# Supabase RLS Security Scanner — Find anonymous data leaks (`renzomacar/supabase-rls-scanner`) Actor

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns row counts + a curl reproducer per finding. Counts only, no row data exfiltrated.

- **URL**: https://apify.com/renzomacar/supabase-rls-scanner.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor itself is free to use; you only pay for the Apify platform usage it consumes, which gets cheaper the higher your subscription plan.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Supabase RLS Security Scanner

Probes a public Supabase project for **Row-Level-Security misconfigurations**. Detects tables readable by the anon key (the #1 cause of Supabase data leaks). Returns table-level row counts and a verbatim curl command to reproduce each finding.

### Why this exists

The Supabase anon key is **meant to be public** — it ships in your frontend. The only thing keeping your tables private is Row-Level Security policies. When RLS is forgotten on even one table, the data is publicly readable to anyone with your URL + anon key.

Across 100+ Supabase projects I've audited, **22% leak user data anonymously** because RLS was forgotten on at least one table. This actor lets you check yours in 30 seconds.

### Input

```json
{
  "supabaseUrl": "https://your-project.supabase.co",
  "anonKey": "eyJ...your-anon-public-key...",
  "tableHints": ["optional", "extra", "tables", "to", "probe"],
  "outputFormat": "both"
}
```

- **supabaseUrl** — your project URL from Supabase Dashboard → Project Settings → API.
- **anonKey** — your **anon/public** key (NOT `service_role`). This is the same key you put in your frontend.
- **tableHints** — beyond ~40 common tables (users, profiles, orders, etc.) probed by default, list any schema-specific tables you'd like checked.
- **outputFormat** — `json` for programmatic use, `html-report` for human-readable HTML in KV store, `both` (default).

### Output

```json
{
  "projectRef": "abcdefgh",
  "url": "https://abcdefgh.supabase.co",
  "scannedAt": "2026-05-12T15:00:00Z",
  "tablesProbed": 47,
  "findings": [
    {
      "table": "profiles",
      "readable": true,
      "count": 1843,
      "severity": "critical",
      "columns": ["id", "email", "full_name", "..."],
      "sensitiveColumns": ["email"],
      "reproducer": "curl 'https://.../rest/v1/profiles?select=*' -H 'apikey: <anon-key>' -H 'Prefer: count=exact' -H 'Range: 0-0' -I"
    }
  ],
  "summary": {
    "total_anon_readable": 3,
    "critical_count": 2,
    "high_count": 1,
    "medium_count": 0,
    "total_exposed_records": 2074
  },
  "next_steps": ["Rotate the anon key...", "For each finding ALTER TABLE...", "Re-run this scan..."],
  "paid_fix_offer": {
    "price_usd": 99,
    "stripe_link": "https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01"
  }
}
```

Plus a beautiful HTML report saved to the run's key-value store as `report.html`.

### Ethical use

- **Only scan projects you own** or have explicit permission to scan.
- Counts only, never row data: the scanner uses `Prefer: count=exact` + `Range: 0-0` to confirm a leak exists without exfiltrating contents.
- All findings remain private to the run owner unless explicitly shared.
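The count-only probe described above, worked through as an added example against your own project (this is not the Actor's code): it builds the same request as the curl reproducer (`apikey` header, `Prefer: count=exact`, `Range: 0-0`, HEAD), reads the row count out of the PostgREST `Content-Range` header, and turns the response into a finding shaped like the scanner's output. The sample URL and key are constructed placeholders, and the severity rule, the sensitive-column pattern and the identifier check are assumptions of this example, not the Actor's own. It also covers the "ALTER TABLE" step from `next_steps`, generating the statement that closes a finding.

```python
import re
import urllib.error
import urllib.request

# Constructed placeholders; replace with your own project's URL and anon key.
EXAMPLE_URL = "https://abcdefgh.supabase.co"
EXAMPLE_ANON_KEY = "eyJ...your-anon-public-key..."

# Assumed heuristic for columns worth treating as sensitive (not the Actor's list).
SENSITIVE_COLUMN_RE = re.compile(
    r"email|phone|address|ssn|passport|token|password|secret|birth|dob", re.I
)
# Only plain unquoted Postgres identifiers are interpolated into URLs or SQL.
SAFE_IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def build_probe(supabase_url, table, anon_key):
    """Return (method, url, headers) for a count-only probe of one table.

    'Prefer: count=exact' makes PostgREST report the total in Content-Range,
    'Range: 0-0' limits the window to a single row, and HEAD carries no body,
    so the check confirms readability without transferring row data.
    """
    if not SAFE_IDENT_RE.match(table):
        raise ValueError(f"refusing to probe suspicious table name: {table!r}")
    url = f"{supabase_url.rstrip('/')}/rest/v1/{table}?select=*"
    headers = {"apikey": anon_key, "Prefer": "count=exact", "Range": "0-0"}
    return "HEAD", url, headers


def reproducer(method, url, headers):
    """Render the probe as the same kind of curl command the scanner emits."""
    flags = " ".join(f"-H '{k}: {v}'" for k, v in headers.items())
    return f"curl '{url}' {flags}" + (" -I" if method == "HEAD" else "")


def parse_content_range(value):
    """Parse PostgREST 'Content-Range' ('0-0/1843', '*/0', '0-0/*') -> total or None."""
    if not value:
        return None
    m = re.fullmatch(r"(?:\d+-\d+|\*)/(\d+|\*)", value.strip())
    if not m or m.group(1) == "*":
        return None
    return int(m.group(1))


def classify(table, status, content_range, columns=()):
    """Interpret one probe response as a finding.

    A count-only probe cannot tell an empty table from a table where RLS is on
    and no policy matches anon: both answer 200 with count 0. That case is
    reported as 'empty_or_policy_filtered', not as safe.
    """
    count = parse_content_range(content_range)
    if status in (401, 403):
        verdict = "protected"  # no grant / access denied (401 may also mean a rejected key)
    elif status == 404:
        verdict = "absent"  # table not exposed through the REST API
    elif 200 <= status < 300 and count is not None:
        verdict = "anon_readable" if count > 0 else "empty_or_policy_filtered"
    else:
        verdict = "unknown"
    readable = verdict == "anon_readable"
    sensitive = [c for c in columns if SENSITIVE_COLUMN_RE.search(c)]
    # Assumed severity rule: readable with a sensitive column -> critical, else high.
    severity = ("critical" if sensitive else "high") if readable else None
    return {"table": table, "readable": readable, "verdict": verdict,
            "count": count, "sensitiveColumns": sensitive, "severity": severity}


def remediation_sql(table):
    """SQL that closes a finding: with RLS enabled and no policies, anon gets nothing."""
    if not SAFE_IDENT_RE.match(table):
        raise ValueError(f"unsafe identifier: {table!r}")
    return f"ALTER TABLE public.{table} ENABLE ROW LEVEL SECURITY;"


def probe(supabase_url, table, anon_key, timeout=10):
    """Send the probe to your own project (network call; not exercised offline)."""
    method, url, headers = build_probe(supabase_url, table, anon_key)
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(table, resp.status, resp.headers.get("Content-Range"))
    except urllib.error.HTTPError as err:
        return classify(table, err.code, err.headers.get("Content-Range"))


if __name__ == "__main__":
    # Offline walk-through on constructed responses; use probe() for a live check.
    print(reproducer(*build_probe(EXAMPLE_URL, "profiles", EXAMPLE_ANON_KEY)))
    for f in (classify("profiles", 200, "0-0/1843", ["id", "email", "full_name"]),
              classify("orders", 200, "*/0"),
              classify("secrets", 401, None)):
        print(f, "->", remediation_sql(f["table"]) if f["readable"] else "no change")
```

Two details matter when reading results: a `200` with count `0` is ambiguous (empty table or RLS silently filtering), so re-check those tables in the dashboard rather than marking them safe, and a `401` can mean the key itself was rejected rather than that the table is protected.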

### Related tools

- **CLI** (free, runs entirely on your machine): `npx @perufitlife/supabase-security --discover --url <URL> --key <KEY>`
- **Weekly auto-scan SaaS** ($29/mo): [rls-monitor.vercel.app](https://rls-monitor.vercel.app/)
- **Turnkey paid fix** ($99 one-time): [stripe](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01)
- **Sister scanners**: Firebase, PocketBase, Appwrite, Nhost (search `@perufitlife` on npm).

Built by [Renzo](https://github.com/Perufitlife). Open source: [supabase-security-skill](https://github.com/Perufitlife/supabase-security-skill).

If this actor saves you from a data leak, please leave a review. That's the engine that keeps this thing free + improving.

# Actor input Schema

## `supabaseUrl` (type: `string`):

Your project URL, looks like https://abc123xyz.supabase.co. Find it in Supabase Dashboard → Project Settings → API.

## `anonKey` (type: `string`):

Your anon/public key (NOT `service_role`). The anon key is meant to be exposed in your frontend — that's the whole point of this scan: anything readable with the anon key is readable by anyone on the internet. Find it in Supabase Dashboard → Project Settings → API → 'anon public'.

## `tableHints` (type: `array`):

Beyond the default list of ~40 common tables (users, profiles, accounts, posts, etc.), pass additional table names specific to your schema you'd like checked. Comma-separated. The scanner will probe each one for anonymous readability.

## `outputFormat` (type: `string`):

JSON for programmatic use; HTML for a human-readable report stored to KV under report.html.

## Actor input object example

```json
{
  "supabaseUrl": "https://YOUR-PROJECT.supabase.co",
  "tableHints": [],
  "outputFormat": "both"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "supabaseUrl": "https://YOUR-PROJECT.supabase.co",
    "anonKey": ""
};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/supabase-rls-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {
    "supabaseUrl": "https://YOUR-PROJECT.supabase.co",
    "anonKey": "",
}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/supabase-rls-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "supabaseUrl": "https://YOUR-PROJECT.supabase.co",
  "anonKey": ""
}' |
apify call renzomacar/supabase-rls-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/supabase-rls-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Supabase RLS Security Scanner — Find anonymous data leaks",
        "description": "Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns row counts + a curl reproducer per finding. Counts only, no row data exfiltrated.",
        "version": "0.1",
        "x-build-id": "644ehuXFaNwnuwEfZ"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~supabase-rls-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-supabase-rls-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~supabase-rls-scanner/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-supabase-rls-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~supabase-rls-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-supabase-rls-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "supabaseUrl",
                    "anonKey"
                ],
                "properties": {
                    "supabaseUrl": {
                        "title": "Supabase Project URL",
                        "pattern": "^https://[a-z0-9-]+\\.supabase\\.co/?$",
                        "type": "string",
                        "description": "Your project URL, looks like https://abc123xyz.supabase.co. Find it in Supabase Dashboard → Project Settings → API."
                    },
                    "anonKey": {
                        "title": "Anon Key (public-side key)",
                        "type": "string",
                        "description": "Your anon/public key (NOT service_role). The anon key is meant to be exposed in your frontend — that's the whole point of this scan: anything readable with the anon key is readable by anyone on the internet. Find it in Supabase Dashboard → Project Settings → API → 'anon public'."
                    },
                    "tableHints": {
                        "title": "Extra table names to probe (optional)",
                        "type": "array",
                        "description": "Beyond the default list of ~40 common tables (users, profiles, accounts, posts, etc.), pass additional table names specific to your schema you'd like checked. Comma-separated. The scanner will probe each one for anonymous readability.",
                        "default": [],
                        "items": {
                            "type": "string"
                        }
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "json",
                            "html-report",
                            "both"
                        ],
                        "type": "string",
                        "description": "JSON for programmatic use; HTML for a human-readable report stored to KV under report.html.",
                        "default": "both"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
