Audit and harden any Supabase project. Local-only, no SaaS, your token never leaves your machine. v0.3 ships with active anon-key probe — confirms each leak live, not just inferred.
▶ Run it without installing anything → apify.com/renzomacar/supabase-security-auditor (paste project ref + PAT, get HTML report)
⚡ Want me to run it for you? Tiers from $5 single-fix bundle → $99 full report → $249 multi-tenant audit — perufitlife.github.io/supabase-security-skill (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)
🪞 Sister tool: aitells detects + rewrites AI fingerprints in your text. Free detector at the URL, free first rewrite at /rewrite (paste your own writing samples, get the AI text matched to your voice). Built after my own Reddit account got 2 "all AI generated" callouts in one day.
🤖 Use it in GitHub Actions — drop this into `.github/workflows/security.yml`:

```yaml
- uses: Perufitlife/supabase-security-skill@v1.0.0-action
  with:
    project-ref: ${{ vars.SUPABASE_PROJECT_REF }}
    token: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
    fail-on: critical
```

🔁 Want this running on a cron? RLS Monitor does weekly diff-based scans + email alerts when new findings appear — $29/mo, your keys never leave your CI.
📦 Need all 5 BaaS stacks at once? The BaaS Security Pack bundles every scanner + sample reports + fix-SQL libraries — one $99 download.
```console
$ supabase-security <project-ref> --html report.html
HTML report written to report.html
Findings: 0 critical, 5 high, 2 medium
```
Sister tools for other BaaS platforms (same `--discover` flag, all MIT): pocketbase-security · appwrite-security · firebase-security · nhost-security
Want it done for you? Three productized services:
- RLS Audit Friday — $99 / 24h — I run the audit on your project + send a PDF report by Friday EOD
- Vibe-code Security Review — $199 / 48h — full security review of AI-generated code (Cursor / Claude / v0 / Bolt)
- Sandbox-as-a-Service — $499 / 48h — custom partner integration sandbox for your API
On May 30, 2026 Supabase changes its default for new projects: tables in the `public` schema no longer auto-expose to the Data API. On October 30, 2026 that becomes the enforced default for all existing projects.
If you've been on Supabase for more than a few months, you almost certainly have:
- Tables granted CRUD to `anon` by default (because that was the default).
- One or two tables where RLS got missed.
- `SECURITY DEFINER` functions that are technically callable by `anon`.
This tool surfaces all of that in a single HTML report you can share with your team, plus copy-paste SQL to fix each issue.
I ran this against my own apps. Two projects, similar size:
| Project | Tables | Critical | High | Medium |
|---|---|---|---|---|
| Internal CRM (auth-only) | 55 | 0 | 11 | 2 |
| Public web app | 139 | 17 before fix | 5 | 2 |
The public app had 17 tables with RLS disabled and full CRUD to anon. They were leaking to anyone who pulled the anon key out of the JS bundle. Fixed in one SQL transaction generated by this tool.
No install needed — clone and run:

```bash
git clone https://github.com/Perufitlife/supabase-security-skill
cd supabase-security-skill
SUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js YOUR_PROJECT_REF --html report.html
```

Or as an Agent Skill for Claude Code, Cursor, Cline:

```bash
# (when published to skills marketplace)
npx skills add Perufitlife/supabase-security-skill
```

Then say: "audit my Supabase project ref xxx".
Get a Supabase personal access token (PAT) at https://supabase.com/dashboard/account/tokens → "Generate new token". Read access is sufficient.
| # | Check | Severity |
|---|---|---|
| 1 | Table has RLS disabled and anon grants | CRITICAL |
| 2 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| 3 | Public storage bucket | HIGH |
| 4 | Default privileges still grant CRUD to anon (future-table risk) | MEDIUM |
| 5 | Auth signups enabled without email confirmation | MEDIUM |
| 6 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |
Every finding ships with copy-paste fix SQL. The HTML report has a "Copy all SQL" button to apply everything in one go.
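Added example, not the project's own `audit.js` queries: catalog SQL you can paste into the SQL editor to reproduce checks 1, 2 and 4 yourself, plus the fix pattern for a check-1 hit on a hypothetical table `public.profiles` (the table name is an assumption; substitute your own). The `anon` role name and `pg_*` catalogs are standard Postgres/Supabase.

```sql
-- Check 1: public-schema tables with RLS disabled that anon can still touch.
SELECT n.nspname || '.' || c.relname AS table_name,
       has_table_privilege('anon', c.oid, 'SELECT') AS anon_select,
       has_table_privilege('anon', c.oid, 'INSERT') AS anon_insert,
       has_table_privilege('anon', c.oid, 'UPDATE') AS anon_update,
       has_table_privilege('anon', c.oid, 'DELETE') AS anon_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND NOT c.relrowsecurity             -- RLS is off: every row is visible
  AND (has_table_privilege('anon', c.oid, 'SELECT')
    OR has_table_privilege('anon', c.oid, 'INSERT')
    OR has_table_privilege('anon', c.oid, 'UPDATE')
    OR has_table_privilege('anon', c.oid, 'DELETE'))
ORDER BY table_name;

-- Check 2: SECURITY DEFINER functions (non-trigger) that anon may execute.
SELECT n.nspname || '.' || p.proname || '(' ||
       pg_get_function_identity_arguments(p.oid) || ')' AS function_signature
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef                           -- SECURITY DEFINER
  AND p.prorettype <> 'trigger'::regtype    -- trigger functions are not RPCs
  AND has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER BY function_signature;

-- Check 4: default privileges that will hand anon CRUD on future tables.
-- defacl_owner shows which role set them; supabase_admin-owned entries
-- cannot be revoked from SQL and need the Dashboard toggle.
SELECT r.rolname AS defacl_owner,
       COALESCE(n.nspname, '<all schemas>') AS schema_scope,
       a.privilege_type
FROM pg_default_acl d
JOIN pg_roles r ON r.oid = d.defaclrole
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) a
WHERE d.defaclobjtype = 'r'               -- 'r' = tables
  AND a.grantee = (SELECT oid FROM pg_roles WHERE rolname = 'anon')
  AND (n.nspname = 'public' OR d.defaclnamespace = 0)
ORDER BY defacl_owner, schema_scope, privilege_type;

-- Fix for a check-1 hit on hypothetical public.profiles: enable RLS and drop
-- the direct anon grants in one transaction; add your policies afterwards.
BEGIN;
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON TABLE public.profiles FROM anon;
COMMIT;
```

Run the three SELECTs before and after applying the report's SQL; an empty result for each is the pass condition.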
| | This | SupaExplorer | AuditYourApp |
|---|---|---|---|
| Where your project ref goes | Your machine | Their SaaS | Their SaaS |
| Cost | Free, MIT | $6.75–$187 | $29/mo–$499 |
| Source code | Public | Closed | Closed |
| Generates fix SQL | Yes | Pro tier | Pro tier |
| Runs in CI | Trivially | API tier | API tier |
This is fewer features than the SaaS players. The trade-off is full control of the data and zero recurring cost.
```yaml
# .github/workflows/supabase-security.yml
- run: |
    npx -y github:Perufitlife/supabase-security-skill \
      ${{ secrets.SUPABASE_PROJECT_REF }} \
      --html report.html
  env:
    # audit.js reads the PAT from this variable (same as the quick start)
    SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
- uses: actions/upload-artifact@v4
  with: { name: supabase-security-report, path: report.html }
```

- Doesn't audit per-object Storage RLS (would mean iterating every file).
- Can't revoke `supabase_admin` default privileges via SQL — that needs the Dashboard toggle. The report tells you so.
- App APIs that are intentionally exposed to anon (e.g. a `get_public_stats()` RPC) will appear as findings. You decide which are intentional.
- Alpha. If you find a false positive or missed check, open an issue with the SQL output of the relevant `pg_*` query and I'll fix it.
Planned:

- Storage object-level scan
- `pg_cron` scheduled-job audit
- Edge Function secrets scan (env var leak detection)
- Apify actor wrapper (one-click HTML report, no install)
- MCP server with `audit` and `apply-fix` tools (preview + rollback)
See rotatepilot-skyx-sandbox for a live demo of how a partner consumes one of our public REST APIs in a single static page — built 12-may-2026 in response to an aviation-platform partnership inbound. Same JSON-contract / CORS / edge-served approach we use for supabase-security integrations.
If your team writes outreach, PR descriptions, or social posts with AI, the aitells ecosystem catches the fingerprints before they ship:
- `@perufitlife/aitells-mcp` — MCP server for Claude Code / Cursor. `detect_ai_tells` + `humanize_text` as native tools.
- `Perufitlife/aitells-action` — GitHub Action that scans PR titles/bodies/commits for AI patterns. Posts a friendly summary comment.
- aitells.vercel.app — free detector + $19 lifetime humanizer (first 100 buyers)
MIT.