Vulnerability Scanning
Local-only audit and hardening tool for Supabase projects. It checks RLS and anon-key exposure and generates fix SQL, without sending your access token anywhere.
Features
- Detects tables with RLS disabled that grant CRUD to the `anon` role (critical)
- Finds SECURITY DEFINER functions callable by `anon` (high severity)
- Scans public storage buckets and other misconfigurations
- Produces an HTML report with copy‑paste fix SQL for all findings
- Runs locally or as a GitHub Action, never sending credentials to SaaS
Recent releases
Full changelog
Added 5 new checks:
- realtime_publication_no_rls (CRITICAL)
- anonymous_signins_enabled (HIGH)
- weak_password_policy (MEDIUM)
- no_captcha_on_auth (MEDIUM)
- function_no_search_path (MEDIUM)
Total checks: 11. Same single-file install, no deps.
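To see what checks like these boil down to at the catalog level, the block below shows detection queries and matching fix statements for four of the findings listed above: tables with RLS disabled that `anon` can reach, SECURITY DEFINER functions `anon` can execute, `function_no_search_path`, and `realtime_publication_no_rls`. This is an added example for readers of this page, not the project's own code. It assumes the default Supabase layout (API-exposed schema `public`, API roles `anon`, `authenticated` and `service_role`, the `supabase_realtime` publication, the `auth.uid()` helper); the table `public.orders`, its `user_id` column and the function `public.admin_reset(uuid)` are constructed for illustration. Run it in the SQL editor as a role that can read `pg_catalog`.

```sql
-- Added example, not the project's own queries. Assumptions: exposed schema is
-- "public", API roles are anon/authenticated/service_role, the realtime
-- publication is "supabase_realtime". Object names in the fixes are constructed.

-- Check 1: tables in the exposed schema with RLS off that anon can touch.
-- has_table_privilege() resolves grants inherited via PUBLIC, so a table
-- granted to PUBLIC rather than to anon is still reported.
select *
from (
  select n.nspname as schema_name,
         c.relname as table_name,
         concat_ws(', ',
           case when has_table_privilege('anon', c.oid, 'SELECT') then 'SELECT' end,
           case when has_table_privilege('anon', c.oid, 'INSERT') then 'INSERT' end,
           case when has_table_privilege('anon', c.oid, 'UPDATE') then 'UPDATE' end,
           case when has_table_privilege('anon', c.oid, 'DELETE') then 'DELETE' end
         ) as anon_privileges
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
  where n.nspname = 'public'
    and c.relkind in ('r', 'p')   -- ordinary and partitioned tables
    and not c.relrowsecurity      -- RLS disabled
) t
where anon_privileges <> ''
order by 1, 2;

-- Check 2: SECURITY DEFINER functions anon may execute. These run with the
-- owner's privileges (usually postgres), so RLS on the tables they touch
-- does not apply to the caller.
select n.nspname as schema_name,
       p.proname || '(' || pg_get_function_identity_arguments(p.oid) || ')' as function_signature,
       pg_get_userbyid(p.proowner) as runs_as
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and p.prokind = 'f'
  and p.prosecdef
  and has_function_privilege('anon', p.oid, 'EXECUTE')
order by 1, 2;

-- Check 3: functions with no pinned search_path (proconfig holds "name=value"
-- entries from ALTER FUNCTION ... SET). Without it, unqualified names inside
-- the function resolve against the caller's search_path.
select n.nspname as schema_name,
       p.proname || '(' || pg_get_function_identity_arguments(p.oid) || ')' as function_signature
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and p.prokind = 'f'
  and not exists (
    select 1 from unnest(p.proconfig) cfg where cfg like 'search_path=%'
  )
order by 1, 2;

-- Check 4: tables published over realtime while RLS is off, so every change
-- is broadcast to any subscriber holding the anon key.
select pt.schemaname, pt.tablename
from pg_publication_tables pt
join pg_namespace n on n.nspname = pt.schemaname
join pg_class c on c.relnamespace = n.oid and c.relname = pt.tablename
where pt.pubname = 'supabase_realtime'
  and not c.relrowsecurity
order by 1, 2;

-- Fix for a check 1 / check 4 finding (constructed table). RLS with no
-- policies denies everything to anon and authenticated; the owner still
-- bypasses it. Add policies deliberately, scoped to the role that needs them.
alter table public.orders enable row level security;
create policy "users read their own orders"
  on public.orders for select to authenticated
  using ((select auth.uid()) = user_id);

-- Fix for a check 2 / check 3 finding (constructed function). EXECUTE is
-- granted to PUBLIC by default, so revoking from anon alone changes nothing:
-- revoke from PUBLIC as well, then re-grant only where needed. An empty
-- search_path forces every reference in the body to be schema-qualified.
revoke execute on function public.admin_reset(uuid) from public, anon;
grant execute on function public.admin_reset(uuid) to service_role;
alter function public.admin_reset(uuid) set search_path = '';
```

After applying a fix, re-run the corresponding check: the table or function should no longer appear. Enabling RLS on a table that the front end reads as `anon` will make those reads return zero rows until a policy is added, so fix and policy should ship together.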
- Detects RLS leaks, SECURITY DEFINER functions, public buckets, default privileges issues, and unsafe auth configurations
- Generates HTML report with copy‑paste fix SQL
Full changelog
First release. Detects RLS leaks, exposed SECURITY DEFINER functions, public buckets, default privileges issues, and unsafe auth config. Outputs HTML report with copy-paste fix SQL.
Found 17 leaky tables on my own production app while testing — see README for the case study.
Install:
```shell
git clone https://github.com/Perufitlife/supabase-security-skill
cd supabase-security-skill
SUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js <project-ref> --html report.html
```