diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
new file mode 100644
index 000000000..58207b605
--- /dev/null
+++ b/nix/tests/expected/security.out
@@ -0,0 +1,30 @@
+-- get a list of security definer functions owned by supabase_admin
+-- this list should be vetted to ensure the functions are safe to use as security definer
+select
+ n.nspname, p.proname
+from pg_catalog.pg_proc p
+ left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
+ and p.prosecdef = true
+order by 1,2;
+ nspname | proname
+----------+--------------------------------
+ graphql | get_schema_version
+ graphql | increment_schema_version
+ pgsodium | disable_security_label_trigger
+ pgsodium | enable_security_label_trigger
+ pgsodium | get_key_by_id
+ pgsodium | get_key_by_name
+ pgsodium | get_named_keys
+ pgsodium | mask_role
+ pgsodium | update_mask
+ public | dblink_connect_u
+ public | dblink_connect_u
+ public | pgaudit_ddl_command_end
+ public | pgaudit_sql_drop
+ public | st_estimatedextent
+ public | st_estimatedextent
+ public | st_estimatedextent
+ repack | repack_trigger
+(17 rows)
+
diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql
new file mode 100644
index 000000000..fb72f0e69
--- /dev/null
+++ b/nix/tests/sql/security.sql
@@ -0,0 +1,9 @@
+-- get a list of security definer functions owned by supabase_admin
+-- this list should be vetted to ensure the functions are safe to use as security definer
+select
+ n.nspname, p.proname
+from pg_catalog.pg_proc p
+ left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
+ and p.prosecdef = true
+order by 1,2;
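Review bot: The select list in nix/tests/sql/security.sql prints only `n.nspname, p.proname`, so overloads collapse into identical rows (the expected output shows `dblink_connect_u` twice and `st_estimatedextent` three times) and the vetted list cannot say which signature was reviewed. It also does not record whether each function pins `search_path`, which is the first thing to check when vetting a SECURITY DEFINER function, because without a pinned path the caller's schemas can influence name resolution in code that runs as the owner. Adding `pg_catalog.pg_get_function_identity_arguments(p.oid)` and `p.proconfig` to the output, and ordering by column names instead of `1,2`, would make a new overload or a dropped `SET search_path` show up as a test diff; nix/tests/expected/security.out would need regenerating to match. Separately, the query covers only functions owned by supabase_admin, so definer functions owned by other privileged roles are presumably outside this check.

```sql
select
    n.nspname,
    p.proname,
    pg_catalog.pg_get_function_identity_arguments(p.oid) as identity_args,
    p.proconfig  -- per-function settings; shows whether search_path is pinned
-- … unchanged: from / left join / where clauses …
order by n.nspname, p.proname, identity_args;
```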