Onboarding founders now

We probe your Supabase app the way an attacker would.

The Supabase dashboard tells you if RLS is missing. It doesn't tell you what an attacker can actually do with your anon key. Misconfigured policies, overly permissive functions, open endpoints, auth gaps in edge functions. That's where things break.

Supasec probes your project from the outside, finds what the built-in advisor misses, gives you the prompts to fix it, then keeps watching. Every deploy. Automatically.

Get a free scan when we launch
01 / Scan from the outside

We test what an attacker can actually reach.

Not just "is RLS enabled?" We make real requests with your anon key and map what comes back. Misconfigured policies that look fine in the dashboard but leak data in practice. Edge functions that skip auth. Endpoints you forgot existed.

Scan report
acme-app.supabase.co (last scan: just now)
2 critical, 2 warnings, 12 passed

public.profiles: RLS on, but anon can read all rows
/functions/v1/webhook: no JWT verification
public.orders: policy allows cross-user SELECT
storage.uploads: public bucket, no path scoping
auth.users: locked down
02 / Get fix prompts

Copy, paste, fixed. No security expertise needed.

For every issue we find, you get a prompt you can drop straight into your AI coding assistant. It explains what's wrong and exactly what to change.

Fix prompt
[critical] public.profiles: RLS on, but anon can read all rows
Prompt for your AI assistant:

The table `public.profiles` has RLS enabled, but the existing SELECT policy uses `true` as the condition. This means any request with the anon key can read every row, including email addresses and metadata.

Replace the SELECT policy with one that restricts reads to rows where `id = auth.uid()`. If other users need to see profiles, add a separate policy scoped to specific columns.
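The policy change the prompt describes, written out as SQL. This is an added example, not Supasec's code or output; it assumes a `public.profiles` table whose `id` column matches `auth.users.id` and which carries `email` and `display_name` columns.

```sql
-- Added example (not from Supasec). Assumes public.profiles(id uuid, email text,
-- display_name text) where id matches auth.users.id.

-- BEFORE: RLS is enabled, so the dashboard advisor is satisfied, but the
-- policy admits every row to every role. Any request signed with the anon
-- key reads the whole table, email addresses included.
alter table public.profiles enable row level security;

create policy "profiles are viewable"
  on public.profiles for select
  to anon, authenticated
  using (true);

-- AFTER: drop the open policy and limit reads to the caller's own row.
-- auth.uid() is NULL for an anonymous request, so the comparison never
-- matches and the anon key gets zero rows instead of the full table.
drop policy "profiles are viewable" on public.profiles;

create policy "users read own profile"
  on public.profiles for select
  to authenticated
  using (id = auth.uid());

-- If other users must see profiles, scope what is visible by column.
-- RLS filters rows, not columns, so pair a permissive row policy for the
-- anon role with a column-level grant that leaves email unreachable.
revoke select on public.profiles from anon;
grant select (id, display_name) on public.profiles to anon;

create policy "anon reads public profile columns"
  on public.profiles for select
  to anon
  using (true);
-- With this grant in place, `select *` or `select email` as anon fails
-- with a permission error; only id and display_name are readable.
```

Re-test after applying: a request with the anon key against `/rest/v1/profiles?select=email` should now be rejected, and `?select=id,display_name` should return rows without any email.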

03 / Verify and monitor

We re-scan after every fix. Then we keep watching.

After you apply the fix, we run the scan again to confirm it actually worked. Then we monitor continuously so the next deploy doesn't reopen what you just closed.

Monitoring
Mar 6, 14:02  Deploy detected: re-scanning
Mar 6, 14:02  Scan complete: all clear
Mar 5, 09:30  Fix verified: public.api_keys
Mar 5, 09:12  Fix applied: RLS enabled
Mar 4, 22:00  Scheduled scan: 3 issues

Beyond what the Supabase advisor catches.

Soon

Dependency monitoring via GitHub

Connect your repo. We watch your dependencies for known vulnerabilities and open PRs to fix them automatically.

Soon

Code vulnerability agent

An AI agent connected to your GitHub repo that finds security issues in your code and submits fixes as pull requests.

Get a free scan when we launch.

We're onboarding a small group of founders first. Drop your details and we'll set you up.
