Free check for Lovable apps: are your Supabase tables open to the public?

A really common thing with Lovable apps is that Row Level Security never gets turned on, which means anyone with your public key (it's right there in the page) can read your whole database. Easy to miss, easy to fix.

I built a free scanner that checks this and a few other common leaks (exposed keys, reachable .env, source maps). Paste your app URL and it tells you in a few seconds. Read-only, never logs in.

task-bounty.com/scan. Run it on your own app and let me know what it finds, happy to walk you through fixing anything.

reddit.com
u/elidanipipe — 6 days ago
▲ 1 r/redteamsec+3 crossposts

If you built your app with a no-code or AI tool, it might be leaking your database. Free check.

No-code and AI builders are great for shipping fast, but they make it really easy to accidentally leave your database open or put a secret key where anyone can grab it. Most people never find out until something goes wrong.

I made a free tool that checks for you. You paste your app link and it shows, in plain English, what your live app is exposing to any visitor. No login, it just looks at what your app already shows the world.

task-bounty.com/scan if you want to try it on your own app. Glad to explain anything it flags.

u/elidanipipe — 4 days ago
▲ 1 r/mcp

I built a local-only GitHub Actions checker with an MCP server (0.1.6)

Disclosure: I built this.

TaskBounty Check is an open-source, local-only maintenance checker for GitHub Actions and update automation. I added a stdio MCP server so Cursor, Claude Code, and Codex can scan a local repo, explain a finding, and generate a text-only fix plan.

The default path has no network access, no telemetry, zero runtime dependencies, and uploads nothing. It reads only workflow files plus Dependabot/Renovate config; it does not read application source or modify files.

Run the MCP server:

npx -y taskbounty-check@0.1.6 mcp

Available tools:

  • scan_repo
  • explain_finding
  • generate_fix_plan

I also ran the published CLI against its own real repository. The current result is 2 workflow files, 0 maintenance candidates, and 0 private-review items. That self-check initially exposed a false positive where YAML-looking shell fixtures were mistaken for live workflow keys; 0.1.6 fixes it and adds regression tests.

Real-repository walkthrough and agent setup: https://github.com/eliottreich/taskbounty-check/blob/main/docs/real-repo-quickstart.md?utm_source=reddit&utm_medium=mcp_showcase&utm_campaign=taskbounty_check_quickstart

I would value feedback on two things: whether the MCP tool boundaries are narrow enough, and whether returning a text-only fix plan (rather than editing files) is the right default.

u/elidanipipe — 15 days ago

How would you make a public coverage index less misleading?

I’m building TaskBounty, a service that helps JS/TS teams raise coverage by delivering behavior tests as a PR.

We just launched a public JS/TS Coverage Index:

[https://www.task-bounty.com/coverage-index\](https://www.task-bounty.com/coverage-index)

I’m not trying to pretend coverage equals quality. It does not. The framing is: coverage is a map, not a grade.

Current index:

* 98 JS/TS repos tracked
* 51 with measured public signals
* 47 with no obvious public signal
* per-repo pages
* README badges
* result challenge flow

Question for testing people:

What would make this less misleading?

Ideas I’m considering:

* show mutation score where available
* label line coverage and branch coverage separately
* distinguish provider coverage from sandbox-measured coverage
* add “methodology warnings” on each result page
* avoid ranking language entirely

What else should be included before you would trust a public coverage signal?

reddit.com
u/elidanipipe — 30 days ago

How would you make a public coverage index less misleading?

I’m building TaskBounty, a service that helps JS/TS teams raise coverage by delivering behavior tests as a PR.

We just launched a public JS/TS Coverage Index:

https://www.task-bounty.com/coverage-index

I’m not trying to pretend coverage equals quality. It does not. The framing is: coverage is a map, not a grade.

Current index:

  • 98 JS/TS repos tracked
  • 51 with measured public signals
  • 47 with no obvious public signal
  • per-repo pages
  • README badges
  • result challenge flow

Question for testing people:

What would make this less misleading?

Ideas I’m considering:

  • show mutation score where available
  • label line coverage and branch coverage separately
  • distinguish provider coverage from sandbox-measured coverage
  • add “methodology warnings” on each result page
  • avoid ranking language entirely

What else should be included before you would trust a public coverage signal?

reddit.com
u/elidanipipe — 1 month ago

Coverage target question: is 80% useful or cargo cult?

I’m working on a service that helps teams raise test coverage, and I’m trying to sharpen the positioning.

The offer is currently:

“Test coverage to 80%, delivered as a PR.”

I know 80% is imperfect. It’s not a substitute for meaningful tests, risk-based testing, mutation testing, etc.

But for SaaS teams with very low coverage, it seems like a useful commercial threshold:

- high enough to force real work

- understandable to buyers

- common enough to be familiar

- measurable enough to verify

Question for QA folks:

Would “to 80%” make you more or less likely to trust the service?

What would be a better promise?

- risk coverage?

- critical-path tests?

- file-level gap report?

- coverage + mutation score?

reddit.com
u/elidanipipe — 1 month ago

What makes AI-written tests unacceptable to you?

I’m building a coverage service and want to sanity-check our quality bar with testing people.

The product promise is:

“We raise coverage to 80% by delivering tests as a PR.”

But obviously coverage can be gamed, so we’re trying to make the guarantee stricter:

- no tests that only assert mocks were called

- no snapshot spam unless requested

- no lowered coverage thresholds

- no excluded files without approval

- existing tests must stay green

- before/after coverage report

- customer can reject low-quality tests

Question:

What else belongs in the quality bar?

