// every check it runs
What GuardLayer checks for
Twenty checks, run on every push and tuned to stay quiet on safe, idiomatic code. Each one ships with the exact fix — not just a flag.
# supabase

5 checks

Where most Next.js + Supabase breaches actually start — the rules that decide who can read and write your data.

- critical: RLS disabled on sensitive tables
- critical: service_role key exposed client-side
- critical: public storage buckets
- warning: policies missing auth.uid()
- warning: edge functions without auth
# next.js

5 checks

The framework-specific footguns — Server Actions, environment exposure, and routing that quietly skips a guard.

- critical: Server Actions without an auth check
- critical: secrets leaked via NEXT_PUBLIC_
- warning: API routes without input validation
- warning: middleware that misses protected routes
- warning: wildcard CORS with credentials
# general

5 checks

Classic application-security mistakes the AI coding tools still ship into production.

- critical: hardcoded API keys & private keys
- warning: dependencies with known CVEs
- warning: string-built SQL (injection)
- warning: eval() on dynamic input
- info: unsanitised dangerouslySetInnerHTML
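To make the three lists above concrete, here is an added example of what such checks look like as code: a small line-level scanner in JavaScript that approximates several of the supabase, next.js and general checks (service_role key client-side, secrets in NEXT_PUBLIC_, Server Actions without an auth check, wildcard CORS with credentials, hardcoded private keys, string-built SQL, eval() on dynamic input, unsanitised dangerouslySetInnerHTML). This is not GuardLayer's scanner, whose internals this page does not describe. The sample source files are constructed for the example, and the auth-helper names it looks for (getUser, getSession, auth) and the sanitiser names it accepts (sanitize, DOMPurify) are assumptions.

```javascript
// Added example: a regex-based approximation of the checks listed above.
// It is NOT GuardLayer's code. Every rule is a deliberately simple line- or
// file-level heuristic; a real tool would work on an AST to avoid the false
// positives these can produce.

// Rules evaluated per line. `ctx.clientFile` is true when the module starts
// with "use client", i.e. its code is shipped to the browser.
const LINE_RULES = [
  {
    id: "hardcoded-private-key",
    severity: "critical",
    test: (line) => /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/.test(line),
  },
  {
    id: "secret-in-NEXT_PUBLIC",
    severity: "critical",
    // NEXT_PUBLIC_* values are inlined into the browser bundle, so a name that
    // looks like a secret is a leak whatever the value.
    test: (line) => /NEXT_PUBLIC_\w*(SECRET|SERVICE_ROLE|PRIVATE)/i.test(line),
  },
  {
    id: "service-role-key-client-side",
    severity: "critical",
    test: (line, ctx) => ctx.clientFile && /SERVICE_ROLE/.test(line),
  },
  {
    id: "string-built-sql",
    severity: "warning",
    // An SQL keyword on a line that also interpolates (${...}) or concatenates.
    test: (line) =>
      /\b(SELECT|INSERT|UPDATE|DELETE)\b/i.test(line) &&
      (/\$\{/.test(line) || /["'`]\s*\+\s*\w/.test(line)),
  },
  {
    id: "eval-dynamic-input",
    severity: "warning",
    // eval(...) whose first argument is not a plain string literal.
    test: (line) => /\beval\s*\(\s*(?!["'`)])/.test(line),
  },
  {
    id: "unsanitised-dangerouslySetInnerHTML",
    severity: "info",
    // __html not wrapped in an (assumed) sanitiser such as DOMPurify.sanitize.
    test: (line) =>
      /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:\s*(?!sanitize|DOMPurify)/.test(line),
  },
];

// Rules evaluated on the whole file, because the evidence spans lines.
const FILE_RULES = [
  {
    id: "server-action-without-auth",
    severity: "critical",
    // A "use server" module that never calls an auth/session helper. The
    // helper names (getUser, getSession, auth) are assumptions for this example.
    test: (src) =>
      /^\s*["']use server["']/m.test(src) && !/\b(getUser|getSession|auth)\s*\(/.test(src),
  },
  {
    id: "wildcard-cors-with-credentials",
    severity: "warning",
    // Allow-Origin "*" together with Allow-Credentials "true". Browsers reject
    // the pair, and the usual quick "fix" of reflecting the request Origin
    // would grant any site credentialed access, so flag it early.
    test: (src) =>
      /Access-Control-Allow-Origin["']?\s*[:=]\s*["']\*["']/.test(src) &&
      /Access-Control-Allow-Credentials["']?\s*[:=]\s*["']true["']/.test(src),
  },
];

// Scan one source file. Returns findings as { check, severity, line }; line is
// null for file-level findings.
function scanSource(src) {
  const ctx = { clientFile: /^\s*["']use client["']/m.test(src) };
  const findings = [];
  src.split("\n").forEach((line, i) => {
    for (const rule of LINE_RULES) {
      if (rule.test(line, ctx)) findings.push({ check: rule.id, severity: rule.severity, line: i + 1 });
    }
  });
  for (const rule of FILE_RULES) {
    if (rule.test(src)) findings.push({ check: rule.id, severity: rule.severity, line: null });
  }
  return findings;
}

// Highest severity among the findings, for a pass/fail decision on a push.
const RANK = { none: 0, info: 1, warning: 2, critical: 3 };
function worstSeverity(findings) {
  return findings.reduce((w, f) => (RANK[f.severity] > RANK[w] ? f.severity : w), "none");
}

// Constructed sample files (not real project code).
const SAMPLE_ACTION = [
  '"use server";',
  "export async function deletePost(id) {",
  "  const sql = `DELETE FROM posts WHERE id = ${id}`;",
  "  return db.query(sql);",
  "}",
].join("\n");
const SAMPLE_ROUTE = [
  "export async function POST(req) {",
  "  const body = await req.json();",
  "  const rule = eval(body.rule);",
  '  return new Response("ok", { headers: {',
  '    "Access-Control-Allow-Origin": "*",',
  '    "Access-Control-Allow-Credentials": "true",',
  "  }});",
  "}",
].join("\n");
const SAMPLE_CLIENT = [
  '"use client";',
  "const admin = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY);",
  "export function Raw({ html }) {",
  "  return <div dangerouslySetInnerHTML={{ __html: html }} />;",
  "}",
].join("\n");
const SAFE_ACTION = [
  '"use server";',
  "export async function deletePost(id) {",
  "  const { data: { user } } = await supabase.auth.getUser();",
  '  if (!user) throw new Error("unauthorised");',
  '  return db.query("DELETE FROM posts WHERE id = $1", [id]);',
  "}",
].join("\n");

for (const [name, src] of Object.entries({ SAMPLE_ACTION, SAMPLE_ROUTE, SAMPLE_CLIENT, SAFE_ACTION })) {
  const findings = scanSource(src);
  console.log(name, worstSeverity(findings), findings);
}
```

The safe Server Action, which calls getUser() and passes the id as a bound parameter, produces no findings; the point of a check set like the one on this page is that the first three samples are flagged with their line numbers while idiomatic code stays quiet.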