Supabase RLS Security Scanner — Find anonymous data leaks

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns row counts + a curl reproducer per finding. Counts only, no row data exfiltrated. -- By Renzo Madueno, https://rotatepilot.com

Pricing: Pay per usage

Developer: Renzo Madueno (Maintained by Community)


Supabase RLS Security Scanner

22% of the Supabase projects I've scanned leak user data anonymously to anyone on the internet. This actor checks yours in 30 seconds: no service-role key, no SSH, no installs. Give it your URL and anon key and you get back the exact curl an attacker would use, plus the SQL to plug each hole.

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns table-level row counts and a verbatim curl command to reproduce each finding.

💸 Found a leak? I do turnkey audits + RLS policies + key rotation for $99 (Stripe — 48h, money-back if nothing actionable). Or $29/mo weekly auto-scans at rls-monitor.vercel.app.

⭐️ Like this scanner? Solo dev competing with bigger Apify publishers. A 30-second review on my profile is the only thing that moves ranking. Thank you.

Why this exists

The Supabase anon key is meant to be public: it ships in your frontend. Requests made with it run as the `anon` Postgres role, which Supabase grants access to the tables in the exposed `public` schema by default, so Row-Level Security policies are what keep your rows private. When RLS is forgotten on even one table, every row in it is readable by anyone with your URL and anon key. A table with RLS enabled but a permissive `using (true)` policy for `anon` is just as exposed, so review the policies as well as the RLS flag.

Across 100+ Supabase projects I've audited, 22% leaked user data anonymously because RLS was forgotten on at least one table. This actor lets you check yours in 30 seconds.

What you actually get

  1. A safe, count-only scan: each probe is a HEAD request with Prefer: count=exact and Range: 0-0, so the server reports the total in the Content-Range header and sends no row data; the scanner only confirms exposure. Two caveats: count=exact runs a full count(*), so it is slow on very large tables, and a count of 0 is ambiguous (the table may be empty, or RLS may be on and filtering every row).
  2. A copy-pasteable proof: the exact curl that reproduces each finding, i.e. the request an attacker would use to dump your data.
  3. A copy-pasteable fix: the SQL ALTER TABLE ... ENABLE ROW LEVEL SECURITY plus a policy starter per leaky table. Enabling RLS with no policy blocks reads for every role except the table owner, your own authenticated users included, so add the policy before you ship the change.
  4. A beautiful HTML report saved to your run's KV store, ready to share with your team.
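How such a count-only probe works, as an added Python example; this is my illustration, not the actor's code or the npm CLI. It assumes only the public PostgREST conventions Supabase exposes under /rest/v1: the anon key goes in the apikey header, a HEAD request with Prefer: count=exact and Range: 0-0 answers with a Content-Range header such as 0-0/1843 (or */0 for an empty result) and no body, PostgREST answers 206 rather than 200 when the one-row window is narrower than the table, 401/403 means the role has no privilege on the relation, and 404 means the table is not exposed. The function names (parse_content_range, classify, probe_table) and the default table list in the main block are this example's own. It also records the ambiguous case from item 1: a 2xx with a count of 0 proves nothing either way.

```python
"""Count-only probe of Supabase REST tables with the anon key (added example)."""
import re
import sys
import urllib.error
import urllib.request

# Total after the slash in a PostgREST Content-Range header:
# "0-0/1843" (one row shown of 1843), "*/0" (empty result), "0-0/*" (no count requested).
CONTENT_RANGE_RE = re.compile(r"^(?:\*|\d+-\d+)/(\d+|\*)$")

# PostgREST answers 206 Partial Content when the requested window is narrower
# than the result set, which with Range: 0-0 is every table holding 2+ rows.
READABLE_STATUSES = (200, 206)


def parse_content_range(value):
    """Return the total row count, or None when the header is missing or has no total."""
    if value is None:
        return None
    m = CONTENT_RANGE_RE.match(value.strip())
    if not m or m.group(1) == "*":
        return None
    return int(m.group(1))


def build_probe(base_url, anon_key, table):
    """HEAD /rest/v1/<table>?select=* with a one-row window: the server computes
    the exact count for Content-Range but ships no row body."""
    url = f"{base_url.rstrip('/')}/rest/v1/{table}?select=*"
    headers = {
        "apikey": anon_key,                      # gateway key check
        "Authorization": f"Bearer {anon_key}",   # no user JWT -> runs as the anon role
        "Prefer": "count=exact",
        "Range": "0-0",
    }
    return urllib.request.Request(url, headers=headers, method="HEAD")


def verdict(name, readable, count):
    return {"verdict": name, "readable": readable, "count": count}


def classify(status, content_range):
    """Map one response to a verdict. A 2xx with count 0 is deliberately NOT a
    finding: the table may be empty, or RLS may be on and filtering every row."""
    count = parse_content_range(content_range)
    if status in READABLE_STATUSES:
        if count is None:
            return verdict("readable-count-unknown", True, None)
        if count > 0:
            return verdict("anon-readable", True, count)
        return verdict("empty-or-filtered", False, 0)
    if status in (401, 403):        # 42501 permission denied: anon lacks SELECT
        return verdict("permission-denied", False, None)
    if status == 404:               # not in the exposed schema, or no such table
        return verdict("not-exposed", False, None)
    return verdict(f"unexpected-{status}", False, None)


def probe_table(base_url, anon_key, table, timeout=10):
    """Send one probe and classify it (network call; the offline checks cover classify)."""
    req = build_probe(base_url, anon_key, table)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, content_range = resp.status, resp.headers.get("Content-Range")
    except urllib.error.HTTPError as err:
        status, content_range = err.code, err.headers.get("Content-Range")
    result = classify(status, content_range)
    result["table"] = table
    result["reproducer"] = (
        f"curl -I '{req.full_url}' -H 'apikey: <anon-key>' "
        "-H 'Prefer: count=exact' -H 'Range: 0-0'"
    )
    return result


if __name__ == "__main__":
    # usage: python probe.py https://<ref>.supabase.co <anon-key> [table ...]
    base, key = sys.argv[1], sys.argv[2]
    for name in sys.argv[3:] or ["profiles", "users", "orders"]:   # assumed defaults
        r = probe_table(base, key, name)
        print(f"{name:24s} {r['verdict']:24s} count={r['count']}")
```

If every table comes back permission-denied, suspect a wrong or rotated key rather than good policies, and confirm against one table you know is readable before trusting the clean result.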

Input

{
  "supabaseUrl": "https://your-project.supabase.co",
  "anonKey": "eyJ...your-anon-public-key...",
  "tableHints": ["optional", "extra", "tables", "to", "probe"],
  "outputFormat": "both"
}
  • supabaseUrl — your project URL from Supabase Dashboard → Project Settings → API.
  • anonKey — your anon/public key (NOT service_role). This is the same key you ship in your frontend, and the scan must use it: the point is to see exactly what an unauthenticated visitor sees.
  • tableHints — beyond the ~40 common tables (users, profiles, orders, etc.) probed by default, list any schema-specific tables you want checked. The scan works from a name list, so a table that is in neither the default list nor your hints is not probed; add every table in your exposed schema.
  • outputFormat — json for programmatic use, html-report for human-readable HTML in the KV store, or both (default).

Output

{
  "projectRef": "abcdefgh",
  "url": "https://abcdefgh.supabase.co",
  "scannedAt": "2026-05-12T15:00:00Z",
  "tablesProbed": 47,
  "findings": [
    {
      "table": "profiles",
      "readable": true,
      "count": 1843,
      "severity": "critical",
      "columns": ["id", "email", "full_name", "..."],
      "sensitiveColumns": ["email"],
      "reproducer": "curl 'https://.../rest/v1/profiles?select=*' -H 'apikey: <anon-key>' -H 'Prefer: count=exact' -H 'Range: 0-0' -I"
    }
  ],
  "summary": {
    "total_anon_readable": 3,
    "critical_count": 2,
    "high_count": 1,
    "medium_count": 0,
    "total_exposed_records": 2074
  },
  "next_steps": ["Rotate the anon key...", "For each finding ALTER TABLE...", "Re-run this scan..."],
  "paid_fix_offer": {
    "price_usd": 99,
    "stripe_link": "https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01"
  }
}

Plus a beautiful HTML report saved to the run's key-value store as report.html. One note on the next steps: rotating the anon key does not by itself close a finding. The replacement key is just as public as the old one, and a table without RLS stays readable with it; rotation only cuts off copies of the old key already in circulation. The ALTER TABLE plus a policy is the actual fix, and a re-run should then show the table as no longer readable.
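Turning the findings array above into the fix described under "What you actually get", as an added Python example; this is not the actor's code. It assumes tables live in the public schema and that a column named user_id, owner_id or id (checked in that order) holds the owning user's auth.uid(); identifiers are double-quoted because table names arrive from scan output and should not be pasted raw into SQL. The policy-name pattern <table>_owner_select, the AUDIT_SQL query over pg_tables used to verify nothing is left with RLS off, and the SAMPLE_SCAN data are all this example's own, the sample being constructed in the actor's output shape rather than real scan data. Findings are emitted worst first, and a table with no recognisable owner column gets the lock-down only, with a TODO instead of a guessed policy.

```python
"""Remediation SQL from scanner findings (added example, not the actor's code)."""
import json
import sys

# Columns tried, in order, as the row owner for the starter policy (assumption).
OWNER_COLUMNS = ("user_id", "owner_id", "id")

# Lists every table in `public` that still has RLS off; run in the SQL editor
# after applying the fixes to verify nothing was missed.
AUDIT_SQL = (
    "select schemaname, tablename from pg_tables "
    "where schemaname = 'public' and not rowsecurity order by tablename;"
)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def quote_ident(name):
    """Double-quote a SQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def owner_column(columns):
    for col in OWNER_COLUMNS:
        if col in columns:
            return col
    return None


def remediation_sql(finding):
    """Lock-down plus a starter SELECT policy for one anon-readable table.

    Enabling RLS with no policy means every role except the table owner reads
    zero rows, authenticated app users included, hence the policy alongside it.
    """
    table = finding["table"]
    tq = quote_ident(table)
    stmts = [f"alter table public.{tq} enable row level security;"]
    col = owner_column(finding.get("columns", []))
    if col is None:
        stmts.append(
            f"-- TODO: no owner column recognised in {table}; RLS is now on with "
            "no policy, so write one before the app's own reads are expected to work."
        )
    else:
        stmts.append(f"-- starter policy: confirm {col} really is the owning auth.uid()")
        stmts.append(
            f"create policy {quote_ident(table + '_owner_select')} on public.{tq} "
            f"for select to authenticated using (auth.uid() = {quote_ident(col)});"
        )
    return "\n".join(stmts)


def remediation_script(scan):
    """One block per readable finding, critical first, then the audit query."""
    findings = sorted(
        (f for f in scan.get("findings", []) if f.get("readable")),
        key=lambda f: SEVERITY_ORDER.get(f.get("severity"), len(SEVERITY_ORDER)),
    )
    parts = [
        f"-- {f.get('severity', 'unknown')}: {f['table']} "
        f"({f.get('count', '?')} rows anon-readable)\n{remediation_sql(f)}"
        for f in findings
    ]
    parts.append("-- verify nothing is left with RLS off:\n" + AUDIT_SQL)
    return "\n\n".join(parts)


# Constructed sample in the actor's output shape; not real scan data.
SAMPLE_SCAN = {
    "findings": [
        {"table": "orders", "readable": True, "count": 231, "severity": "high",
         "columns": ["order_no", "total", "user_id"]},
        {"table": "profiles", "readable": True, "count": 1843, "severity": "critical",
         "columns": ["id", "email", "full_name"]},
        {"table": "audit_log", "readable": True, "count": 12, "severity": "medium",
         "columns": ["ts", "event"]},
    ]
}

if __name__ == "__main__":
    # usage: python fix.py [scan-output.json]   (defaults to the constructed sample)
    scan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SCAN
    print(remediation_script(scan))
```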

Ethical use

  • Only scan projects you own or have explicit permission to scan.
  • Counts only, never row data: each probe is a HEAD request with Prefer: count=exact + Range: 0-0, which confirms a leak exists without exfiltrating contents.
  • All findings remain private to the run owner unless explicitly shared.

Related tools

  • CLI (free, runs entirely on your machine): npx @perufitlife/supabase-security --discover --url <URL> --key <KEY>
  • Weekly auto-scan SaaS ($29/mo): rls-monitor.vercel.app
  • Turnkey paid fix ($99 one-time): stripe
  • Sister scanners: Firebase, PocketBase, Appwrite, Nhost (search @perufitlife on npm).

Built and maintained by Renzo Madueño, founder of Rotate Pilot, aviation exam-prep software. Open source: supabase-security-skill · GitHub.

If this actor saves you from a data leak, please leave a review. That's the engine that keeps this thing free + improving.