Releases: Perufitlife/supabase-security-skill

GitHub Action v1.0.0

11 May 19:37

Composite GitHub Action that runs npx supabase-security@latest with project-ref + token inputs. Posts findings to optional webhook (RLS Monitor integration). Uploads HTML report as workflow artifact.

Quickstart:

- uses: Perufitlife/supabase-security-skill@v1.0.0-action
  with:
    project-ref: ${{ vars.SUPABASE_PROJECT_REF }}
    token: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
    fail-on: critical

v0.2.0 — +5 checks

09 May 04:18

Added 5 new checks:

  • realtime_publication_no_rls (CRITICAL)
  • anonymous_signins_enabled (HIGH)
  • weak_password_policy (MEDIUM)
  • no_captcha_on_auth (MEDIUM)
  • function_no_search_path (MEDIUM)

Total checks: 11. Same single-file install, no deps.

v0.1.0 — Initial release

09 May 04:04

First release. Detects RLS leaks, exposed SECURITY DEFINER functions, public buckets, default-privileges issues, and unsafe auth config. Outputs an HTML report with copy-paste fix SQL.

Found 17 leaky tables on my own production app while testing — see README for the case study.
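The checks named in this release and in v0.2.0 each boil down to a Postgres catalog query. The SQL below is an added example, not the project's audit.js, for confirming a finding by hand from psql against a Supabase database: standard pg_catalog views for RLS, SECURITY DEFINER exposure, Realtime publication membership and search_path; the storage.buckets table, the supabase_realtime publication and the anon/authenticated roles are Supabase conventions assumed here. Object names in the fix statements are placeholders.

```sql
-- Added example (not the tool's own code). Supabase-specific names
-- (storage.buckets, supabase_realtime, roles anon/authenticated) are assumed.

-- 1. RLS leaks: tables in the API-exposed schema with row level security off.
SELECT n.nspname AS schema, c.relname AS "table"
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity;

-- 2. Exposed SECURITY DEFINER functions: definer functions that the API
--    roles may execute, so they run with the owner's privileges on request.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_get_function_identity_arguments(p.oid) AS args
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname = 'public'
  AND (has_function_privilege('anon', p.oid, 'EXECUTE')
       OR has_function_privilege('authenticated', p.oid, 'EXECUTE'));

-- 3. Public buckets (Supabase storage schema, assumed column "public").
SELECT id, name
FROM storage.buckets
WHERE public;

-- 4. realtime_publication_no_rls: tables published over Realtime whose rows
--    are not protected by RLS, so every change streams to any subscriber.
SELECT pt.schemaname, pt.tablename
FROM pg_publication_tables pt
JOIN pg_namespace n ON n.nspname = pt.schemaname
JOIN pg_class c ON c.relnamespace = n.oid AND c.relname = pt.tablename
WHERE pt.pubname = 'supabase_realtime'
  AND NOT c.relrowsecurity;

-- 5. function_no_search_path: SECURITY DEFINER functions with no pinned
--    search_path; proconfig is NULL or lacks a search_path entry.
SELECT n.nspname AS schema, p.proname AS function
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname = 'public'
  AND NOT EXISTS (
    SELECT 1
    FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS cfg
    WHERE cfg LIKE 'search_path=%'
  );

-- Remediation for the findings above (placeholder object names).
ALTER TABLE public.some_table ENABLE ROW LEVEL SECURITY;
ALTER FUNCTION public.some_function() SET search_path = '';
REVOKE EXECUTE ON FUNCTION public.some_function() FROM anon, authenticated;
```

Run the SELECTs as the postgres role; each row returned corresponds to one finding the report would list. The REVOKE is only appropriate for definer functions that were never meant to be callable through the API, which is a judgement the query cannot make for you.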

Install:

git clone https://github.com/Perufitlife/supabase-security-skill
SUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js <project-ref> --html report.html