Security report for rillcod/rillcodwebsite
Scanned by Merge Risk — the free A–F security grade for AI-built apps.
Private key block committed in a public repo. Right now anyone reading this can too. Rotate it before you finish this sentence — the roast is free, the breach isn't.
A Private key block appears in `.env.example`. Anyone with the repo can read it — rotate it now and move it to an untracked env var.
A policy in `scripts/create-prospective-students.mjs` uses `(true)` as its condition, so Row Level Security is enabled but grants access to every row for everyone. Scope the policy to the current user (e.g. `user_id = auth.uid()`).
A policy in `scripts/migrate.mjs` uses `(true)` as its condition, so Row Level Security is enabled but grants access to every row for everyone. Scope the policy to the current user (e.g. `user_id = auth.uid()`).
Is your repo leaking too?
Free, unlimited, every finding. No signup, no card, and we never store your code.
Scan my repo free