Skip to main content

What You'll Build

A security audit workflow that uses Continue CLI with Supabase MCP to identify RLS vulnerabilities, generate secure policies, fix permission issues, and ensure your database follows security best practices.

What You’ll Learn

This cookbook teaches you to:
  • Use Supabase MCP to audit database security
  • Identify tables without Row Level Security (RLS) enabled
  • Find and fix overly permissive or missing RLS policies
  • Generate secure RLS migrations following best practices
  • Automate security audits with GitHub Actions

Prerequisites

Before starting, ensure you have:
  • Supabase account with an active project
  • Node.js 18+ installed locally
  • Continue CLI with active credits (required for API usage)
  • Basic understanding of SQL and database concepts
1

Install Continue CLI

npm i -g @continuedev/cli
2

Set up Continue CLI Account & API Key

  1. Visit Continue Organizations
  2. Sign up or log in to your Continue account
  3. Navigate to your organization settings
  4. Click “API Keys” and then ”+ New API Key”
  5. Copy the API key immediately (you won’t see it again!)
  6. Login to the CLI: cn login
Continue CLI can analyze your database schema and generate complex SQL queries - you just need to describe what you want in plain language!

Step 1: Set Up Your Credentials

First, you’ll need to set up access to your Supabase project.
  • Configure Supabase MCP
  • Supabase Project Setup
Security First: Follow Supabase’s security best practices when using MCP:
  • Never connect to production databases directly
  • Use development or staging environments
  • Enable read-only mode when possible
  • Scope MCP access to specific projects
The Supabase MCP supports OAuth authentication for secure access:OAuth Configuration (Recommended)The Supabase MCP will prompt for OAuth authentication when first used. Simply follow the authorization flow.Remote MCP URL
https://mcp.supabase.com/mcp
The MCP server can be scoped to a specific project for better security. Configure this during setup.

Supabase Database Workflow Options

Fastest Path to Success

Skip the manual setup and use our pre-built Supabase Continuous AI agent that includes optimized prompts, rules, and the Supabase MCP for intelligent database management.
How Supabase MCP Works:
  • Connects to your Supabase project via OAuth
  • Provides tools for database queries, schema inspection, and migrations
  • Supports read-only mode for safer operations
  • Can be scoped to specific projects for security
To use the pre-built agent, you need either:
  • Continue CLI Pro Plan with the models add-on, OR
  • Your own API keys added to Continue Hub secrets
The agent will automatically detect and use your configuration. For Supabase MCP:
  • Supabase account with at least one project
  • OAuth authentication (handled automatically)
  • Development or staging environment (not production)
Security Best Practices:
  • Never use MCP with production databases - Always use development or staging environments
  • Enable read-only mode when analyzing data to prevent accidental modifications
  • Scope to specific projects to limit access
  • Use branch databases for testing schema changes

Step 2: Analyze Your Database with AI

Use Continue CLI to perform intelligent database analysis. Enter these prompts in the Continue CLI TUI:
  • Schema Analysis
  • RLS Security Audit
  • Fix RLS Policies
Prompt:
Analyze my Supabase database schema and provide:
- Complete table structure with data types
- Relationships between tables
- Missing indexes that could improve performance
- Unused or redundant columns
- Suggestions for normalization improvements
Available Supabase MCP Capabilities:
  • Database Queries: Execute SQL queries and analyze results
  • Schema Inspection: View table structures, relationships, and constraints
  • Performance Analysis: Identify slow queries and optimization opportunities
  • Security Review: Check RLS policies and access controls
  • Migration Generation: Create SQL migrations for schema changes

Step 3: Generate Database Migrations

Create and apply database migrations based on AI recommendations. Enter this prompt in the Continue CLI TUI: Example: Complete RLS Security Fix 
I need to secure my Supabase database. Please:

1. First, audit all tables for RLS security issues
2. Generate a complete migration to fix all issues found
3. Create a security report I can share with my team

Here's what I need fixed:
- Enable RLS on all tables
- Create policies so users can only access their own data
- Ensure admins (role = 'admin') have full access
- Add policies for service accounts (role = 'service')
- Include audit logging for sensitive operations

For the users table specifically:
- Users can read their own profile
- Users can update their own profile (except role field)
- Only admins can view all users
- Only admins can delete users
- New users can insert their own record during signup

Generate the complete migration with:
- All SQL statements
- Clear policy names and comments
- Rollback statements
- A summary of what each policy does
Expected Output: The AI will generate a complete SQL migration file that:
  • Enables RLS on all tables
  • Creates secure, well-documented policies
  • Follows Supabase security best practices
  • Includes rollback capabilities
  • Provides a security summary for your team
Best Practice: Always review AI-generated migrations before applying them. Test in a development branch first using Supabase’s branching feature.

