used, modified, and shared.

You'll mostly run into two main categories:

Permissive Licences: Think MIT or Apache 2.0. These give you a lot of freedom and are generally safe to use in commercial, proprietary projects without forcing you to share your own code.
Copyleft Licences: These are far more restrictive. The most famous is the GNU General Public Licence (GPL). If you use a GPL-licensed component, you could be legally obligated to release your entire application's source code under the same terms.

Imagine a startup builds an incredible new product. Deep inside, they've unknowingly used a tiny library with a GPL licence. Post-launch, they could face a legal demand to either open-source their entire proprietary codebase or re-engineer the product from the ground up.

This isn’t just a theoretical scare story; it happens. This is precisely why automated licence scanning is non-negotiable. A scanner will identify every licence in your project and flag any that clash with your company's policies, saving you from a potentially ruinous mistake.

Hunting for Hardcoded Secrets

Finally, we need to talk about secrets. Under pressure, it’s all too easy for a developer to accidentally commit sensitive information directly into the codebase. We’re talking about API keys, database passwords, private certificates—the keys to the kingdom.

The moment a secret is committed to a repository, even a private one, you have to assume it's compromised.

Automated tools are brilliant at this. They scan your code for patterns that look like secrets, searching for high-entropy strings and specific formats associated with:

API keys for AWS, Stripe, Google Cloud, and more.
Database connection strings.
Private keys and security tokens.

Catching these before they're exposed is a huge security win. At AuditYour.App, our platform is built to handle all three of these critical scans automatically. We provide a detailed vulnerability scanning service and also check for licence risks and hardcoded secrets within your frontend bundles. This gives you a complete, 360-degree view of your project's security posture, turning that dependency map into a clear, prioritised action plan.

Turning Scan Results into Actionable Fixes

That first scan report can be a real gut-punch. One minute you’re celebrating the fact you’ve finally got visibility into your project’s risks; the next, you’re staring down a huge list of vulnerabilities, licence headaches, and maybe even a few leaked secrets.

It’s easy to get overwhelmed and fall into ‘analysis paralysis’. But the goal isn’t to boil the ocean and fix everything overnight. The real skill is turning that raw data into a manageable, prioritised backlog that actually strengthens your security without bringing development to a standstill.

Triage Vulnerabilities with CVSS

First things first, you need to sort the signal from the noise. Not all vulnerabilities are created equal, and the Common Vulnerability Scoring System (CVSS) is the industry standard for doing just that. It assigns each vulnerability a score from 0.0 to 10.0 and a severity level: Low, Medium, High, or Critical.

But here’s a pro tip: never stop at the score. You have to dig into the CVSS metrics to understand the actual risk to your application. I always ask these questions:

Attack Vector (AV): Can this be exploited over the network from anywhere, or does the attacker need to be on the local machine? A remote vector is obviously far more worrying.
Attack Complexity (AC): Is the exploit trivial to pull off, or does it require perfect timing and special conditions? A low-complexity attack is a ticking time bomb.
User Interaction (UI): Does the attack rely on someone clicking a dodgy link? If it requires no user interaction, the risk is significantly higher.

Thinking through these factors helps you separate the theoretical problems from the clear and present dangers. For instance, a ‘High’ CVSS vulnerability might drop way down your priority list if its attack vector requires physical access to a server that’s locked down and firewalled from the internet.

A long list of vulnerabilities is just noise until you add context. Prioritisation is about focusing your team's limited time and energy on the fixes that will have the biggest impact on your project's actual security.

This context-driven approach lets you focus on what truly matters. That critical remote code execution flaw in your public-facing API? That’s an all-hands-on-deck situation. The low-level denial-of-service bug in a dev-only tool can probably wait.

Create a Remediation Decision Framework

With a prioritised list in hand, you need a consistent way to decide what to do about each issue. For any given problem, you’ve really only got a few moves.

Patch or Update: This is your go-to, nearly every time. If a patched version of the library exists, update it. This is the cleanest, simplest fix.
Replace the Library: Sometimes a patch isn't coming, maybe because the project is abandoned. Your next best bet is to find a well-maintained, secure alternative that does the same job.
Mitigate the Risk: If you can't update or replace right away, look for a workaround. Can you disable the specific function with the flaw? Or maybe block the exploit path with a web application firewall (WAF) rule?
Accept the Risk: This should be your absolute last resort, and it needs to be documented properly. If a vulnerability is genuinely low-risk and the cost of the fix is astronomical, you might formally decide to accept it, but make sure that decision gets reviewed periodically.

