Goal A user that corresponds to an application does not have to have privileges to use trigger functions. If it has these, then it violates the principle of least privilege.
Type Problem detection (Each row in the result could represent a flaw in the design)
Reliability High (Few or no false-positive results)
License MIT License
Fixing Suggestion Revoke unnecessary privileges.
Data Source INFORMATION_SCHEMA+system catalog
SQL Query
WITH privs AS (SELECT rp.routine_schema, rp.routine_name, 
pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters,
rp.grantee, rp.privilege_type, rp.is_grantable
FROM information_schema.routine_privileges AS rp,
information_schema.routines AS r
WHERE rp.routine_schema NOT IN (SELECT schema_name
FROM INFORMATION_SCHEMA.schemata
WHERE schema_name<>'public' AND
schema_owner='postgres' AND schema_name IS NOT NULL)  AND
rp.routine_schema=r.routine_schema AND 
rp.specific_name=r.specific_name AND
r.data_type='trigger' AND 
grantee<>'PUBLIC' AND
NOT EXISTS (SELECT 1
FROM pg_catalog.pg_roles r
WHERE rolsuper=TRUE AND rp.grantee=r.rolname))
SELECT routine_schema, routine_name, parameters, grantee, privilege_type
FROM privs
ORDER BY routine_schema, routine_name, parameters, privilege_type;

SQL statements that help generate fixes for the identified problem.

SQL Query to Generate FixDescription
WITH privs AS (SELECT rp.routine_schema, rp.routine_name, 
pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters,
rp.grantee, rp.privilege_type, rp.is_grantable
FROM information_schema.routine_privileges AS rp,
information_schema.routines AS r
WHERE rp.routine_schema NOT IN (SELECT schema_name
FROM INFORMATION_SCHEMA.schemata
WHERE schema_name<>'public' AND
schema_owner='postgres' AND schema_name IS NOT NULL)  AND
rp.routine_schema=r.routine_schema AND 
rp.specific_name=r.specific_name AND
r.data_type='trigger' AND 
grantee<>'PUBLIC' AND
NOT EXISTS (SELECT 1
FROM pg_catalog.pg_roles r
WHERE rolsuper=TRUE AND rp.grantee=r.rolname))
SELECT format('REVOKE %1$s ON FUNCTION %2$I.%3$I(%4$s) FROM %5$I;', privilege_type, routine_schema, routine_name, parameters, grantee) AS statements 
FROM privs
ORDER BY routine_schema, routine_name;
Revoke unnecessary privileges.
Collections

This query belongs to the following collections:

NameDescription
Find problems automaticallyQueries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not .
Categories

This query is classified under the following categories:

NameDescription
SecurityQueries of this category provide information about the security measures.
Triggers and rulesQueries of this category provide information about triggers and rules in a database.
User-defined routinesQueries of this category provide information about the user-defined routines