Step 4: Set Up Automated Database Monitoring

Automate database health checks with Continue CLI and GitHub Actions: 
name: Database Health Monitor

on:
  schedule:
    # Run daily at 2 AM UTC
    - cron: "0 2 * * *"
  workflow_dispatch: # Allow manual triggers

jobs:
  monitor-database:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"

      - name: Install Continue CLI
        run: |
          npm install -g @continuedev/cli
          echo "✅ Continue CLI installed"

      - name: Analyze Database Security
        env:
          CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
        run: |
          echo "🔍 Performing security audit..."
          
          # Use Continue CLI to audit RLS and generate fixes
          cn -p "Using Supabase MCP, perform a comprehensive RLS security audit:
                 1. Check all tables for RLS enablement
                 2. Identify tables with missing or weak RLS policies
                 3. Find overly permissive policies (e.g., 'true' conditions)
                 4. Check for common security anti-patterns:
                    - Missing user_id checks
                    - No role-based access control
                    - Unrestricted DELETE operations
                    - Missing WITH CHECK clauses
                 5. Generate fixes for all security issues found
                 6. Create a security report with:
                    - Critical vulnerabilities (tables without RLS)
                    - High-risk policies that need immediate fixes
                    - SQL migrations to fix all issues
                    - Best practice recommendations
                    - Compliance checklist (GDPR, SOC2, etc.)
                 
                 If critical security issues are found:
                 - Generate the complete fix migration
                 - Create a GitHub issue with severity labels
                 - Tag security team members for review"

      - name: Save Health Report
        run: |
          echo "## 📊 Database Health Report" >> $GITHUB_STEP_SUMMARY
          echo "Generated at $(date)" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Check the 'Analyze Database Security' step for the full report" >> $GITHUB_STEP_SUMMARY

      - name: Upload Health Report
        uses: actions/upload-artifact@v4
        with:
          name: database-health-report
          path: |
            *.md
            *.sql
Required GitHub Secrets:Add this at: Repository Settings → Secrets and variables → Actions

What You’ve Built

After completing this guide, you have a complete AI-powered database management system that:
  • Analyzes schema design - Identifies optimization opportunities and best practices
  • Optimizes queries - Suggests indexes and query rewrites for better performance
  • Generates migrations - Creates SQL code for schema improvements
  • Monitors health - Runs automated checks for performance and security issues
  • Provides insights - Delivers actionable recommendations based on data patterns

Continuous AI Database Management

Your system now operates at Level 2 Continuous AI - AI handles routine database analysis and optimization with human oversight for migration approval.

Advanced Database Prompts

Enhance your workflow with these advanced Continue CLI prompts:

Real-time Performance

Monitor query performance in real-time and get alerts for slow queries exceeding threshold times

Data Quality Checks

Automatically validate data integrity, find duplicates, and ensure consistency across related tables

Access Pattern Analysis

Analyze API logs to understand data access patterns and optimize indexes accordingly

Cost Optimization

Review database usage and suggest ways to reduce costs while maintaining performance

Security Best Practices

Database Security Guidelines:
  • Always use development/staging environments with MCP
  • Enable read-only mode for analysis tasks
  • Never store production credentials in code
  • Review all AI-generated SQL before execution
  • Use RLS policies to enforce access control
  • Regularly audit database permissions

Troubleshooting

Supabase MCP Connection Issues

If you encounter connection issues:
  1. Verify OAuth authentication is complete
  2. Check your Supabase project is accessible
  3. Ensure you’re not connecting to a production database
  4. Verify the MCP URL is correct: https://mcp.supabase.com/mcp

Common Database Analysis Issues

IssueSolution
No tables foundVerify your database has tables created
Permission deniedCheck OAuth scopes and project permissions
Slow query analysisEnsure your database has query logs enabled
Migration failuresTest migrations in a branch database first

Next Steps

Resources

I