Having a clear framework like this helps build a reliable security workflow. It’s exactly this kind of process that tools like AuditYour.App are built to support, moving beyond just finding issues to providing clear, actionable advice that helps you fix them faster.

Resolving Licence Compliance Issues

Licence conflicts are a different beast altogether. The risk isn’t technical—it’s legal and commercial. You need a methodical approach here to avoid accidentally putting your company’s intellectual property on the line.

This simple decision tree is a great way to think about the licence risks you uncover.

Flowchart showing a license risk assessment process, starting with 'Is it permissive?' leading to 'OK' or 'Check Usage'.

As the chart shows, the logic is pretty straightforward. Permissive licences are usually fine, but non-permissive ones demand a much closer look at how you're using that component.

If a licence gets flagged as non-compliant—for example, using a library with a strong copyleft licence like the GPL in your proprietary commercial product—the safest path is almost always the same: replace it. Find an alternative with a permissive licence like MIT or Apache 2.0 and you eliminate the legal grey area entirely.

The pressure to get this right is only growing. In the UK, threats targeting open source are on the rise, and the government is taking notice. A recent report notes that online services could face fines of up to £18 million or 10% of revenue for non-compliance starting in March 2025, which has huge implications for developers. You can explore the official DSIT performance report to see the details. This regulatory shift makes one thing crystal clear: a systematic approach to fixing what you find in an open source audit is no longer just a good idea—it’s essential.

Automating Audits in Your CI/CD Pipeline

Software development pipeline with an automated scanner, showing high-severity issues detected post-deployment.

Manual audits have their place, but let's be realistic—they can't keep up with the pace of modern software development. A one-off check is just a snapshot in time, and your codebase is constantly evolving with every single commit. To build genuinely secure software, you have to shift from periodic checks to continuous, automated security.

This is where integrating your open source audit directly into your Continuous Integration/Continuous Deployment (CI/CD) pipeline is a complete game-changer. The whole idea is to 'shift left', which really just means finding and fixing security problems as early as possible. It's about catching issues during development, not after they've been deployed to production.

By embedding security scans into your automated workflows, you turn your pipeline from a simple build-and-deploy tool into a tireless security guard, watching your back 24/7.

Making Security a Part of Every Pull Request

The single most effective place to introduce an automated audit is at the pull request (PR) stage. Think about it: before any new code even has a chance to be merged into your main branch, you can automatically scan it for new vulnerabilities, licence conflicts, or accidental secrets.

This approach gives developers immediate feedback right where they work. Instead of getting a surprise security report weeks down the line, they see potential issues flagged directly in their PR. It puts the problem and the context right in front of them, making security a shared responsibility, not just another department's problem.

Imagine a developer unknowingly adds a library with a critical vulnerability. An automated CI/CD check can immediately kick in:

Scan the Code: The pipeline automatically runs a security scanner against the new changes.
Spot the Risk: It instantly flags the newly introduced high-severity vulnerability.
Fail the Build: The check fails, physically preventing the PR from being merged.
Notify the Team: The developer gets an alert right in GitHub or GitLab, explaining exactly what's wrong.

This creates a powerful security gate. You are actively blocking new risks from ever reaching production, turning a potential major incident into a minor fix that takes minutes.

Implementing Your Automated Security Gate

Setting this up is probably more straightforward than you think, especially with modern platforms like GitHub Actions or GitLab CI. At its core, you're just adding a new step or job to your existing pipeline configuration file.

For instance, a basic step in a GitHub Actions workflow might look something like this:

name: Run Open Source Audit run: |
Command to run your security scanner

Example: npx your-scanner-tool --fail-on-severity high

This simple bit of code tells the pipeline to execute your chosen scanning tool. The --fail-on-severity high flag is the crucial part—it instructs the pipeline to fail the entire check if any high-severity issues are found. That's your automated gatekeeper right there.

