Supabase Security Audit - Find RLS Leaks Free
Audit any Supabase project for missing RLS, public tables, dangerous SECURITY DEFINER functions, public storage buckets, and over-permissive policies. Active anon probe confirms live leaks. HTML report with paste-ready fix SQL. Read-only token, never persisted. Free.
Developer: Renzo Madueno
Supabase Security Auditor
If RLS is missing on even one table in your public schema, anyone with your anon key (sitting in your JS bundle) can read every row in that table right now. This actor finds those leaks in 30 seconds and tells you exactly which tables to fix.
I scanned my own production project last week and found 17 publicly readable tables I had no idea about — `b2b_leads`, `engagement_emails`, internal growth metrics. Anyone with the anon key from the JS bundle could read or delete them.
Free in-browser scanner (no install, no token): https://perufitlife.github.io/supabase-security-skill/scan.html
Scan any Supabase project for security misconfigurations. Get a shareable HTML report with copy-paste fix SQL on every finding. No install. No SaaS account. Your token is used only for the run and never stored.
Why this exists
On May 30, 2026 Supabase changed its default for new projects: tables in public no longer auto-expose to the Data API. On October 30, 2026 that becomes the enforced default for all existing projects.
If you've been on Supabase for more than a few months, you almost certainly have:
- Tables granted CRUD to `anon` by default (because that was the default).
- One or two tables where RLS got missed.
- `SECURITY DEFINER` functions that are technically callable by `anon`.
This actor surfaces all of that in one click. I built it after running it on my own production app and finding 17 publicly readable tables I had no idea about — b2b_leads, engagement_emails, internal growth metrics. Anyone with the anon key from the JS bundle could read or delete them.
What it checks
| # | Check | Severity |
|---|---|---|
| 1 | Table has RLS disabled and direct anon grants | CRITICAL |
| 2 | Table in supabase_realtime publication WITHOUT RLS (leak via WebSocket) | CRITICAL |
| 3 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| 4 | Anonymous sign-ins enabled | HIGH |
| 5 | Public storage bucket | HIGH |
| 6 | Default privileges still grant CRUD on future tables | MEDIUM |
| 7 | Auth signups enabled without email confirmation | MEDIUM |
| 8 | Weak password policy (password_min_length < 8) | MEDIUM |
| 9 | No CAPTCHA on auth endpoints | MEDIUM |
| 10 | SECURITY DEFINER function without SET search_path | MEDIUM |
| 11 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |
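The catalog queries below are an added example, not the actor's own code: they show how checks 1, 2, 3 and 10 from the table can be expressed directly against the Postgres system catalogs. They assume the Supabase role name `anon` and the publication name `supabase_realtime` as named above, and they are read-only, so they can be pasted into the SQL Editor as-is.

```sql
-- Check 1: public-schema tables with RLS disabled that anon holds direct grants on.
-- Without RLS, every grant listed here is a full-table read/write path via the anon key.
SELECT t.schemaname, t.tablename,
       string_agg(g.privilege_type, ', ' ORDER BY g.privilege_type) AS anon_privileges
FROM pg_tables t
JOIN information_schema.role_table_grants g
  ON g.table_schema = t.schemaname AND g.table_name = t.tablename
WHERE t.schemaname = 'public'
  AND NOT t.rowsecurity
  AND g.grantee = 'anon'
GROUP BY t.schemaname, t.tablename
ORDER BY t.tablename;

-- Check 2: tables in the supabase_realtime publication without RLS.
-- pg_publication_tables expands FOR ALL TABLES publications, so nothing is missed.
SELECT pt.schemaname, pt.tablename
FROM pg_publication_tables pt
JOIN pg_tables t
  ON t.schemaname = pt.schemaname AND t.tablename = pt.tablename
WHERE pt.pubname = 'supabase_realtime'
  AND NOT t.rowsecurity
ORDER BY pt.tablename;

-- Checks 3 and 10: SECURITY DEFINER functions in public (trigger functions excluded),
-- whether anon can execute them, and whether search_path is pinned via SET.
-- proconfig is NULL when no SET clauses exist; unnest(NULL) yields no rows, so EXISTS is false.
SELECT p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       has_function_privilege('anon', p.oid, 'EXECUTE') AS anon_can_execute,
       EXISTS (SELECT 1 FROM unnest(p.proconfig) c WHERE c LIKE 'search_path=%') AS search_path_set
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND p.prorettype <> 'trigger'::regtype
ORDER BY p.proname;
```

Rows from the first two queries are CRITICAL findings in the table above; a row from the third with `anon_can_execute = true` is check 3, and one with `search_path_set = false` is check 10.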
Output
- HTML report — self-contained (~25KB Tailwind + Chart.js via CDN). Saved to the run's key-value store under key `REPORT`. URL: `https://api.apify.com/v2/key-value-stores/{storeId}/records/REPORT`. Open in any browser. Includes copy-paste fix SQL on every finding plus an "apply all" SQL bundle.
- Dataset — every finding as a structured row (severity, title, target, fix_sql) for filtering/exporting in the Apify console.
- SUMMARY KV record — quick numbers for monitoring (counts by severity, total tables/functions/buckets scanned).
Sample report
The HTML report header shows your project name, region, scan timestamp, a letter grade (A+ → F), and KPI tiles for each severity level. Below that: severity bar chart, every finding as an expandable card, and a single "apply all" SQL bundle at the bottom.
How to get a Personal Access Token
- Open https://supabase.com/dashboard/account/tokens
- Click "Generate new token"
- Read access is enough for the audit (the actor never writes to your project)
The token is passed as input, used only for this run's Management API queries, and never persisted by the actor.
Apply the fixes
The actor never modifies your project. To apply fixes:
- Open the HTML report
- Review each finding (some `SECURITY DEFINER` functions are intentionally exposed to `anon` — your decision)
- Click "Copy all SQL" at the bottom
- Paste into Supabase Dashboard → SQL Editor
- Run inside `BEGIN; ... ROLLBACK;` first to verify, then `BEGIN; ... COMMIT;`
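An added example of the verify-then-apply step above, written for this page rather than taken from the actor's generated bundle: fixes for checks 1, 3, 10 and 11 applied to the `b2b_leads` table named earlier and to a hypothetical function `internal_rollup()`, wrapped so that nothing is committed until the verification selects report what you expect.

```sql
BEGIN;

-- Checks 1 / 11: turn on RLS and drop the direct anon grants (defense in depth even once RLS is on).
ALTER TABLE public.b2b_leads ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON TABLE public.b2b_leads FROM anon;

-- Check 3: functions are EXECUTE-able by PUBLIC by default, so revoking from anon alone
-- changes nothing; revoke from both. internal_rollup() is a hypothetical function name.
REVOKE EXECUTE ON FUNCTION public.internal_rollup() FROM anon, PUBLIC;

-- Check 10: pin search_path so the SECURITY DEFINER body cannot resolve names
-- through a caller-controlled schema. Fully qualify object names inside the function.
ALTER FUNCTION public.internal_rollup() SET search_path = '';

-- Verify before committing. Expected: relrowsecurity = true, both *_can_* columns = false.
SELECT relname, relrowsecurity FROM pg_class WHERE oid = 'public.b2b_leads'::regclass;
SELECT has_table_privilege('anon', 'public.b2b_leads', 'SELECT') AS anon_can_select;
SELECT has_function_privilege('anon', 'public.internal_rollup()', 'EXECUTE') AS anon_can_execute;

ROLLBACK; -- change to COMMIT once the three selects above look right
```

Default privileges owned by `supabase_admin` (check 6) are not covered here because, as the Limits section notes, they cannot be revoked from SQL and need the Dashboard toggle.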
For a full agent loop (audit + preview + apply + re-audit) inside Claude Code / Cursor / Cline, see the sibling MCP server: https://github.com/Perufitlife/supabase-security-mcp
Want a written report + Q&A support?
Free actor → you find leaks. $29 lite tier (top 5 critical fixes + written summary) or $99 full audit (every table/policy/bucket + 30-day Q&A + paste-ready SQL bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.
Pricing
Pay per run. The audit completes in 10–60 seconds depending on project size.
Source
Open source MIT — https://github.com/Perufitlife/supabase-security-skill
Limits
- Doesn't audit per-object Storage RLS yet (would mean iterating every file)
- Cannot revoke `supabase_admin` default privileges via SQL — that needs the Dashboard toggle. The report tells you so.
- App APIs intentionally exposed to anon (e.g. `get_public_stats()` RPC) appear as findings. You decide which are intentional.
- Alpha. PRs and issues welcome on GitHub.