Supabase RLS Security Scanner — Find anonymous data leaks

Pricing

Pay per usage

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns row counts + a curl reproducer per finding. Counts only, no row data exfiltrated.

Developer

Renzo Madueno

Maintained by Community

Supabase RLS Security Scanner

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key (the #1 cause of Supabase data leaks). Returns table-level row counts and a verbatim curl command to reproduce each finding.

Why this exists

The Supabase anon key is meant to be public — it ships in your frontend. The only thing keeping your tables private is Row-Level Security policies. When RLS is forgotten on even one table, the data is publicly readable to anyone with your URL + anon key.

Across 100+ Supabase projects I've audited, 22% leak user data anonymously because RLS was forgotten on at least one table. This actor lets you check yours in 30 seconds.

Input

{
  "supabaseUrl": "https://your-project.supabase.co",
  "anonKey": "eyJ...your-anon-public-key...",
  "tableHints": ["optional", "extra", "tables", "to", "probe"],
  "outputFormat": "both"
}
  • supabaseUrl — your project URL from Supabase Dashboard → Project Settings → API.
  • anonKey — your anon/public key (NOT service_role). This is the same key you put in your frontend.
  • tableHints — the scanner probes ~40 common table names (users, profiles, orders, etc.) by default; list any schema-specific tables you also want checked.
  • outputFormat — json for programmatic use, html-report for a human-readable HTML report in the KV store, both (default).

Output

{
  "projectRef": "abcdefgh",
  "url": "https://abcdefgh.supabase.co",
  "scannedAt": "2026-05-12T15:00:00Z",
  "tablesProbed": 47,
  "findings": [
    {
      "table": "profiles",
      "readable": true,
      "count": 1843,
      "severity": "critical",
      "columns": ["id", "email", "full_name", "..."],
      "sensitiveColumns": ["email"],
      "reproducer": "curl 'https://.../rest/v1/profiles?select=*' -H 'apikey: <anon-key>' -H 'Prefer: count=exact' -H 'Range: 0-0' -I"
    }
  ],
  "summary": {
    "total_anon_readable": 3,
    "critical_count": 2,
    "high_count": 1,
    "medium_count": 0,
    "total_exposed_records": 2074
  },
  "next_steps": ["Rotate the anon key...", "For each finding ALTER TABLE...", "Re-run this scan..."],
  "paid_fix_offer": {
    "price_usd": 99,
    "stripe_link": "https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01"
  }
}

Plus a beautiful HTML report saved to the run's key-value store as report.html.
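The probe behind the reproducer and count fields above, and the count-only check described under Ethical use, as an added example in JavaScript (Node 18+ for the global fetch). This is not the actor's code: buildProbeRequest, parseContentRange, classifyProbe, severityFor and probeTable are names chosen here, the HTTP-status mapping and severity rule are my assumptions about how such a scanner interprets PostgREST responses, and the sample responses are constructed. It also shows the one edge case worth knowing: a 200 with a zero total does not prove the table is protected, because RLS enabled with no permissive policy answers the same way as an empty table.

```javascript
// Added example, not the actor's own code. It mirrors the probe that the
// reproducer in the output schema shows: a HEAD request with the anon key,
// `Prefer: count=exact` and `Range: 0-0`, so PostgREST returns only a
// Content-Range header with the row total and no row bodies.
// Needs Node 18+ for the global fetch used by probeTable.

// Build the request exactly as the curl reproducer does (apikey header only).
function buildProbeRequest(supabaseUrl, anonKey, table) {
  const base = supabaseUrl.replace(/\/+$/, '');
  return {
    url: `${base}/rest/v1/${encodeURIComponent(table)}?select=*`,
    method: 'HEAD',
    headers: { apikey: anonKey, Prefer: 'count=exact', Range: '0-0' },
  };
}

// Parse PostgREST's Content-Range value. Forms seen in practice:
//   "0-0/1843"  one row served, exact total 1843
//   "*/0"       empty result, total 0
//   "0-0/*"     total unknown (count=exact was not honoured)
function parseContentRange(value) {
  if (typeof value !== 'string') return null;
  const m = /^(?:(\d+)-(\d+)|\*)\/(\d+|\*)$/.exec(value.trim());
  if (!m) return null;
  return {
    first: m[1] === undefined ? null : Number(m[1]),
    last: m[2] === undefined ? null : Number(m[2]),
    total: m[3] === '*' ? null : Number(m[3]),
  };
}

// Case-insensitive header lookup for both fetch Headers objects and plain objects.
function getHeader(headers, name) {
  if (!headers) return undefined;
  if (typeof headers.get === 'function') return headers.get(name) ?? undefined;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Map one probe response to a finding. The status mapping is an assumption
// about PostgREST behaviour, not something the actor documents:
//   2xx     anon role can SELECT; the total comes from Content-Range
//   401/403 denied (grants or RLS hold)
//   404     table not exposed through the API
function classifyProbe(table, response) {
  const { status } = response;
  const finding = { table, status, readable: false, count: null, note: '' };
  if (status >= 200 && status < 300) {
    finding.readable = true;
    const range = parseContentRange(getHeader(response.headers, 'content-range'));
    finding.count = range ? range.total : null;
    // Caveat: a 200 with total 0 is ambiguous. RLS enabled with no permissive
    // policy for anon also answers 200 and "*/0", so a zero count is not
    // proof that the table is protected; check pg_policies directly.
    if (finding.count === 0) finding.note = 'readable but empty: verify RLS/policies directly';
  } else if (status === 401 || status === 403) {
    finding.note = 'denied: anon role cannot read this table';
  } else if (status === 404) {
    finding.note = 'table not exposed';
  } else {
    finding.note = `unexpected status ${status}`;
  }
  return finding;
}

// Severity rule (assumed, not the actor's): exposed rows with personal-data
// columns are critical, exposed rows without them are high, an empty but
// readable table is medium.
function severityFor(finding, sensitiveColumns) {
  if (!finding.readable) return 'none';
  if (finding.count === 0) return 'medium';
  return sensitiveColumns.length > 0 ? 'critical' : 'high';
}

// Live probe against a project you own; sends the same request the curl
// reproducer does. Not called by the offline demo below.
async function probeTable(supabaseUrl, anonKey, table, fetchImpl = globalThis.fetch) {
  const req = buildProbeRequest(supabaseUrl, anonKey, table);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  return classifyProbe(table, res);
}

// Constructed sample responses, not captured from any real project.
const sampleResponses = {
  profiles: { status: 200, headers: { 'Content-Range': '0-0/1843' } },
  audit_log: { status: 200, headers: { 'Content-Range': '*/0' } },
  secrets: { status: 401, headers: {} },
  not_a_table: { status: 404, headers: {} },
};

function demo() {
  return Object.entries(sampleResponses).map(([table, res]) => {
    const finding = classifyProbe(table, res);
    // Column names are taken as input here; the sensitive list is constructed.
    const sensitive = table === 'profiles' ? ['email'] : [];
    return { ...finding, severity: severityFor(finding, sensitive) };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The offline demo reproduces the shape of the findings array above from constructed responses; for a real check of your own project, call probeTable with the URL and anon key from the Input section and treat any finding with readable true and a count above zero as a table that needs RLS enabled and a policy, which is what the next_steps entries point at.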

Ethical use

  • Only scan projects you own or have explicit permission to scan.
  • Counts only, never row data: the scanner uses Prefer: count=exact + Range: 0-0 to confirm a leak exists without exfiltrating contents.
  • All findings remain private to the run owner unless explicitly shared.

Related tools

  • CLI (free, runs entirely on your machine): npx @perufitlife/supabase-security --discover --url <URL> --key <KEY>
  • Weekly auto-scan SaaS ($29/mo): rls-monitor.vercel.app
  • Turnkey paid fix ($99 one-time): stripe
  • Sister scanners: Firebase, PocketBase, Appwrite, Nhost (search @perufitlife on npm).

Built by Renzo. Open source: supabase-security-skill.

If this actor saves you from a data leak, please leave a review. That's the engine that keeps this thing free + improving.