Beta onboarding new batch soon

we probe your Supabase app the way an attacker would. then we show you how to fix it, automatically.

acme-app.supabase.co: 6 issues (3 Critical, 3 Warning), 12 Passed, 18 Total

  next@14.1.0              CVE-2025-29927, middleware auth bypass
  public.profiles          RLS on, anon reads all rows
  public.orders            Cross-user SELECT via policy gap
  /api/comments            User HTML rendered unsanitized (XSS)
  src/lib/admin.ts         service_role key in client bundle
  /functions/v1/webhook    No JWT verification
  storage.uploads          Locked down
  auth.users               Locked down
acme-app.supabase.co, scanning: 2 verified critical, 1 verified medium, 0 false positives

  public.profiles, RLS policy gap (critical): anon key returns 1,204 rows. No RLS policy restricts SELECT. Verified.
  public.orders, cross-user SELECT (critical): Query with user_id ≠ session returns results. Policy allows WHERE true. Verified.
  /functions/v1/webhook, no auth (medium): Edge function accepts requests without JWT verification. Verified.

every finding verified against live endpoints · zero noise
How it works

Scan. Fix. Monitor.
Zero noise, zero effort.

Step 01
Scan like an attacker
We analyze your web app, check what the anon key can reach, and map what's left in the open. Every finding is verified: no stale alerts, no noise you'll ignore.
Step 02
Get AI-ready fix prompts
Each vulnerability ships with a copy-paste prompt. Drop it into Cursor, Claude, or Copilot, apply the fix and push. No security expertise required.
Step 03
Verify & monitor
We re-scan to confirm the fix worked, then keep watching across every deploy and every change: a CISO on autopilot in the background.

GitHub Agent

An autonomous agent that finds, proves, and fixes vulnerabilities via pull requests.

Connect your repo. Our agent traverses your codebase, traces data flows from Supabase client calls to API routes, and identifies security issues at the code level.

For every issue, it writes a proof-of-concept, explains the attack scenario, and opens a pull request with the fix. Ready to review and merge.

Deep code analysis
Traverses every file with Supabase calls, traces data flows from client to API routes end-to-end.
Non-destructive PoCs
Builds proof-of-concept scenarios from code analysis. Never runs exploits against your live app.
Fix via pull request
Opens a PR with the fix, the reasoning, and step-by-step verification instructions.
fix: add RLS policy to orders table
supasec-agent wants to merge into main
open
why this matters
The orders table has no RLS policy restricting SELECT. Any request with the anon key can read all rows, including orders belonging to other users.
proof of concept
curl https://acme.supabase.co/rest/v1/orders \
  -H "apikey: eyJhbGciOi...anon" \
  -H "Authorization: Bearer eyJhbGciOi...anon"

# → 200 OK, all orders returned
# → user_id, amount, address exposed
how to verify
1. Run the curl above with your anon key
2. If it returns rows from other users → vulnerable
3. After applying the fix, the same request returns 0 rows
proposed fix
+ CREATE POLICY "users read own orders"
+   ON public.orders FOR SELECT
+   USING (auth.uid() = user_id);
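Review bot: on its own, this CREATE POLICY does not close the finding described in "why this matters". Postgres policies are permissive by default and permissive policies on the same command are combined with OR, so if public.orders still carries the SELECT policy with USING (true) that the scan flagged, the new policy adds nothing and the anon key still reads every row; the PR should also drop that policy, e.g. `DROP POLICY "<existing policy name>" ON public.orders;`, and, if RLS is not enabled on the table (the report elsewhere lists it as disabled), add `ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;`, since policies are not applied until it is. With those in place the verification step holds: auth.uid() is NULL for a bare anon key, `NULL = user_id` is never true, and the curl returns no rows.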
Merge pull request

The difference

From ignored alerts
to peace of mind.

Stale security alerts pile up because fixing them is a chore. We do it for you. Just review and merge.

Before
  Dependabot alerts: 12 open
  Supabase advisories: 3 unread
  RLS on orders table: disabled
  Anon key exposure: unchecked
  Last security review: never

After supasec
  Dependabot alerts: resolved
  Supabase advisories: addressed
  RLS on orders table: enforced
  Anon key exposure: scoped
  Monitoring: always on
supasec verified
All checks passed. Embed this on your site.

What we check

Everything an attacker
would try first.

Table and RLS probing
We use your anon key to query every table your client code references. Not "is RLS on?" but "can I read other users' data right now?"
Hidden function discovery
Call an RPC name that doesn't exist and PostgREST's error hint suggests the closest real one, so guessing close enough leaks real function names. We probe ~75 dangerous patterns and verify every function that comes back.
JS bundle extraction
We crawl your app like an attacker would. Service role keys, internal RPC calls, table names, storage buckets. Everything left in the open.
Auth and endpoint exposure
Schema endpoint open? OpenAPI spec leaking your table structure? Edge functions callable without a JWT? We check what's accessible to anyone.
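As an added, self-contained illustration of two of the checks above (the RLS probe's decision rule and the bundle key classification), not code from supasec: Supabase project keys are JWTs issued with iss="supabase" whose role claim ("anon" or "service_role") decides which Postgres role PostgREST runs as, so a token in a bundle can be graded by decoding its payload, and a /rest/v1/<table> response can be checked for rows whose owner column differs from the session's sub. The tokens, bundle snippet and rows below are constructed sample data (the signatures are junk; nothing is verified, since the goal is classification, not trust); the project ref, column name and "severity" labels are assumptions, not the scanner's schema.

```python
import base64
import json
import re

# Candidate JWTs inside bundle text: three base64url segments, header starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read the payload claims. The signature is deliberately not checked:
    we are classifying a token we found, not trusting it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def classify_supabase_keys(bundle_text: str) -> list[dict]:
    """Find Supabase project keys in bundle text and grade them by `role`.
    A service_role key in a client bundle bypasses RLS for anyone who reads it."""
    findings = []
    for tok in set(JWT_RE.findall(bundle_text)):
        try:
            claims = jwt_claims(tok)
        except ValueError:  # not base64url / not JSON: not a JWT after all
            continue
        if claims.get("iss") != "supabase":
            continue  # user session tokens etc. are not project keys
        role = claims.get("role")
        findings.append({
            "ref": claims.get("ref"),
            "role": role,
            "severity": "critical" if role == "service_role" else "info",  # assumed labels
            "token": tok[:12] + "...",
        })
    return sorted(findings, key=lambda f: f["role"] or "")


def cross_user_rows(session_token: str, rows: list[dict], owner_col: str = "user_id") -> list[dict]:
    """The RLS probe's decision rule: rows from /rest/v1/<table> whose owner
    is not the session's `sub`. A non-empty result is a verified policy gap."""
    me = jwt_claims(session_token).get("sub")
    return [row for row in rows if row.get(owner_col) != me]


# --- constructed sample input: not real keys, signature segment is junk ---
def _fake_jwt(claims: dict) -> str:
    def enc(d: dict) -> str:
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.notarealsignature"


ANON_KEY = _fake_jwt({"iss": "supabase", "ref": "acmeacmeacmeacmeacme", "role": "anon"})
SERVICE_KEY = _fake_jwt({"iss": "supabase", "ref": "acmeacmeacmeacmeacme", "role": "service_role"})
SESSION_TOKEN = _fake_jwt({"iss": "https://acme.supabase.co/auth/v1", "sub": "user-a", "role": "authenticated"})

# A fragment of a hypothetical client bundle that embeds both project keys.
SAMPLE_BUNDLE = (
    'const s=createClient("https://acme.supabase.co","' + ANON_KEY + '");'
    'const admin=createClient("https://acme.supabase.co","' + SERVICE_KEY + '");'
)
# Rows as PostgREST would return them for GET /rest/v1/orders?select=id,user_id (constructed).
SAMPLE_ORDERS = [
    {"id": 1, "user_id": "user-a"},
    {"id": 2, "user_id": "user-b"},
    {"id": 3, "user_id": "user-c"},
]

if __name__ == "__main__":
    for f in classify_supabase_keys(SAMPLE_BUNDLE):
        print(f["severity"], f["role"], f["token"])
    print("cross-user rows:", cross_user_rows(SESSION_TOKEN, SAMPLE_ORDERS))
```

Against the sample bundle the classifier reports the anon key as informational and the service_role key as critical; against the sample rows, a session for user-a sees two rows it does not own, which is exactly the "can I read other users' data right now?" condition rather than a check that RLS is merely switched on.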

Pricing

Plans for every stage.
Building, growing, selling.

Every scan, re-scan, and agent action consumes credits. Pick the plan that fits and upgrade anytime.

Starter
$29
per month
  • 100 credits / month
  • External scans
  • Fix prompts for every finding
  • Verification re-scans
  • Continuous monitoring
Due Diligence
$249
one-time
  • 1,000 credits · 7-day access
  • Full before & after report
  • Agent + external scans included
  • Exportable PDF for M&A / investors
  • Remediation verification

find and fix your security issues before you lose revenue.

Join the waitlist. We're onboarding a new batch soon.

Limited spots per batch. Next cohort fills fast.