You can, of course, customise this logic to match your team’s risk appetite. Maybe you only want to fail builds for ‘Critical’ vulnerabilities, or perhaps you want to block any packages with non-compliant licences. The control is completely in your hands. To get this right and truly streamline your development practices, expert DevOps consulting can be invaluable.

Beyond Just Blocking New Threats

Your CI/CD pipeline isn't just for stopping new problems from getting in; it's also your best defence for monitoring the code you already have. A vulnerability might be discovered tomorrow in a library you've been using safely for years. How would you even know?

An automated audit pipeline does more than just check incoming code. It continuously monitors your entire application, acting as a persistent early warning system for newly disclosed vulnerabilities in your existing dependencies.

You can set up scheduled pipeline runs—a nightly scan of your main branch, for example. If a new vulnerability is reported for a component already in your project, this scan will catch it. You can even configure it to automatically create a security ticket in Jira or fire off an alert to your team's Slack channel.

This proactive monitoring closes a huge security gap. It means that even when your code isn't changing, your security posture is constantly being checked against the latest threat intelligence. With a platform like AuditYour.App, this continuous protection is built-in, offering automated scans and alerts that make your CI/CD pipeline an incredibly powerful and intelligent defence mechanism.

Answering Your Top Open Source Audit Questions

Getting started with a proper open source audit can feel like wading into a sea of technical jargon. It’s completely normal to have questions. Let's tackle some of the most common ones we hear from development teams to clear things up and help you move forward with confidence.

How Often Should We Be Running an Audit?

The short answer? All the time.

While scheduling an audit once a quarter or even once a year is better than nothing, it’s a purely reactive approach. Modern development moves far too quickly for that. A critical vulnerability can be introduced, merged, and deployed to production in the handful of hours between manual checks.

The only effective way to stay ahead is to build automated auditing right into your CI/CD pipeline. This means every pull request gets a security scan before it ever hits the main branch, and your live codebase is continuously monitored. It’s about shifting security left, making it a constant, proactive part of how you build software, not just an infrequent event.

What's the Real Difference Between a Vulnerability and an Exploit?

This is a really important distinction, and getting it right is key to prioritising your work.

Think of it this way:

A vulnerability is a weakness in the code. It’s a flaw that could be exploited. It’s like discovering you have a poorly designed lock on your front door.
An exploit is the specific tool or technique used to take advantage of that weakness. It’s the actual skeleton key that has been crafted to open your specific, faulty lock.

Not every vulnerability has a known public exploit. When you're looking at a list of alerts, any issue that has a known, easy-to-use exploit needs to jump to the very top of your list. The risk is no longer theoretical; it’s immediate.

Can't We Just Use Our Package Manager's Built-in Audit Command?

Tools like npm audit and yarn audit are brilliant first-line-of-defence tools. You absolutely should be using them. They give you a quick check for known vulnerabilities and are infinitely better than flying blind.

But they do have their limits. These commands typically only check against one or two public databases and lack deeper context. They won't flag a problematic software licence or spot an API key that's been accidentally committed to your repository. They're a great starting point, but they don't see the whole picture.

A dedicated open source audit platform provides much deeper insight. It aggregates data from multiple threat intelligence sources, analyses complex licence risks, scans your codebase for secrets, and gives you a far more complete view of your project's overall health.

Is It Okay to Use a Package with a High-Severity Flaw if We Don't Touch the Vulnerable Function?

This is a common question, but it's based on a very risky assumption. You might be confident that your code never directly calls the vulnerable part of a library, but can you be 100% sure?

What if a transitive dependency—a dependency of your dependency—calls it under certain edge cases? Or what if a developer six months from now makes a change that inadvertently starts using that flawed function?

This kind of 'unreachable code' analysis is incredibly difficult and prone to error. Unless you can prove with absolute certainty that the vulnerable code path is impossible to reach, the safest and recommended course of action is to update the package. Deciding to accept that risk should be a conscious, documented choice, not a casual assumption.

Answering these questions really gets to the why behind a thorough platform like AuditYour.App. We automate these deep, comprehensive checks for you. Our platform goes far beyond basic package manager commands to give you continuous insight into vulnerabilities, licence compliance, and exposed secrets, turning a complex headache into a simple, actionable workflow. Get your free scan today and see the full picture of your project's health.