
Report

Webapp Security Audit

acme/webapp·main·a3f8c91
April 10, 2026·198 files analyzed·720.0s
34 / 100
Critical risk

Executive summary

This codebase has a solid foundation (Stripe signatures verified, Zod schemas everywhere, RLS enabled on every table), but contains several high-severity issues concentrated in the payment, auth, and worker-dispatch paths. The most urgent findings are a missing idempotency check on the Stripe webhook (duplicate deliveries credit users twice), a GitHub OAuth access token exposed to client-side code via the NextAuth session callback, and Supabase RLS that allows anonymous writes against the `payments` table because no INSERT/UPDATE/DELETE policies were defined. A TOCTOU race in the daily scan limit and a path-traversal vector in the repo-clone branch parameter round out the critical set. Without intervention, an attacker can mint free credits, exfiltrate user GitHub tokens, or write directly to financial tables from a browser bundle.
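The duplicate-delivery problem from the first finding, shown as an added example that is not code from the audited repository: a naive webhook handler beside one made idempotent on the Stripe event id. It assumes signature verification via stripe.webhooks.constructEvent has already run, and uses an in-memory store as a stand-in for the database.

```typescript
// Added example, not the audited repo's code. Stripe delivers webhooks at least
// once, so a handler that credits on every delivery double-credits on retries.
// Assumes the event already passed stripe.webhooks.constructEvent; Store is an
// in-memory stand-in for the database tables.
type StripeEvent = {
  id: string;
  type: string;
  data: { object: { metadata: { userId: string }; amount_total: number } };
};

class Store {
  credits = new Map<string, number>();
  processedEvents = new Set<string>();
  addCredits(userId: string, n: number): void {
    this.credits.set(userId, (this.credits.get(userId) ?? 0) + n);
  }
}

// Vulnerable: nothing records which event ids were applied, so a redelivered
// event (same evt_ id) credits the user a second time.
function handleWebhookNaive(store: Store, event: StripeEvent): string {
  if (event.type !== "checkout.session.completed") return "ignored";
  const session = event.data.object;
  store.addCredits(session.metadata.userId, session.amount_total / 100);
  return "credited";
}

// Hardened: the event id is recorded before the side effect. In production,
// insert it into a processed_events table with UNIQUE(event_id) in the same
// transaction as the credit, so concurrent deliveries collide at the database
// instead of racing on this check. A known id is still acknowledged (200) so
// Stripe stops retrying.
function handleWebhookIdempotent(store: Store, event: StripeEvent): string {
  if (event.type !== "checkout.session.completed") return "ignored";
  if (store.processedEvents.has(event.id)) return "duplicate";
  store.processedEvents.add(event.id);
  const session = event.data.object;
  store.addCredits(session.metadata.userId, session.amount_total / 100);
  return "credited";
}

// Constructed sample event, delivered twice to model a Stripe retry.
const sampleEvent: StripeEvent = {
  id: "evt_sample_001",
  type: "checkout.session.completed",
  data: { object: { metadata: { userId: "user_42" }, amount_total: 2000 } },
};

function simulate(handler: (s: Store, e: StripeEvent) => string) {
  const store = new Store();
  const results = [handler(store, sampleEvent), handler(store, sampleEvent)];
  return { credits: store.credits.get("user_42") ?? 0, results };
}
```

Running simulate with each handler shows the naive one crediting 40 for a single 20.00 checkout, while the idempotent one credits 20 and reports the second delivery as a duplicate.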

What this codebase is doing right

  • Stripe webhook signatures verified via stripe.webhooks.constructEvent
  • All API routes consistently call a requireAuth() helper before processing
  • Supabase RLS is enabled on every user-facing table
  • TypeScript strict mode + Zod schemas at every API boundary
  • Cryptographically secure RNG (crypto.randomBytes) used for referral codes
  • Session cookies are httpOnly with sameSite=lax

Findings

12 issues, ranked by priority

This is what your report would look like.

Connect your GitHub repo and get the same depth of audit on your own codebase. Read-only access, deleted after the scan.