If you were reviewing a PR that claimed to increase coverage, what would immediately make you reject it?

Context: we also have a free coverage gap checker, but I’m mostly looking for QA/testing feedback here rather than promotion.

reddit.com
u/elidanipipe — 1 month ago

I built a free coverage gap checker for GitHub repos- roast the positioning?

I’m building TaskBounty, a service that takes SaaS repos to 80% test coverage by delivering the tests as a finished PR.

The free entry point is Coverage Check:

https://task-bounty.com/coverage-check

What it does:

- public repos: reads public coverage from Codecov / Coveralls / SonarCloud if available

- private repos: runs a read-only sandbox scan and sends back current coverage, gap to 80%, and top files to test first

I’m trying to figure out if the positioning is clear enough.

The intended buyer is not really OSS maintainers. It’s founders / CTOs with private repos who know their coverage is too low but don’t want to pull engineers off product work.

Questions:

  1. Is the public/private split clear?

  2. Would you trust the private scan flow?

  3. Is “coverage to 80%, delivered as a PR” specific enough?

  4. What would make you bounce?

Happy to run a free teardown for the first few repos people drop here.

reddit.com
u/elidanipipe — 1 month ago

Is this a good wedge for a devtool, or too narrow?

I’m working on TaskBounty and would appreciate founder-level feedback.

We originally positioned it as a broader AI code-fix platform. That was too vague.

We narrowed the wedge to:

“Test coverage to 80%, delivered as a finished PR.”

The lead magnet is a free Coverage Check:

https://task-bounty.com/coverage-check

For private repos, the idea is:

- install read-only access to one repo

- we run the suite in a sandbox

- send back current coverage, gap to 80%, and top files to test first

- if useful, we can deliver the tests as a PR

The buyer we’re aiming for:

Seed-Series B SaaS teams, especially before SOC2, enterprise sales, diligence, or reliability pushes.

Question:

Is this narrow enough to be a strong wedge, or does “test coverage” still feel like a vitamin?

I’m especially interested in feedback from people who have sold devtools or run engineering teams.

reddit.com
u/elidanipipe — 1 month ago
▲ 1 r/SaaS

Trying a different SaaS lead magnet: free coverage gap reports instead of a demo

I’m testing a lead magnet for a B2B devtool and would love feedback from other SaaS founders.

The product:

TaskBounty takes a repo to 80% test coverage and delivers the tests as a finished PR. Flat price, refund if we miss the target.

The old funnel was too product-led:

“Here is an AI code tool.”

The new funnel is more diagnostic:

“Run a free coverage gap report on one repo.”

The report gives:

- current line coverage

- gap to 80%

- top files where tests reduce the most risk

- whether a fixed-price sprint makes sense

Public version:

https://task-bounty.com/coverage-check

Private repo version:

read-only scan, sandboxed, no card.

My thesis is that founders don’t want “AI test generation.” They want to know:

“how bad is coverage, what should we test first, and can someone make this problem go away?”

Curious:

- Would this lead magnet work on you if you had a messy repo?

- What would make you trust or distrust the private scan?

- Is 80% a strong promise or too arbitrary?

reddit.com
u/elidanipipe — 1 month ago

Built a tool that runs any public repo's test suite in a sandbox and reports real coverage (free)

Paste a public GitHub repo, it clones the repo, runs the suite in an isolated sandbox, and returns the real line-coverage number. No CI integration, no signup for the instant read.

\[https://www.task-bounty.com/coverage-check\\\](https://www.task-bounty.com/coverage-check)

The harder half: it can also raise coverage. We just took a live OSS repo (marella/shr) from 64% to past 80%, all tests run against the project's own suite in a sandbox, no source touched, and opened a real upstream PR (disclosed as AI-assisted, human-reviewed): \[github.com/marella/shr/pull/1\](http://github.com/marella/shr/pull/1)

Built it because every coverage tool makes you wire up CI before it tells you anything. Curious what numbers people get on their own repos.

reddit.com
u/elidanipipe — 1 month ago
▲ 1 r/cicd

Built a tool that runs any public repo's test suite in a sandbox and reports real coverage (free)

Paste a public GitHub repo, it clones the repo, runs the suite in an isolated sandbox, and returns the real line-coverage number. No CI integration, no signup for the instant read.

[https://www.task-bounty.com/coverage-check\](https://www.task-bounty.com/coverage-check)

The harder half: it can also raise coverage. We just took a live OSS repo (marella/shr) from 64% to past 80%, all tests run against the project's own suite in a sandbox, no source touched, and opened a real upstream PR (disclosed as AI-assisted, human-reviewed): [github.com/marella/shr/pull/1](http://github.com/marella/shr/pull/1)

Built it because every coverage tool makes you wire up CI before it tells you anything. Curious what numbers people get on their own repos.

reddit.com
u/elidanipipe — 1 month ago

Built a tool that runs any public repo's test suite in a sandbox and reports real coverage (free)

Paste a public GitHub repo, it clones the repo, runs the suite in an isolated sandbox, and returns the real line-coverage number. No CI integration, no signup for the instant read.

https://www.task-bounty.com/coverage-check

The harder half: it can also raise coverage. We just took a live OSS repo (marella/shr) from 64% to past 80%, all tests run against the project's own suite in a sandbox, no source touched, and opened a real upstream PR (disclosed as AI-assisted, human-reviewed): github.com/marella/shr/pull/1

Built it because every coverage tool makes you wire up CI before it tells you anything. Curious what numbers people get on their own repos.

reddit.com
u/elidanipipe — 1 month ago