Supabase Security Auditor – Find RLS Leaks & Generate Fix SQL

Scan Supabase projects for RLS leaks, exposed SECURITY DEFINER functions, and grant misconfigurations. Generates HTML report with copy-paste fix SQL.

Developer: Renzo Madueno (Maintained by Community)

Supabase Security Auditor

Scan any Supabase project for security misconfigurations. Get a shareable HTML report with copy-paste fix SQL on every finding. No install. No SaaS account. Your token is used only for the run and never stored.

Why this exists

On May 30, 2026 Supabase changed its default for new projects: tables in public no longer auto-expose to the Data API. On October 30, 2026 that becomes the enforced default for all existing projects.

If you've been on Supabase for more than a few months, you almost certainly have:

  • Tables granted CRUD to anon by default (because that was the default).
  • One or two tables where RLS got missed.
  • SECURITY DEFINER functions that are technically callable by anon.

This actor surfaces all of that in one click. I built it after running it on my own production app and finding 17 publicly readable tables I had no idea about: b2b_leads, engagement_emails, internal growth metrics. Anyone with the anon key from the JS bundle could read or delete them.

What it checks

| # | Check | Severity |
|---|-------|----------|
| 1 | Table has RLS disabled and direct anon grants | CRITICAL |
| 2 | Table in supabase_realtime publication WITHOUT RLS (leak via WebSocket) | CRITICAL |
| 3 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| 4 | Anonymous sign-ins enabled | HIGH |
| 5 | Public storage bucket | HIGH |
| 6 | Default privileges still grant CRUD on future tables | MEDIUM |
| 7 | Auth signups enabled without email confirmation | MEDIUM |
| 8 | Weak password policy (password_min_length < 8) | MEDIUM |
| 9 | No CAPTCHA on auth endpoints | MEDIUM |
| 10 | SECURITY DEFINER function without SET search_path | MEDIUM |
| 11 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |

Output

  • HTML report — self-contained (~25KB Tailwind + Chart.js via CDN). Saved to the run's key-value store under key REPORT. URL: https://api.apify.com/v2/key-value-stores/{storeId}/records/REPORT. Open in any browser. Includes copy-paste fix SQL on every finding plus an "apply all" SQL bundle.
  • Dataset — every finding as a structured row (severity, title, target, fix_sql) for filtering/exporting in the Apify console.
  • SUMMARY KV record — quick numbers for monitoring (counts by severity, total tables/functions/buckets scanned).

Sample report

The HTML report header shows your project name, region, scan timestamp, a letter grade (A+ → F), and KPI tiles for each severity level. Below that: severity bar chart, every finding as an expandable card, and a single "apply all" SQL bundle at the bottom.

How to get a Personal Access Token

  1. Open https://supabase.com/dashboard/account/tokens
  2. Click "Generate new token"
  3. Read access is enough for the audit (the actor never writes to your project)

The token is passed as input, used only for this run's Management API queries, and never persisted by the actor.

Apply the fixes

The actor never modifies your project. To apply fixes:

  1. Open the HTML report
  2. Review each finding (some SECURITY DEFINER functions are intentionally exposed to anon — your decision)
  3. Click "Copy all SQL" at the bottom
  4. Paste into Supabase Dashboard → SQL Editor
  5. Run inside BEGIN; ... ROLLBACK; first to verify, then BEGIN; ... COMMIT;
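As an added example (hand-written here, not the actor's own code), the pg_catalog queries below reproduce checks 1, 2, 3 and 10 from the "What it checks" table, followed by fix SQL in the BEGIN; ... ROLLBACK; preview pattern from the steps above. It assumes Supabase's standard anon role and the supabase_realtime publication name; public.admin_report() is a hypothetical function name standing in for a flagged SECURITY DEFINER function, and public.b2b_leads is the table named in the author's own findings.

```sql
-- Detection queries: run in the Supabase SQL Editor (postgres role).
-- Assumes the standard Supabase "anon" role and "supabase_realtime" publication.

-- Check 1 (CRITICAL): tables in public with RLS off that anon can reach directly.
-- has_table_privilege() returns true if ANY listed privilege is held, and it
-- follows role membership and PUBLIC grants, not just grants naming anon.
SELECT n.nspname || '.' || c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')        -- ordinary and partitioned tables
  AND NOT c.relrowsecurity           -- RLS disabled
  AND has_table_privilege('anon', c.oid, 'SELECT, INSERT, UPDATE, DELETE');

-- Check 2 (CRITICAL): tables published over realtime without RLS (WebSocket leak).
SELECT pt.schemaname || '.' || pt.tablename AS table_name
FROM pg_publication_tables pt
JOIN pg_namespace n ON n.nspname = pt.schemaname
JOIN pg_class c ON c.relnamespace = n.oid AND c.relname = pt.tablename
WHERE pt.pubname = 'supabase_realtime'
  AND NOT c.relrowsecurity;

-- Check 3 (HIGH) + check 10 (MEDIUM): non-trigger SECURITY DEFINER functions anon
-- can execute, and whether each one pins search_path. EXECUTE is granted to PUBLIC
-- by default, so anon normally inherits it without any grant naming anon.
SELECT n.nspname || '.' || p.proname AS function_name,
       (p.proconfig IS NULL OR NOT EXISTS (
          SELECT 1 FROM unnest(p.proconfig) cfg WHERE cfg LIKE 'search_path=%'
        )) AS missing_search_path
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef                                  -- SECURITY DEFINER
  AND p.prorettype <> 'trigger'::regtype           -- skip trigger functions
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- Fix SQL, previewed inside a transaction first (step 5 above).
-- public.b2b_leads: table from the author's findings. public.admin_report(): hypothetical.
BEGIN;
ALTER TABLE public.b2b_leads ENABLE ROW LEVEL SECURITY;            -- default-deny until policies exist
REVOKE ALL ON TABLE public.b2b_leads FROM anon;                    -- checks 1 and 11
ALTER PUBLICATION supabase_realtime DROP TABLE public.b2b_leads;   -- check 2
REVOKE EXECUTE ON FUNCTION public.admin_report() FROM PUBLIC, anon; -- check 3 (PUBLIC too!)
ALTER FUNCTION public.admin_report() SET search_path = '';          -- check 10
ROLLBACK;   -- re-run the detection queries before this line, then switch to COMMIT
```

Revoking EXECUTE from anon alone is not enough for check 3: as long as PUBLIC still holds EXECUTE, anon keeps it through PUBLIC, which is why the fix revokes from both.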

For a full agent loop (audit + preview + apply + re-audit) inside Claude Code / Cursor / Cline, see the sibling MCP server: https://github.com/Perufitlife/supabase-security-mcp

Pricing

Pay per run. The audit completes in 10–60 seconds depending on project size.

Source

Open source MIT — https://github.com/Perufitlife/supabase-security-skill

Limits

  • Doesn't audit per-object Storage RLS yet (would mean iterating every file)
  • Cannot revoke supabase_admin default privileges via SQL — that needs the Dashboard toggle. The report tells you so.
  • App APIs intentionally exposed to anon (e.g. get_public_stats() RPC) appear as findings. You decide which are intentional.
  • Alpha. PRs and issues welcome on GitHub.