database-security

Database security auditor specialized in Row Level Security (RLS) enforcement, Zero-Trust database architecture, and forensic audit trails. Covers Supabase RLS policies, Postgres security, Convex auth guards, PGAudit configuration, JIT access controls, and database-specific compliance validation. Use when auditing database access policies, implementing RLS in Supabase or Postgres, configuring Convex auth guards, setting up audit logging, reviewing database security, or validating database-level compliance requirements.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "database-security" with this command: npx skills add oakoss/agent-skills/oakoss-agent-skills-database-security

Security Audit

Database security auditor specialized in Row Level Security (RLS) enforcement, Zero-Trust database architecture, and forensic audit trails. Focuses on Supabase, Postgres, and Convex data layer security. For general application security (OWASP Top 10, auth patterns, security headers, input validation), use the security skill instead.

Quick Reference

NeedApproach
RLS enforcementEnable on every public table; separate policies per operation
RLS performanceIndex RLS columns; wrap auth.uid() in (select ...) subselect
Zero-Trust DBMicro-segmentation, identity propagation, TLS enforcement
Supabase auth in RLSUse (select auth.uid()) and auth.jwt(); never auth.role()
Convex auth guardsCall ctx.auth.getUserIdentity() in every public function
JIT accessTime-bound grants that expire automatically
Audit trailsDatabase triggers with immutable audit_log table
PGAuditExtension for statement-level and object-level SQL auditing
Service role safetyNever use service_role key in client-side code
Views and RLSUse security_invoker = true (Postgres 15+) to enforce RLS
Schema segmentationSeparate public, private, and audit schemas
Database complianceRLS + audit logging + encryption satisfies multiple frameworks

Audit Protocol

Follow this sequence when performing a database security audit:

  1. Attack Surface Mapping: Identify all entry points to the data layer (public APIs, internal dashboards, AI agents, cron jobs)
  2. RLS Coverage Check: Query pg_tables to verify every public schema table has RLS enabled and appropriate policies
  3. Policy Review: Check for logical bypasses, missing WITH CHECK clauses, overly permissive FOR ALL policies
  4. Service Role Audit: Search client code for service_role key exposure; verify it only appears in server-side code
  5. Function Audit: Check for security definer functions in exposed schemas and Convex functions missing auth guards
  6. Access Simulation: Execute queries as anon and authenticated roles to verify enforcement
  7. View Audit: Verify views use security_invoker = true or are not in exposed schemas
  8. Audit Trail Verification: Confirm triggers or PGAudit capture all security-relevant operations
  9. Compliance Validation: Map database controls against applicable regulatory frameworks

Security Principles

PrincipleDatabase Application
Defense in DepthRLS + application checks + schema segmentation
Least PrivilegeMinimal GRANT per role; anon gets near-zero access
Zero TrustVerify identity at DB level even for internal requests
Secure by DefaultRLS enabled on creation; default-deny when no policy
Fail SecurelyPostgres default-deny on RLS; generic error responses
Assume BreachDesign assuming attacker has a valid JWT

Anti-Patterns

Anti-PatternRisk
Security by obscurity (UUIDs only)Attackers enumerate IDs via IDOR
Anon role with SELECT on sensitive tablesPublic data exposure via Supabase API
RLS columns without indexesProduction performance degradation (100x+)
Frontend-only permission checksAttackers bypass via direct API calls
Standing admin privilegesExcessive blast radius if compromised
service_role key in client-side codeBypasses all RLS policies completely
FOR ALL policies instead of per-operationUnintended write access through broad rule
Security definer functions in public schemaFunctions callable from API, bypass RLS
Views without security_invokerViews bypass RLS silently

Common Mistakes

MistakeCorrect Pattern
Using auth.uid() = user_id without wrapping in (select ...)Use (select auth.uid()) = user_id so Postgres caches the result via initPlan
Using FOR ALL instead of separate per-operation policiesCreate separate SELECT, INSERT, UPDATE, DELETE policies for clarity and safety
Leaving anon role with SELECT on sensitive tablesRestrict anon access; require authenticated role for sensitive data
Relying on UUIDs as the only access controlEnforce RLS policies and explicit auth checks alongside unique identifiers
No index on columns used in RLS USING clausesAdd B-tree indexes on all columns referenced in RLS policy expressions
Convex function missing ctx.auth.getUserIdentity() callEvery public query and mutation must validate identity before accessing data
Using service_role key in client-side codeUse anon key client-side; service_role only in server-side functions
Views bypassing RLS without security_invokerSet security_invoker = true on views in Postgres 15+
Security definer functions in exposed schemasPlace security definer functions in non-exposed schemas with search_path = ''
No audit logging for security-relevant database eventsUse triggers and PGAudit to capture all data access and modifications

Relationship to Security Skill

The application-security skill covers general application security: OWASP Top 10, authentication patterns, input validation, security headers, and compliance overviews. This database-security skill complements it by focusing on database-layer concerns: RLS policy design and performance, Supabase/Postgres-specific patterns, Convex auth guards, PGAudit configuration, and database-specific compliance implementations (SQL functions for GDPR erasure, HIPAA PHI audit triggers, etc.).

Delegation

  • Verify RLS enforcement with access simulations: Use Task agent to run anonymous and authenticated queries against every public table
  • Audit Convex functions for missing auth guards: Use Explore agent to scan all query and mutation handlers for getUserIdentity calls
  • Design zero-trust database architecture: Use Plan agent to map schemas, access policies, JIT grants, and audit log design
  • Generate database compliance evidence: Use Task agent to run audit queries and produce compliance reports

References

  • rls-performance.md -- RLS policy performance, initPlan caching, stable functions, separate policies, EXPLAIN benchmarking
  • zero-trust-database.md -- Micro-segmentation, identity propagation, connection security, JIT access controls
  • audit-logging.md -- Trigger-based auditing, PGAudit extension and log classes, log integrity, tamper-proof storage
  • convex-security.md -- Identity validation, manual RLS in functions, granular functions, role-based access via JWT claims
  • threat-modeling.md -- STRIDE applied to database access, RLS bypass vectors, data layer trust boundaries
  • application-security.md -- Service role management, schema exposure, security definer functions, views and RLS
  • compliance-frameworks.md -- Database-specific GDPR, HIPAA, SOC2, PCI-DSS requirements and SQL implementations

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

application-security

No summary provided by upstream source.

Repository SourceNeeds Review
-36
oakoss
Security

quality-auditor

No summary provided by upstream source.

Repository SourceNeeds Review
-23
oakoss
Automation

playwright

No summary provided by upstream source.

Repository SourceNeeds Review
-99
oakoss
database-security | V50.AI