Sample report

What an inspection report looks like.

Run against a deliberately vulnerable demo app. The credentials are pattern-shaped placeholders that authenticate to nothing real, but they trip every detector exactly the way real leaks do.

F

https://vibecheck-32f.pages.dev/test-fixture/leaky-app.html

Critical 0.1s · 0 JS bundles · 5 findings

Supabase

Keys exposed in client: anon, service_role

service_role key in client code. Bypasses Row-Level Security entirely: anyone who loads the page can read and write every table, no policy applies.

2 tables readable without authentication:

  • VC-001a
    users · 6 columns (id, email, full_name, created_at, last_login, ip_address) · PII: email, full_name, ip_address
  • VC-001b
    posts · 5 columns (id, user_id, title, body, is_public)
Suggested RLS fix · review before applying
-- Auto-generated by vibecheck. Review every policy before applying.
-- Project: https://fixtureproj01.supabase.co
BEGIN;

-- Table: users
-- Inference: table named `users` with id column (profile pattern)
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;

-- NOTE: this grants every signed-in user read access to every row and column
-- of users, including the PII columns flagged above (email, ip_address).
-- Tighten to USING (auth.uid() = id), or expose a view without those columns,
-- unless profiles really are meant to be visible to all users.
CREATE POLICY "users_select_all" ON public.users
  FOR SELECT TO authenticated USING (true);

CREATE POLICY "users_update_self" ON public.users
  FOR UPDATE TO authenticated
  USING (auth.uid() = id) WITH CHECK (auth.uid() = id);

CREATE POLICY "users_insert_self" ON public.users
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = id);

-- Table: posts
-- Inference: owner column `user_id` + visibility column `is_public`
ALTER TABLE public.posts ENABLE ROW LEVEL SECURITY;

CREATE POLICY "posts_select_public" ON public.posts
  FOR SELECT TO anon, authenticated
  USING (is_public = true OR auth.uid() = user_id);

CREATE POLICY "posts_insert_own" ON public.posts
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "posts_update_own" ON public.posts
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id) WITH CHECK (auth.uid() = user_id);

CREATE POLICY "posts_delete_own" ON public.posts
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

COMMIT;

Other secrets in the bundle

  • VC-002
    Critical · stripe_secret_key · sk_liv…AAAA
    Stripe live secret key in client code. Full access to the Stripe API for the account.
  • VC-003
    Critical · openai_key · sk-pro…AAAA
    OpenAI API key in client code. Anyone can run inference billed to your account.
  • VC-004
    Critical · github_token · ghp_AA…AAAA
    GitHub token in client code. Grants whatever repository and organization scopes it was issued with.
  • VC-005
    Critical · slack_bot_token · xoxb-A…AAAA
    Slack bot or app token in client code. Acts as the bot with every scope the app was granted.
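How an inspector arrives at "Keys exposed in client: anon, service_role" and at the redacted matches above, as an added example that is not vibecheck's own code: it runs secret-shaped patterns over client-side source, and for each Supabase key (a JWT) decodes the payload without verifying it and reads the role claim, since the anon key is meant to ship to browsers and the service_role key never is. The regexes are approximations of the published key shapes, not vendor specifications, and the sample source, tokens and redaction width (6 leading, 4 trailing characters) are constructed here to match the report.

```javascript
// Added example, not vibecheck's own code. Patterns are approximations of the
// public key shapes (assumption), and the sample source below is constructed.
const DETECTORS = [
  // Supabase keys are JWTs; run this first so later detectors never fire inside one.
  { id: 'supabase_jwt', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { id: 'stripe_secret_key', re: /\bsk_live_[0-9A-Za-z]{24,}/g },
  { id: 'openai_key', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  { id: 'github_token', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'slack_bot_token', re: /\bxox[bpa]-[0-9A-Za-z-]{10,}/g },
];

// Report-style redaction: keep 6 leading and 4 trailing characters.
function redact(secret) {
  return `${secret.slice(0, 6)}…${secret.slice(-4)}`;
}

// Decode a JWT payload without verifying it. The inspector only needs the
// claims and never holds the signing secret anyway. Returns null if not a JWT.
function jwtClaims(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(payload);
  } catch {
    return null;
  }
}

// Run every detector over `source`; returns one finding per match.
function scan(source) {
  const findings = [];
  let remaining = source;
  for (const { id, re } of DETECTORS) {
    for (const m of remaining.matchAll(re)) {
      const secret = m[0];
      let role;
      let severity = 'critical';
      if (id === 'supabase_jwt') {
        const claims = jwtClaims(secret);
        // Supabase keys carry iss "supabase" and a role claim; skip other JWTs.
        if (!claims || claims.iss !== 'supabase' || !claims.role) continue;
        role = claims.role;
        // The anon key is designed to be public (RLS protects it); service_role bypasses RLS.
        severity = role === 'service_role' ? 'critical' : 'info';
      }
      findings.push({ detector: id, role, severity, redacted: redact(secret) });
    }
    // Blank out what this detector consumed so overlapping patterns cannot double-report.
    remaining = remaining.replace(re, (hit) => ' '.repeat(hit.length));
  }
  return findings;
}

// Distinct Supabase roles seen in the client, as the report header lists them.
function supabaseRoles(findings) {
  return [...new Set(findings.filter((f) => f.role).map((f) => f.role))].sort();
}

// Constructed fixture: real token shapes, placeholder bytes. Nothing here authenticates.
function fakeSupabaseJwt(role) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = b64({ alg: 'HS256', typ: 'JWT' });
  const payload = b64({ iss: 'supabase', ref: 'fixtureproj01', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.${'A'.repeat(43)}`;
}

const SAMPLE_SOURCE = `
const supabase = createClient("https://fixtureproj01.supabase.co", "${fakeSupabaseJwt('anon')}");
const admin = createClient("https://fixtureproj01.supabase.co", "${fakeSupabaseJwt('service_role')}");
const stripe = Stripe("sk_live_${'A'.repeat(24)}");
const openaiHeaders = { Authorization: "Bearer sk-proj-${'A'.repeat(40)}" };
const gh = "ghp_${'A'.repeat(36)}";
const slack = "xoxb-${'A'.repeat(10)}-${'A'.repeat(10)}";
`;

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scan(SAMPLE_SOURCE);
  console.log(`Keys exposed in client: ${supabaseRoles(findings).join(', ')}`);
  for (const f of findings) console.log(f.severity.padEnd(8), f.detector.padEnd(18), f.redacted);
}
```

Run with `node` and the output lists both Supabase roles and the same four redacted strings the report shows. The JWT detector runs first and blanks its matches on purpose: base64url text is long runs of word characters, so a naive scanner that runs every pattern over the raw source can report a fragment of a JWT as some other vendor's key.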

What you do with this

  1. Rotate the service_role key immediately. Supabase Dashboard → Settings → API → "Reset service_role". Every consumer of the old key will fail until updated. That is the point.
  2. Apply the suggested RLS SQL. Review every policy first; the inference is a starting point, not a guarantee. RLS does nothing against the leaked service_role key, which bypasses it by design; it only constrains the anon key and authenticated users, which is why rotation comes first.
  3. Move the service_role key to server-side only: Edge Functions, your API routes, never anywhere a bundler will see it. Environment variables prefixed NEXT_PUBLIC_ or VITE_ are inlined into the client bundle by design, so the key must not live under one of those names.
  4. Rotate the Stripe / OpenAI / GitHub / Slack keys in the same way. The redacted matches above show the first six and last four characters of the exact strings vibecheck found in the client code, enough to identify which key to revoke in each vendor's dashboard.