This open-source security auditor for Supabase helps identify vulnerabilities such as RLS-disabled tables and public buckets. With an active anon-key probe, each leak is confirmed, providing comprehensive insights through a detailed HTML report, ensuring your project's security remains intact.
Supabase Security Auditor
The Supabase Security Auditor is an open-source tool designed to thoroughly audit and enhance the security of Supabase projects. This project empowers users to identify critical security vulnerabilities such as RLS-disabled tables, public storage buckets, and exposed SECURITY DEFINER functions. Utilizing an active anonymous key probe, the auditor confirms every leak dynamically, ensuring thorough and reliable results.
Key Features
- Local Execution: Operate entirely on your machine; your credentials and data never leave your local environment.
- Live Leak Confirmation: The tool features an active anon-key probe that validates each leak in real time.
- Detailed Reporting: Generates comprehensive HTML reports that detail vulnerabilities across your Supabase project, including suggested SQL fixes for each issue identified.
Audit Findings
The auditor provides a breakdown of findings, categorized by severity, to equip teams with actionable insights:
| Check | Severity |
|---|---|
| Table has RLS disabled and anon grants | CRITICAL |
| SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| Public storage bucket | HIGH |
| Default privileges still grant CRUD to anon (future-table risk) | MEDIUM |
| Auth signups enabled without email confirmation | MEDIUM |
| RLS-locked table still has direct anon grants (defense-in-depth) | LOW |
Every finding includes the SQL commands that resolve it, so fixes can be applied directly. The tool can also run automatically in CI/CD pipelines, so the audit becomes part of the development lifecycle.
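To show what the checks in the table above look like at the database level, here is an added SQL example (written for this page, not the auditor's own code or its generated output). The detection queries use PostgreSQL catalog functions that are available in any Supabase project; the fix statements use hypothetical object names (public.orders, public.admin_reset, the 'avatars' bucket) that stand in for whatever the report flags.

```sql
-- Added example: catalog queries mirroring the auditor's checks, followed by
-- the kind of fix SQL a finding would carry. Object names are hypothetical.

-- CRITICAL: tables in public with RLS disabled that anon can still touch.
-- has_table_privilege() with a comma-separated list returns true if ANY
-- listed privilege is held, so this catches read-only leaks as well as writes.
SELECT n.nspname  AS schema_name,
       c.relname  AS table_name,
       has_table_privilege('anon', c.oid, 'SELECT')                 AS anon_read,
       has_table_privilege('anon', c.oid, 'INSERT, UPDATE, DELETE') AS anon_write
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND  NOT c.relrowsecurity             -- RLS is disabled
  AND  has_table_privilege('anon', c.oid, 'SELECT, INSERT, UPDATE, DELETE');

-- HIGH: SECURITY DEFINER functions (excluding trigger functions) that anon
-- may execute; these run with the owner's rights, bypassing RLS.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       pg_get_function_identity_arguments(p.oid) AS args
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
  AND  p.prosecdef                                   -- SECURITY DEFINER
  AND  p.prorettype <> 'trigger'::regtype            -- non-trigger only
  AND  has_function_privilege('anon', p.oid, 'EXECUTE');

-- HIGH: storage buckets flagged public (objects readable without any key).
SELECT id, name
FROM   storage.buckets
WHERE  public;

-- Fix SQL in the style of the report, using hypothetical names.

-- CRITICAL finding on public.orders: turn RLS on and drop the direct grant.
-- With RLS enabled and no policies, anon gets zero rows instead of all rows.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON TABLE public.orders FROM anon;

-- MEDIUM finding (future-table risk): stop new tables created by the
-- postgres role in public from being granted to anon automatically.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public
  REVOKE ALL ON TABLES FROM anon;

-- HIGH finding on a SECURITY DEFINER function: revoke EXECUTE from anon and
-- from PUBLIC (functions are executable by PUBLIC by default, so revoking
-- from anon alone is not enough).
REVOKE EXECUTE ON FUNCTION public.admin_reset(uuid) FROM anon, PUBLIC;

-- HIGH finding on the 'avatars' bucket: make it private so reads go through
-- storage RLS policies again.
UPDATE storage.buckets SET public = false WHERE id = 'avatars';
```

Run the detection queries as a privileged role (for example from the SQL editor) and re-run them after applying the fixes; an empty result set for each is the expected state. The PUBLIC revoke on the function is the detail most often missed: PostgreSQL grants EXECUTE to PUBLIC on every new function, and anon inherits that grant even if it never received one directly.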
Comparison with Alternative Tools
| Feature | Supabase Security Auditor | SupaExplorer | AuditYourApp |
|---|---|---|---|
| Execution Location | Local Machine | SaaS | SaaS |
| Cost | Free | $6.75 – $187 | $29/month – $499 |
| Source Code | Open Source | Closed Source | Closed Source |
| Generates Fix SQL | Yes | Pro tier only | Pro tier only |
| CI Compatibility | Yes | Limited | Limited |
This tool stands out by offering complete control over your data without the ongoing costs associated with other SaaS solutions. It is ideal for developers who prioritize security and prefer a local solution.
Getting Started
To launch the auditor, no installation is required. Simply clone the repository and execute the provided script:
$ supabase-security <project-ref> --html report.html
This command generates an HTML report of your project's security status, highlighting the critical and high-severity issues that require immediate attention.
Future Development
The roadmap includes planned enhancements such as:
- Object-level storage scans
- Scheduled job audits
- Environment variable leak detection
- A user-friendly reporting interface
The Supabase Security Auditor is a valuable tool for ensuring that your Supabase projects are secure and compliant with best practices. By utilizing this tool, potential vulnerabilities can be identified and remediated efficiently.