A comprehensive security scanner for Supabase instances that automatically detects common vulnerabilities and misconfigurations. This tool helps developers and security researchers identify critical security gaps before they become data breaches.
Many Supabase developers don't realize that tables are publicly accessible by default unless Row Level Security (RLS) is properly configured. This scanner helps identify these critical security gaps that could lead to:
- Data breaches - Unauthorized access to sensitive information
- Privacy violations - Exposure of user data
- Compliance issues - GDPR, SOC2, HIPAA violations
- Reputation damage - Loss of user trust
```bash
# Clone the repository
git clone git@github.com:sahanxdissanayake/supabase-security-scanner-oss.git
cd supabase-security-scanner-oss

# or using HTTPS
git clone https://github.com/sahanxdissanayake/supabase-security-scanner-oss.git
cd supabase-security-scanner-oss

# Make executable
chmod +x supabase_security_scanner.sh

# Run scan
./supabase_security_scanner.sh <SUPABASE_URL> <ANON_KEY>
```

For example:

```bash
./supabase_security_scanner.sh https://your-project.supabase.co eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

Requirements:

- bash (>= 4)
- curl
- jq
Install jq on macOS: `brew install jq`
```bash
./supabase_security_scanner.sh --help
```

The script also supports environment variables:

```bash
export SUPABASE_URL="https://your-project.supabase.co"
export SUPABASE_ANON_KEY="eyJhbGciOiJIUzI1NiIs..."
./supabase_security_scanner.sh
```

The scanner checks for:

- Anonymous data exposure - Tables accessible without authentication
- RLS bypasses - Row Level Security misconfigurations
- CSV export vulnerabilities - Unauthorized data downloads
- JSON data exposure - Sensitive information in API responses
- Public function calls - Database functions accessible anonymously
- Parameter injection - SQL injection vulnerabilities
- Function permissions - Improper access controls
- Bucket access - File storage permissions
- Public file exposure - Unprotected file access
- Upload vulnerabilities - File upload security
- Overly permissive policies - Wildcard origins
- Missing security headers - CORS misconfigurations
- JWT token validation - Token security issues
- Session management - Authentication bypasses
- Non-destructive - Read-only operations only
- Rate limited - Respects API rate limits
- Detailed reporting - Clear vulnerability descriptions
- Remediation guidance - Step-by-step fixes
- Multiple formats - JSON, CSV, and human-readable output
- Safe scanning - No data modification or deletion
Sample output:

```text
[WARNING] VULNERABLE: public.users returned data (status: 200, size: 123 bytes)
[SUCCESS] SECURE: CSV export blocked for user_profiles (status: 401)
Summary: 3 high, 2 medium, 0 low
Report: ./supabase_security_scan_YYYYMMDD_HHMMSS/security_report.md
```
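The `public.users returned data` finding above is the case this README warns about in its opening paragraph: a table with RLS disabled is served in full to anyone holding the anon key. The SQL below is an added example, not part of the scanner, for auditing a project for such tables in the Supabase SQL editor and applying the fix; the table `public.users` and its `user_id` column are assumed names.

```sql
-- Added example (not from the scanner). Assumes a table public.users whose
-- owner is identified by a user_id column holding the auth user's UUID.

-- 1. Audit: list public-schema tables with RLS disabled. PostgREST serves
--    every row of these to the anon and authenticated roles, which is the
--    scanner's "anonymous data exposure" finding.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false;

-- 2. Fix: enable RLS. With RLS on and no policies, anon and authenticated
--    callers get zero rows instead of the whole table (deny by default).
alter table public.users enable row level security;

-- 3. Grant back only what is intended: each signed-in user may read and
--    update their own row. auth.uid() is Supabase's helper that returns the
--    subject of the caller's JWT; no policy is created for the anon role.
create policy "users_select_own" on public.users
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "users_update_own" on public.users
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

-- 4. Verify: list the policies now attached to the table and confirm none
--    of them names the anon role or uses a permissive `true` qualifier.
select policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and tablename = 'users';
```

After applying this, a rerun of the scanner should report the table as secure, since the anon key no longer matches any policy.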
Run this scanner only against projects you own or have explicit permission to assess.
- Missing jq: install via `brew install jq` (macOS) or your package manager
- 401/403 errors: verify `ANON_KEY` and that the `SUPABASE_URL` is correct
- Empty results: ensure the project exposes REST via PostgREST and tables exist
Contributions are welcome! Please open an issue or pull request.