supabase-mcp
v1.5.0MCP server for Supabase CRUD operations
33
Total
31
Critical
0
High
2
Medium
Findings
unknownEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7: // Initialize the Supabase client with service role key for full access
8: const url = process.env.SUPABASE_URL;
>>> 9: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
10: if (!url || !serviceRoleKey) {
11: throw new Error('Missing required Supabase credentials');Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
11: export const mcpConfig = {
12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
>>> 13: host: process.env.MCP_SERVER_HOST || 'localhost',
14: apiKey: process.env.MCP_API_KEY || '',
15: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
13: host: process.env.MCP_SERVER_HOST || 'localhost',
>>> 14: apiKey: process.env.MCP_API_KEY || '',
15: };
16: // Validate required configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
43: authentication: {
44: type: "api_key",
>>> 45: instructions: "Set the MCP_API_KEY environment variable in the .env file"
46: },
47: tools: [Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6: constructor() {
7: // Initialize the Supabase client with service role key for full access
>>> 8: const url = process.env.SUPABASE_URL;
9: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
10: if (!url || !serviceRoleKey) {Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7: // Initialize the Supabase client with service role key for full access
8: const url = process.env.SUPABASE_URL;
>>> 9: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
10: if (!url || !serviceRoleKey) {
11: throw new Error('Missing required Supabase credentials');Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6: constructor() {
7: // Initialize the Supabase client with service role key for full access
>>> 8: const url = process.env.SUPABASE_URL;
9: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
10: if (!url || !serviceRoleKey) {Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
45: ## Configuration
46:
>>> 47: Create a `.env` file with your Supabase credentials:
48:
49: ```Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
106: ```
107:
>>> 108: This will start the MCP server at http://localhost:3000 (or the port specified in your .env file).
109:
110: ## Usage in Your CodeReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
132:
133: #### 1. "Port XXXX is already in use"
>>> 134: The HTTP server attempts to find an available port automatically. You can manually specify a different port in your `.env` file by changing the `MCP_SERVER_PORT` value.
135:
136: #### 2. "Missing required environment variables"Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
135:
136: #### 2. "Missing required environment variables"
>>> 137: Make sure you have a proper `.env` file with all the required values or that you've set the environment variables in your system.
138:
139: #### 3. "TypeError: Class constructor Server cannot be invoked without 'new'"Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
11: // Supabase configuration
12: exports.supabaseConfig = {
>>> 13: url: process.env.SUPABASE_URL || '',
14: anonKey: process.env.SUPABASE_ANON_KEY || '',
15: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
12: exports.supabaseConfig = {
13: url: process.env.SUPABASE_URL || '',
>>> 14: anonKey: process.env.SUPABASE_ANON_KEY || '',
15: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
16: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
13: url: process.env.SUPABASE_URL || '',
14: anonKey: process.env.SUPABASE_ANON_KEY || '',
>>> 15: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
16: };
17: // MCP server configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
17: // MCP server configuration
18: exports.mcpConfig = {
>>> 19: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
20: host: process.env.MCP_SERVER_HOST || 'localhost',
21: apiKey: process.env.MCP_API_KEY || '',Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
18: exports.mcpConfig = {
19: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
>>> 20: host: process.env.MCP_SERVER_HOST || 'localhost',
21: apiKey: process.env.MCP_API_KEY || '',
22: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
19: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
20: host: process.env.MCP_SERVER_HOST || 'localhost',
>>> 21: apiKey: process.env.MCP_API_KEY || '',
22: };
23: // Validate required configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
50: authentication: {
51: type: "api_key",
>>> 52: instructions: "Set the MCP_API_KEY environment variable in the .env file"
53: },
54: tools: [Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
12: constructor() {
13: // Initialize the Supabase client with service role key for full access
>>> 14: const url = process.env.SUPABASE_URL;
15: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
16: if (!url || !serviceRoleKey) {Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
13: // Initialize the Supabase client with service role key for full access
14: const url = process.env.SUPABASE_URL;
>>> 15: const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
16: if (!url || !serviceRoleKey) {
17: throw new Error('Missing required Supabase credentials');Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
4: // Supabase configuration
5: export const supabaseConfig = {
>>> 6: url: process.env.SUPABASE_URL || '',
7: anonKey: process.env.SUPABASE_ANON_KEY || '',
8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5: export const supabaseConfig = {
6: url: process.env.SUPABASE_URL || '',
>>> 7: anonKey: process.env.SUPABASE_ANON_KEY || '',
8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
9: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6: url: process.env.SUPABASE_URL || '',
7: anonKey: process.env.SUPABASE_ANON_KEY || '',
>>> 8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
9: };
10: // MCP server configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
10: // MCP server configuration
11: export const mcpConfig = {
>>> 12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
13: host: process.env.MCP_SERVER_HOST || 'localhost',
14: apiKey: process.env.MCP_API_KEY || '',Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
11: export const mcpConfig = {
12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
>>> 13: host: process.env.MCP_SERVER_HOST || 'localhost',
14: apiKey: process.env.MCP_API_KEY || '',
15: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
13: host: process.env.MCP_SERVER_HOST || 'localhost',
>>> 14: apiKey: process.env.MCP_API_KEY || '',
15: };
16: // Validate required configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
43: authentication: {
44: type: "api_key",
>>> 45: instructions: "Set the MCP_API_KEY environment variable in the .env file"
46: },
47: tools: [Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
4: // Supabase configuration
5: export const supabaseConfig = {
>>> 6: url: process.env.SUPABASE_URL || '',
7: anonKey: process.env.SUPABASE_ANON_KEY || '',
8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5: export const supabaseConfig = {
6: url: process.env.SUPABASE_URL || '',
>>> 7: anonKey: process.env.SUPABASE_ANON_KEY || '',
8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
9: };Report false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6: url: process.env.SUPABASE_URL || '',
7: anonKey: process.env.SUPABASE_ANON_KEY || '',
>>> 8: serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
9: };
10: // MCP server configurationReport false positiveEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
10: // MCP server configuration
11: export const mcpConfig = {
>>> 12: port: parseInt(process.env.MCP_SERVER_PORT || '3000', 10),
13: host: process.env.MCP_SERVER_HOST || 'localhost',
14: apiKey: process.env.MCP_API_KEY || '',Report false positiveHigh-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveHigh-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Report false positiveScan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 25, 2026 | critical | 33 | 130 | 0.00s |
| Feb 23, 2026 | critical | 33 | 130 | 0.00s |
| Feb 22, 2026 | critical | 33 | 130 | 0.00s |