A free, open-source CLI tool for comprehensive Supabase security auditing
```bash
npm install supasec
npx supasec scan https://myapp.com
```
## Features

- Secret Detection - Find exposed API keys, service role keys, and credentials with JWT permission level analysis
- RLS Analysis - Detect missing or misconfigured Row Level Security policies
- RLS Fuzzing - Actually test data access to confirm RLS effectiveness
- RPC Scanner - Detect dangerous RPC functions and SQL injection risks
- Storage Scanner - Check bucket ACLs, file type restrictions, and exposed sensitive files
- Auth Config - Validate MFA, password policies, email verification, and JWT settings
- Git History - Scan commits for secrets and .env files
- Snapshots - Track security posture changes over time with diff capabilities
- Security Grading - Get an A-F grade with actionable recommendations
- Auto-Fix - Interactive wizard to automatically fix vulnerabilities
- CI/CD Ready - Integrate with GitHub Actions, GitLab CI, and more
- Free & Open Source - No paywalls, no subscriptions
## Installation

### Run without installing (npx)

```bash
npx supasec scan
```

### Global install

```bash
npm install -g supasec
supasec scan
```
## Usage

### Basic commands

```bash
# Scan a website
supasec scan https://myapp.com

# Scan with authentication
supasec scan https://myapp.com --project-url https://abc.supabase.co --service-key xxx

# Deep scan with RLS fuzzing
supasec scan https://myapp.com --deep --project-url https://abc.supabase.co --anon-key xxx

# Scan local project
supasec scan --local

# Create security snapshot
supasec snapshot create --name pre-deploy-v1.0.6

# Compare snapshots
supasec snapshot diff pre-deploy-v1.0.6 post-deploy-v1.0.6
```

### Output formats

```bash
# Terminal output (default)
supasec scan https://myapp.com

# JSON output
supasec scan https://myapp.com --format json

# HTML report
supasec scan https://myapp.com --format html --output report.html
```

### CI/CD mode

```bash
# Fail on critical or high severity issues
supasec scan https://myapp.com --fail-on critical,high

# Quiet mode for CI
supasec scan https://myapp.com --format json --quiet --output audit.json
```
## Auto-Fix (Coming Soon)

Fix vulnerabilities interactively:

```bash
supasec fix --interactive
```

Or apply fixes automatically:

```bash
supasec fix --auto --backup
```
> Note: The fix command is planned for a future release.
## Security Checks
SupaSec performs comprehensive security checks across multiple categories:
### Secret Detection

- Service role key exposure with JWT permission analysis
- Anon key validation and permission levels
- Third-party API keys (Stripe, OpenAI, AWS, etc.)
- JWT token exposure and decoding
- Private keys in bundles
- Git history scanning for committed secrets
### RLS Analysis

- Tables without RLS enabled
- Missing RLS policies
- Bypass policies (USING (true))
- Missing user isolation
- Public role access
- RLS Fuzzing - Actually test data access
- Row count estimation for exposed data
### Auth Configuration

- Password policy strength
- MFA configuration and enforcement
- Email verification requirements
- JWT expiry settings
- Refresh token rotation
- Session timeout configuration
- Secure email change

### Storage

- Public bucket exposure
- File type restrictions
- File size limits
- Dangerous MIME type detection
- Exposed sensitive files (.env, keys)

### RPC Functions

- Dangerous function name patterns
- SECURITY DEFINER checks
- SQL injection risk detection

### Git History

- Committed .env files
- Secrets in commit messages
- Private keys in history
- Stashed secrets

### Snapshots

- Create security snapshots
- Compare snapshots over time
- Track security posture changes
- Grade change tracking

### Other

- CORS configuration
- GraphQL introspection
## Example Output

```text
SupaSec - Supabase Security Audit v1.0.6
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Target: https://myapp.com
Started: 2026-01-28T14:23:15.000Z

Detected Supabase project
Found 12 tables, 8 RPCs, 3 storage buckets

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SCAN SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL: 1 issues
HIGH:     2 issues
MEDIUM:   1 issues

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL (1 issues)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┌─ RLS-001: Table 'users' has RLS disabled
│ The table 'users' does not have Row Level Security enabled.
│
│ Location: public.users
│ Impact: Complete exposure of 1847 records
│
│ Fix: Enable Row Level Security on table 'users'
│ SQL:
│   ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;
│   CREATE POLICY "Users can only access own data"
│     ON public.users FOR SELECT
│     USING (auth.uid() = id);
│

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SECURITY GRADE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Grade D - 45/100
Below average - serious issues found.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
QUICK ACTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Fix critical issues now:
  $ supasec fix --interactive

View detailed report:
  $ supasec report --format html --output report.html
```
## CI/CD Integration

### GitHub Actions

```yaml
name: Security Audit
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run SupaSec Security Scan
        run: |
          npx supasec scan https://staging.myapp.com \
            --format json \
            --fail-on critical,high \
            --output audit.json
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: audit.json
```

### GitLab CI

```yaml
security_scan:
  stage: security
  image: node:18
  script:
    - npx supasec scan $STAGING_URL
        --format json
        --output audit.json
        --fail-on critical,high
  artifacts:
    paths:
      - audit.json
```
## Documentation

- Full Documentation
- Configuration Guide
- CI/CD Integration
- API Reference

## Contributing
We welcome contributions! Please see our Contributing Guide for details.
### Development setup

```bash
# Clone the repository
git clone https://github.com/yourusername/supasec.git
cd supasec

# Install dependencies
npm install

# Build the project
npm run build

# Run in development mode
npm run dev

# Run tests
npm test
```