{"id":51118726,"url":"https://github.com/Perufitlife/supabase-security-skill","last_synced_at":"2026-06-25T00:01:25.747Z","repository":{"id":356659151,"uuid":"1233529305","full_name":"Perufitlife/supabase-security-skill","owner":"Perufitlife","description":"Open-source Supabase security auditor: detects RLS-disabled tables, public buckets, exposed SECURITY DEFINER functions. Active anonymous probe confirms each leak with the anon key.","archived":false,"fork":false,"pushed_at":"2026-06-21T09:54:30.000Z","size":175,"stargazers_count":19,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-21T11:26:12.398Z","etag":null,"topics":["audit","auditor","cli","devsecops","leak","mit-license","nodejs","open-source","penetration-testing","postgres","rls","scanner","security","security-audit","supabase","typescript","vulnerability"],"latest_commit_sha":null,"homepage":"https://perufitlife.github.io/supabase-security-skill/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Perufitlife.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-09T04:02:18.000Z","updated_at":"2026-06-21T09:54:34.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Perufitlife/supabase-security-skill","commit_stats":null,"previous_names":["perufitlife/supabase-security-skill"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github
/Perufitlife/supabase-security-skill","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Fsupabase-security-skill","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Fsupabase-security-skill/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Fsupabase-security-skill/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Fsupabase-security-skill/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Perufitlife","download_url":"https://codeload.github.com/Perufitlife/supabase-security-skill/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Perufitlife%2Fsupabase-security-skill/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34753781,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","auditor","cli","devsecops","leak","mit-license","nodejs","open-source","penetration-testing","postgres","rls","scanner","security","security-audit","supabase","typescript","vulnerability"],"created_at":"2026-06-25T00:01:24.992Z","updated_at":"2026-06-25T00:01:25.741Z","avatar_url":"https://github.com/Perufitlife.png","la
nguage":"JavaScript","funding_links":[],"categories":["BaaS \u0026 Databases"],"sub_categories":[],"readme":"# supabase-security\n\n\u003e Audit and harden any Supabase project. Local-only, no SaaS, your token never leaves your machine. **v0.3 ships with active anon-key probe — confirms each leak live, not just inferred.**\n\n\u003e ▶ **Run it without installing anything →** [apify.com/renzomacar/supabase-security-auditor](https://apify.com/renzomacar/supabase-security-auditor) (paste project ref + PAT, get HTML report)\n\n\u003e ⚡ **Want me to run it for you?** Tiers from **$5 single-fix bundle → $99 full report → $249 multi-tenant audit** — [perufitlife.github.io/supabase-security-skill](https://perufitlife.github.io/supabase-security-skill/) (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)\n\n\u003e 🪞 **Sister tool**: [aitells](https://aitells.vercel.app/) detects + rewrites AI fingerprints in your text. Free detector at the URL, free first rewrite at [/rewrite](https://aitells.vercel.app/rewrite) (paste your own writing samples, get the AI text matched to your voice). 
Built after my own Reddit account got 2 \"all AI generated\" callouts in one day.\n\n\u003e 🤖 **Use it in GitHub Actions** — drop this into `.github/workflows/security.yml`:\n\u003e ```yaml\n\u003e - uses: Perufitlife/supabase-security-skill@v1.0.0-action\n\u003e   with:\n\u003e     project-ref: ${{ vars.SUPABASE_PROJECT_REF }}\n\u003e     token: ${{ secrets.SUPABASE_ACCESS_TOKEN }}\n\u003e     fail-on: critical\n\u003e ```\n\u003e\n\u003e 🔁 **Want this running on a cron?** [RLS Monitor](https://rls-monitor.vercel.app/) does weekly diff-based scans + email alerts when new findings appear — $29/mo, your keys never leave your CI.\n\u003e\n\u003e 📦 **Need all 5 BaaS stacks at once?** The [BaaS Security Pack](https://perufitlife.github.io/supabase-security-skill/pack.html) bundles every scanner + sample reports + fix-SQL libraries — one $99 download.\n\n```\n$ supabase-security \u003cproject-ref\u003e --html report.html\nHTML report written to report.html\nFindings: 0 critical, 5 high, 2 medium\n```\n\n[![npm](https://img.shields.io/npm/v/supabase-security?color=red)](https://www.npmjs.com/package/supabase-security) [![downloads](https://img.shields.io/npm/dw/supabase-security)](https://www.npmjs.com/package/supabase-security) [![GitHub stars](https://img.shields.io/github/stars/Perufitlife/supabase-security-skill?style=social)](https://github.com/Perufitlife/supabase-security-skill) [![Glama](https://img.shields.io/badge/Glama-approved-blueviolet)](https://glama.ai/mcp/servers/) ![license](https://img.shields.io/badge/license-MIT-green) ![node](https://img.shields.io/badge/node-%3E%3D18-blue)\n\n\u003e **Sister tools** for other BaaS platforms (same `--discover` flag, all MIT):\n\u003e [pocketbase-security](https://www.npmjs.com/package/pocketbase-security) · [appwrite-security](https://www.npmjs.com/package/appwrite-security) · [firebase-security](https://www.npmjs.com/package/firebase-security) · [nhost-security](https://www.npmjs.com/package/nhost-security) · 
[strapi-security](https://www.npmjs.com/package/strapi-security) · [directus-security](https://www.npmjs.com/package/directus-security) · [convex-security](https://www.npmjs.com/package/convex-security) · [hasura-security](https://www.npmjs.com/package/hasura-security) · [payload-security](https://www.npmjs.com/package/payload-security)\n\n\u003e **Want it done for you?** Three productized services:\n\u003e - [**RLS Audit Friday** — $99 / 24h](https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m) — I run the audit on your project + send a PDF report by Friday EOD\n\u003e - [**Vibe-code Security Review** — $199 / 48h](https://buy.stripe.com/bJe00jgik4EqdWV2iScAo0n) — full security review of AI-generated code (Cursor / Claude / v0 / Bolt)\n\u003e - [**Sandbox-as-a-Service** — $499 / 48h](https://buy.stripe.com/aFa7sLc243Amf0Z5v4cAo0l) — custom partner integration sandbox for your API\n\n## Why\n\nOn **May 30, 2026** Supabase changes its default for new projects: tables in `public` no longer auto-expose to the Data API. On **October 30, 2026** that becomes the enforced default for **all existing projects**.\n\nIf you've been on Supabase for more than a few months, you almost certainly have:\n- Tables granted CRUD to `anon` by default (because that was the default).\n- One or two tables where RLS got missed.\n- `SECURITY DEFINER` functions that are technically callable by `anon`.\n\nThis tool surfaces all of that in a single HTML report you can share with your team, plus copy-paste SQL to fix each issue.\n\n## What it finds (real example)\n\nI ran this against my own apps. Two projects, similar size:\n\n| Project | Tables | Critical | High | Medium |\n|---|---|---|---|---|\n| Internal CRM (auth-only) | 55 | 0 | 11 | 2 |\n| Public web app | 139 | **17** before fix | 5 | 2 |\n\nThe public app had **17 tables with RLS disabled** and full CRUD to anon. They were leaking to anyone who pulled the anon key out of the JS bundle. 
Fixed in one SQL transaction generated by this tool.\n\n## Install\n\nNo install needed — clone and run:\n\n```bash\ngit clone https://github.com/Perufitlife/supabase-security-skill\ncd supabase-security-skill\nSUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js YOUR_PROJECT_REF --html report.html\n```\n\nOr as an [Agent Skill](https://agentskills.io/) for Claude Code, Cursor, Cline:\n\n```bash\n# (when published to skills marketplace)\nnpx skills add Perufitlife/supabase-security-skill\n```\n\nThen say: \"audit my Supabase project ref `xxx`\".\n\n## Get a Personal Access Token\n\n`https://supabase.com/dashboard/account/tokens` → \"Generate new token\". Read access is sufficient.\n\n## Checks performed\n\n| # | Check | Severity |\n|---|---|---|\n| 1 | Table has RLS disabled and anon grants | **CRITICAL** |\n| 2 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |\n| 3 | Public storage bucket | HIGH |\n| 4 | Default privileges still grant CRUD to anon (future-table risk) | MEDIUM |\n| 5 | Auth signups enabled without email confirmation | MEDIUM |\n| 6 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |\n\nEvery finding ships with copy-paste fix SQL. The HTML report has a \"Copy all SQL\" button to apply everything in one go.\n\n## How it differs from the alternatives\n\n| | This | SupaExplorer | AuditYourApp |\n|---|---|---|---|\n| Where your project ref goes | Your machine | Their SaaS | Their SaaS |\n| Cost | Free, MIT | $6.75–$187 | $29/mo–$499 |\n| Source code | Public | Closed | Closed |\n| Generates fix SQL | Yes | Pro tier | Pro tier |\n| Runs in CI | Trivially | API tier | API tier |\n\nThis is fewer features than the SaaS players. 
The trade-off is full control of the data and zero recurring cost.\n\n## Run in CI\n\nThe CLI reads the Personal Access Token from `SUPABASE_ACCESS_TOKEN` (see Install above), so pass it as a step-level `env` from a repository secret; the project ref alone is not enough:\n\n```yaml\n# .github/workflows/supabase-security.yml\n- run: |\n    npx -y github:Perufitlife/supabase-security-skill \\\n      ${{ secrets.SUPABASE_PROJECT_REF }} \\\n      --html report.html\n  env:\n    SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}\n- uses: actions/upload-artifact@v4\n  with: { name: supabase-security-report, path: report.html }\n```\n\n## Limits — read these before trusting it\n\n- Doesn't audit per-object Storage RLS (would mean iterating every file).\n- Can't revoke `supabase_admin` default privileges via SQL — that needs the Dashboard toggle. The report tells you so.\n- App APIs that are intentionally exposed to anon (e.g. a `get_public_stats()` RPC) will appear as findings. **You decide which are intentional.**\n- Alpha. If you find a false positive or missed check, open an issue with the SQL output of the relevant `pg_*` query and I'll fix it.\n\n## Roadmap\n\n- [ ] Storage object-level scan\n- [ ] `pg_cron` scheduled-job audit\n- [ ] Edge Function secrets scan (env var leak detection)\n- [x] Apify actor wrapper (one-click HTML report, no install)\n- [ ] MCP server with `audit` and `apply-fix` tools (preview + rollback)\n\n## Integration pattern reference\n\nSee [`rotatepilot-skyx-sandbox`](https://github.com/Perufitlife/rotatepilot-skyx-sandbox) for a live demo of how a partner consumes one of our public REST APIs in a single static page — built 12-may-2026 in response to an aviation-platform partnership inbound. Same JSON-contract / CORS / edge-served approach we use for `supabase-security` integrations.\n\n## Sister AI text tools\n\nIf your team writes outreach, PR descriptions, or social posts with AI, the [aitells](https://aitells.vercel.app) ecosystem catches the fingerprints before they ship:\n\n- [`@perufitlife/aitells-mcp`](https://www.npmjs.com/package/@perufitlife/aitells-mcp) — MCP server for Claude Code / Cursor. 
`detect_ai_tells` + `humanize_text` as native tools.\n- [`Perufitlife/aitells-action`](https://github.com/Perufitlife/aitells-action) — GitHub Action that scans PR titles/bodies/commits for AI patterns. Posts friendly summary comment.\n- [aitells.vercel.app](https://aitells.vercel.app) — free detector + $19 lifetime humanizer (first 100 buyers)\n\n## License\n\nMIT.\n\n---\n\n📚 Part of [**Awesome Backend Security Auditors**](https://github.com/Perufitlife/awesome-backend-security) — the full collection of keyless active-probe auditors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPerufitlife%2Fsupabase-security-skill","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPerufitlife%2Fsupabase-security-skill","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPerufitlife%2Fsupabase-security-skill/lists"}
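The catalog queries behind the "Checks performed" table in the README above, written as an added example for this page rather than taken from the project's own audit code. It assumes Supabase's `anon` role, app tables in the `public` schema, and a session role that can read `pg_catalog` (the `postgres` role in the SQL editor can); it uses only stock Postgres catalog functions (`has_table_privilege`, `has_function_privilege`, `aclexplode`). The object names in the fix section (`public.orders`, `public.admin_report`) are placeholders to swap for the report's findings:

```sql
-- Added example for this page, not the project's own audit code.
-- Assumptions: Supabase's `anon` role exists, app tables live in the
-- `public` schema, and the session role can read pg_catalog. Object
-- names in the fix section (public.orders, public.admin_report) are
-- placeholders.

-- Checks 1 and 6: tables anon can touch directly. has_table_privilege()
-- folds in grants to PUBLIC and role membership, so it sees what the
-- anon key sees. RLS off + any anon grant is the CRITICAL case; RLS on
-- + a lingering direct grant is the defense-in-depth (LOW) case.
SELECT n.nspname || '.' || c.relname                              AS table_name,
       c.relrowsecurity                                            AS rls_enabled,
       CASE WHEN c.relrowsecurity THEN 'LOW' ELSE 'CRITICAL' END   AS severity,
       has_table_privilege('anon', c.oid, 'SELECT')                AS anon_select,
       has_table_privilege('anon', c.oid, 'INSERT')                AS anon_insert,
       has_table_privilege('anon', c.oid, 'UPDATE')                AS anon_update,
       has_table_privilege('anon', c.oid, 'DELETE')                AS anon_delete
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public'
  AND  c.relkind IN ('r', 'p')                 -- plain and partitioned tables
  AND  has_table_privilege('anon', c.oid, 'SELECT, INSERT, UPDATE, DELETE')
ORDER BY c.relrowsecurity, c.relname;          -- RLS-off (critical) rows first

-- Check 2: SECURITY DEFINER functions anon can execute. PostgREST exposes
-- functions in an exposed schema (public by default) as RPC endpoints, and
-- Postgres grants EXECUTE to PUBLIC by default, so these run with the
-- owner's privileges (RLS bypassed) for anyone holding the anon key.
-- Trigger functions are skipped: they cannot be called through the API.
SELECT n.nspname || '.' || p.proname
       || '(' || pg_get_function_identity_arguments(p.oid) || ')' AS function_signature,
       pg_get_userbyid(p.proowner)                                AS runs_as
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
  AND  p.prosecdef
  AND  p.prorettype <> 'trigger'::regtype
  AND  has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER BY 1;

-- Check 4: default privileges that will hand anon access to tables or
-- functions created in the future. Each row is one ALTER DEFAULT
-- PRIVILEGES still in force; object_type r = table, f = function,
-- S = sequence.
SELECT pg_get_userbyid(d.defaclrole)                               AS granting_role,
       COALESCE(n.nspname, '(any schema)')                          AS schema_name,
       d.defaclobjtype                                              AS object_type,
       string_agg(a.privilege_type, ', ' ORDER BY a.privilege_type) AS anon_privs
FROM   pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) a
WHERE  pg_get_userbyid(a.grantee) = 'anon'
GROUP BY 1, 2, 3
ORDER BY 1, 2, 3;

-- Fix templates. Review each object first and run inside one transaction
-- so a partial run does not leave a half-locked schema.
BEGIN;
-- Checks 1 / 6: lock the table and drop the direct grant. With RLS on and
-- no policies, anon and authenticated both get zero rows, so write the
-- policies the app needs before relying on this in a live deployment.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON TABLE public.orders FROM anon;

-- Check 2: revoke from PUBLIC as well, otherwise anon inherits it back.
REVOKE EXECUTE ON FUNCTION public.admin_report() FROM PUBLIC, anon;

-- Check 4: stop future objects created by `postgres` in `public` from
-- auto-granting to anon. Defaults owned by `supabase_admin` are outside
-- what this statement can reach, as the Limits section notes.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public
  REVOKE ALL ON TABLES FROM anon;
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public
  REVOKE EXECUTE ON FUNCTIONS FROM anon;
COMMIT;
```

The table query relies on `has_table_privilege` rather than `information_schema.role_table_grants` because the information_schema view only lists grants the current role made or holds, whereas the privilege functions evaluate access the same way Postgres does after PostgREST switches to the `anon` role. Enabling RLS with no policy is deny-all for `anon` and `authenticated` alike, which is the right state for a leaked table but will break any screen that legitimately reads it, so pair each `ALTER TABLE` with the policies the app actually needs.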