supabase-security-skill

mcp
Security Audit
Warning
Health Warning
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Warning
  • process.env — Environment variable access in scripts/audit.js
  • network request — Outbound network request in scripts/audit.js
Permissions Passed
  • Permissions — No dangerous permissions requested


SUMMARY

Audit and harden any Supabase project. Local-only Node.js, no SaaS, no deps. Detects RLS leaks, exposed SECURITY DEFINER functions, public buckets. Generates fix SQL.

README.md

supabase-security

Audit and harden any Supabase project. Local-only, no SaaS, your token never leaves your machine. v0.3 ships with active anon-key probe — confirms each leak live, not just inferred.

⚡ Want me to run it for you and send back a written report? $99, 24h delivery → https://perufitlife.github.io/supabase-security-skill/ (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)

```text
$ supabase-security <project-ref> --html report.html
HTML report written to report.html
Findings: 0 critical, 5 high, 2 medium
```


Why

On May 30, 2026 Supabase changes its default for new projects: tables in public no longer auto-expose to the Data API. On October 30, 2026 that becomes the enforced default for all existing projects.

If you've been on Supabase for more than a few months, you almost certainly have:

  • Tables granted CRUD to anon by default (because that was the default).
  • One or two tables where RLS got missed.
  • SECURITY DEFINER functions that are technically callable by anon.

This tool surfaces all of that in a single HTML report you can share with your team, plus copy-paste SQL to fix each issue.

What it finds (real example)

I ran this against my own apps. Two projects, similar size:

| Project | Tables | Critical | High | Medium |
|---|---|---|---|---|
| Internal CRM (auth-only) | 55 | 0 | 11 | 2 |
| Public web app | 139 | 17 before fix | 5 | 2 |

The public app had 17 tables with RLS disabled and full CRUD to anon. They were leaking to anyone who pulled the anon key out of the JS bundle. Fixed in one SQL transaction generated by this tool.

Install

No install needed — clone and run:

```bash
git clone https://github.com/Perufitlife/supabase-security-skill
cd supabase-security-skill
SUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js YOUR_PROJECT_REF --html report.html
```

Or as an Agent Skill for Claude Code, Cursor, Cline:

```bash
# (when published to skills marketplace)
npx skills add Perufitlife/supabase-security-skill
```

Then say: "audit my Supabase project ref xxx".

Get a Personal Access Token

https://supabase.com/dashboard/account/tokens → "Generate new token". Read access is sufficient.

Checks performed

| # | Check | Severity |
|---|---|---|
| 1 | Table has RLS disabled and anon grants | CRITICAL |
| 2 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| 3 | Public storage bucket | HIGH |
| 4 | Default privileges still grant CRUD to anon (future-table risk) | MEDIUM |
| 5 | Auth signups enabled without email confirmation | MEDIUM |
| 6 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |

Every finding ships with copy-paste fix SQL. The HTML report has a "Copy all SQL" button to apply everything in one go.
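As an added illustration (not the project's own audit.js code), this is the catalog logic behind checks 1 and 6 in one query, followed by the shape of the fix SQL for a single CRITICAL row. It assumes a Supabase Postgres with the usual anon/authenticated roles, run as the postgres role; YOUR_TABLE and the user_id column are placeholders.

```sql
-- Added example, not the tool's own source. Assumes a Supabase Postgres
-- (roles anon/authenticated exist) and runs as the postgres role.

WITH anon_access AS (
  SELECT n.nspname        AS schema_name,
         c.relname        AS table_name,
         c.relrowsecurity AS rls_enabled,
         -- has_table_privilege follows role membership, so a GRANT ... TO PUBLIC
         -- counts for anon as well (a raw scan of relacl would miss that case)
         array_remove(ARRAY[
           CASE WHEN has_table_privilege('anon', c.oid, 'SELECT') THEN 'SELECT' END,
           CASE WHEN has_table_privilege('anon', c.oid, 'INSERT') THEN 'INSERT' END,
           CASE WHEN has_table_privilege('anon', c.oid, 'UPDATE') THEN 'UPDATE' END,
           CASE WHEN has_table_privilege('anon', c.oid, 'DELETE') THEN 'DELETE' END
         ], NULL) AS anon_privs
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'public'
    AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables only
)
SELECT schema_name, table_name, anon_privs,
       CASE WHEN NOT rls_enabled THEN 'CRITICAL'  -- check 1: no RLS, anon can read/write
            ELSE 'LOW'                             -- check 6: RLS on, direct grants remain
       END AS severity
FROM anon_access
WHERE cardinality(anon_privs) > 0
ORDER BY severity, table_name;

-- Fix for one CRITICAL row (YOUR_TABLE is a placeholder). One transaction, so a
-- failing statement leaves the existing grants exactly as they were.
BEGIN;
ALTER TABLE public.YOUR_TABLE ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON public.YOUR_TABLE FROM anon;
-- RLS with no policy denies authenticated users too; add the narrowest policy
-- the app actually needs. Owner-only reads, assuming a user_id column:
CREATE POLICY "owner can read" ON public.YOUR_TABLE
  FOR SELECT TO authenticated
  USING (user_id = (SELECT auth.uid()));
COMMIT;
```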

How it differs from the alternatives

| | This | SupaExplorer | AuditYourApp |
|---|---|---|---|
| Where your project ref goes | Your machine | Their SaaS | Their SaaS |
| Cost | Free, MIT | $6.75–$187 | $29/mo–$499 |
| Source code | Public | Closed | Closed |
| Generates fix SQL | Yes | Pro tier | Pro tier |
| Runs in CI | Trivially | API tier | API tier |

This has fewer features than the SaaS players. The trade-off is full control of the data and zero recurring cost.

Run in CI

```yaml
# .github/workflows/supabase-security.yml (step fragment; add to an existing job)
- run: |
    npx -y github:Perufitlife/supabase-security-skill \
      ${{ secrets.SUPABASE_PROJECT_REF }} \
      --html report.html
  env:
    # the script reads the PAT from this variable (see Install); the secret name is your choice
    SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
- uses: actions/upload-artifact@v4
  with: { name: supabase-security-report, path: report.html }
```

Limits — read these before trusting it

  • Doesn't audit per-object Storage RLS (would mean iterating every file).
  • Can't revoke supabase_admin default privileges via SQL — that needs the Dashboard toggle. The report tells you so.
  • App APIs that are intentionally exposed to anon (e.g. a get_public_stats() RPC) will appear as findings. You decide which are intentional.
  • Alpha. If you find a false positive or missed check, open an issue with the SQL output of the relevant pg_* query and I'll fix it.

Roadmap

  • Storage object-level scan
  • pg_cron scheduled-job audit
  • Edge Function secrets scan (env var leak detection)
  • Apify actor wrapper (one-click HTML report, no install)
  • MCP server with audit and apply-fix tools (preview + rollback)

License

MIT.
