The fastest way to identify and fix security risks in your Supabase environment – before they reach production.
The Supabase RLS Scanner is an open-source Supabase security audit tool that detects the misconfigurations behind data exposure, privilege escalation, and unauthorized access in your Supabase database and API.
Supabase makes it easy to ship production apps quickly. As an open source Firebase alternative, it accelerates development – but default configurations can unintentionally expose data.
This scanner helps you identify authentication, storage, RLS, and API security risks before they become real-world vulnerabilities.
Developed based on real security audits and penetration tests, it delivers actionable findings with straightforward remediation guidance – no complex setup or infrastructure required.
This security tool is open source and developed for security engineers, developers, and DevOps professionals.
You can inspect the code, use it locally, and customize it for your use case.
Star the repository to support the project and stay updated with improvements.
The scanner performs targeted checks specifically for Supabase environments:
Detect overly permissive Supabase RLS (Row Level Security) policies that could allow unauthorized data access, such as tables reachable through the API with RLS disabled, or policies whose condition is simply true.
Identify storage buckets that are unintentionally public or exposed to unauthorized users.
Find weak or improperly configured authentication settings in your Supabase project.
Detect exposure or misuse of the service_role key, which bypasses RLS and therefore hands full database access to anyone who obtains it.
Identify API endpoints and configurations that may expose sensitive data or functionality.
Discover insecure or unintended access paths in your Supabase environment.
Each finding includes severity classification and step-by-step remediation guidance.
While working on cloud and application security projects, we noticed that the same issues in Supabase kept appearing in startups and scaling SaaS companies.
Some of these issues included:
These issues were typically found during audits and penetration tests.
We created this open-source project to help teams identify and remediate these issues early on.
During a security review of a multi-tenant SaaS platform using Supabase, we identified:
Identify Supabase security risks directly within your testing workflow.
Download the extension and load it into Burp Suite using the Extensions tab. The setup takes less than a minute and requires no infrastructure changes.
As Burp captures HTTP traffic, the extension automatically detects Supabase endpoints, configuration objects, and exposed JWTs, including high-risk service_role credentials.
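Added example of the passive check described above; this is not the extension's own code. Supabase API keys are HS256 JWTs whose payload carries iss "supabase", the project ref and a role claim, and the anon and service_role keys differ only in that role claim, so a scanner can tell them apart without the signing secret. The sample keys built here are constructed with a dummy signature and are not real project keys.

```python
import base64
import json
import re

# JWT-shaped strings; "eyJ" is the base64url encoding of '{"', the start of the JOSE header.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")

# Severity per role claim: service_role bypasses RLS, so a leaked one is a full-database key.
ROLE_SEVERITY = {"service_role": "critical", "anon": "low"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_supabase_key(role: str, ref: str = "abcdefghijklmnopqrst", iss: str = "supabase") -> str:
    """Constructed sample key: same claim layout as a Supabase API key, dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iss": iss, "ref": ref, "role": role, "iat": 1700000000, "exp": 2000000000}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def decode_jwt_payload(token: str):
    """Return the payload claims without verifying the signature (we classify, we never trust)."""
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):  # bad base64, bad JSON, or not three segments
        return None


def find_supabase_keys(text: str) -> list:
    """Scan arbitrary text (JS bundle, HTTP response, config blob) for Supabase-issued JWTs."""
    findings, seen = [], set()
    for token in JWT_RE.findall(text):
        if token in seen:
            continue
        seen.add(token)
        claims = decode_jwt_payload(token)
        if not isinstance(claims, dict) or claims.get("iss") != "supabase" or "role" not in claims:
            continue  # some other issuer's JWT, or not a JWT at all
        role = claims["role"]
        findings.append({
            "token": token,
            "project_ref": claims.get("ref"),
            "role": role,
            # "authenticated" is a user session: normal in that user's traffic, sensitive elsewhere
            "severity": ROLE_SEVERITY.get(role, "medium"),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample: a front-end bundle that ships both keys (the service_role one is the bug).
    bundle = (
        "const supabase = createClient('https://abcdefghijklmnopqrst.supabase.co', '"
        + make_fake_supabase_key("anon") + "');\n"
        "const admin = createClient(url, '" + make_fake_supabase_key("service_role") + "');\n"
    )
    for f in find_supabase_keys(bundle):
        print(f"[{f['severity'].upper()}] role={f['role']} ref={f['project_ref']} token={f['token'][:20]}...")
```

The issuer check matters in practice: Burp traffic is full of JWTs from other identity providers, and only the Supabase-issued ones carry the anon/service_role distinction this check is looking for.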
Use the built-in "Test RLS" feature to actively evaluate database tables for Row Level Security misconfigurations. The extension performs controlled tests to identify unauthorized read and write access.
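Added example of the logic behind an RLS probe like the one described above; this is not the extension's own code. It plans the requests such a probe sends to the Supabase REST API with the public anon key and classifies the responses. It assumes the standard Supabase layout (https://<ref>.supabase.co/rest/v1/<table>, key sent in the apikey and Authorization headers) and PostgREST's error code 42501 (PostgreSQL insufficient_privilege) for RLS and grant denials; the sample responses in demo() are constructed, so it runs offline.

```python
import json
import urllib.error
import urllib.request


def plan_rls_probes(base_url: str, table: str, anon_key: str, canary_row=None) -> list:
    """Requests a 'test RLS' probe sends with the public anon key.
    Assumed Supabase layout: {base_url}/rest/v1/{table}, key in apikey + Authorization headers."""
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}", "Accept": "application/json"}
    base = base_url.rstrip("/")
    probes = [{"method": "GET", "url": f"{base}/rest/v1/{table}?select=*&limit=1",
               "headers": headers, "body": None}]
    if canary_row is not None:
        # A write probe really inserts a row: opt-in only, with a row you can recognise and clean up.
        probes.append({"method": "POST", "url": f"{base}/rest/v1/{table}",
                       "headers": {**headers, "Content-Type": "application/json", "Prefer": "return=minimal"},
                       "body": json.dumps(canary_row)})
    return probes


def classify_rls_response(method: str, status: int, body_text: str) -> str:
    """Map one PostgREST response to a verdict about what the anon key is allowed to do."""
    try:
        body = json.loads(body_text) if body_text else None
    except ValueError:
        body = None
    # 42501 is PostgreSQL's insufficient_privilege; PostgREST surfaces it for RLS and grant denials.
    if isinstance(body, dict) and body.get("code") == "42501":
        return "denied"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not_found"  # table absent or not in an API-exposed schema
    if method == "GET" and status == 200:
        # Rows back with the anon key means RLS is off or a SELECT policy lets anon through.
        # An empty array is inconclusive: RLS may be filtering, or the table may simply be empty.
        return "anon_read_allowed" if isinstance(body, list) and body else "inconclusive"
    if method == "POST" and status in (200, 201):
        return "anon_write_allowed"
    return "unexpected"


def send_probe(probe: dict, timeout: float = 10.0) -> tuple:
    """Send one planned probe and return (status, body_text). Not used by the offline demo."""
    data = probe["body"].encode() if probe["body"] else None
    req = urllib.request.Request(probe["url"], data=data, headers=probe["headers"], method=probe["method"])
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo() -> dict:
    """Classify constructed sample responses for a 'users' table (no network needed)."""
    samples = {
        "rls_disabled_get": ("GET", 200, '[{"id": 1, "email": "a@example.com", "stripe_customer": "cus_123"}]'),
        "rls_filtering_get": ("GET", 200, "[]"),
        "no_grant_get": ("GET", 401, '{"code": "42501", "message": "permission denied for table users"}'),
        "open_insert": ("POST", 201, ""),
        "rls_blocked_insert": ("POST", 403,
                               '{"code": "42501", "message": "new row violates row-level security policy for table \\"users\\""}'),
    }
    return {name: classify_rls_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for probe in plan_rls_probes("https://abcdefghijklmnopqrst.supabase.co", "users", "<anon key>"):
        print(probe["method"], probe["url"])
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The read probe is harmless; the write probe is what makes "controlled" matter, since a successful insert changes production data. Treating an empty array as inconclusive rather than safe is deliberate: a GET that returns [] proves nothing about a table that happens to have no rows.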
The scanner classifies discovered data by severity and highlights potential exposure of credentials, financial records, personal data, and authentication artifacts.
Leverage Burp's native reporting capabilities alongside the extension findings to prioritize remediation and eliminate dangerous access paths before attackers exploit them.
Quickly identify RLS bypass opportunities, exposed tokens, and unauthorized data access during application security assessments.
Automate Supabase discovery and uncover high-impact vulnerabilities that often lead to critical findings.
Enhance testing coverage with targeted checks designed specifically for Supabase attack surfaces.
Simulate real-world attack paths by validating privilege boundaries and detecting sensitive data exposure.
Proactively test applications before release to ensure misconfigured policies do not expose production data.
The extension helps uncover high-impact vulnerabilities that commonly lead to data breaches:
Each finding is enriched with severity indicators so security teams can quickly focus on exploitable risks.
We provide production Supabase security audits, RLS policy reviews, and compliance-driven assessments.
Yes. This Supabase RLS scanner is open source and free to use. You can inspect the code, run it locally, and customize it for your security testing workflow.
No. It is read-only and does not alter your Supabase database or Supabase API configuration.
The Supabase Security Scanner does not require any credentials or project access. If your website is running on Supabase, the tool detects the environment from what the site already exposes to any visitor and proceeds with its checks. No sensitive data or configuration needs to be provided.
Yes. The scanner is safe to run against production because it is fully read-only and does not alter any data or configurations. The one thing to scope deliberately is the Burp extension's "Test RLS" feature: its write checks send insert requests, so run them only against tables you are authorised to test and can clean up afterwards.
It can detect:
No. The results include explanations and remediation steps, so engineering teams can quickly address security issues.
It's recommended to run it:
Yes. Our team can provide deeper analysis and focused Supabase security reviews if needed.
Yes. Row Level Security (RLS) is essential for production Supabase apps, especially multi-tenant applications. RLS ensures users can only access the data they are authorized to see.
RLS stands for Row Level Security. It allows you to define policies that control which rows a user can read, insert, update, or delete based on their identity - essentially database-level authorization. Because Supabase exposes your tables through an auto-generated API that anyone holding the public anon key can call, RLS and its policies are what stand between that key and your data.
You can view usage in the Supabase Dashboard → Project → Usage/Billing. There you can see:
Errors can be checked in:
You can also integrate external monitoring tools.
Supabase is an open-source backend platform that provides:
It allows developers to build backend infrastructure quickly without managing servers.
Supabase is SQL-based because it uses PostgreSQL. It also supports JSON columns and flexible schemas, offering some NoSQL-like capabilities.
Supabase is not an alternative to SQL - it uses SQL (Postgres). Supabase provides a complete backend platform around the database, including auth, APIs, and tooling: