supasec (npm package, version 1.0.6)
🔒 SupaSec

A free, open-source CLI tool for comprehensive Supabase security auditing.


🚀 Quick Start

Scan any Supabase-powered website instantly:

npx supasec scan https://myapp.com

✨ Features

  • 🔍 Secret Detection - Find exposed API keys, service role keys, and credentials with JWT permission level analysis
  • 🛡️ RLS Analysis - Detect missing or misconfigured Row Level Security policies
  • 🧪 RLS Fuzzing - Actually test data access to confirm RLS effectiveness
  • ⚡ RPC Scanner - Detect dangerous RPC functions and SQL injection risks
  • 🗄️ Storage Scanner - Check bucket ACLs, file type restrictions, and exposed sensitive files
  • 🔐 Auth Config - Validate MFA, password policies, email verification, and JWT settings
  • 📜 Git History - Scan commits for secrets and .env files
  • 📸 Snapshots - Track security posture changes over time with diff capabilities
  • 📊 Security Grading - Get an A-F grade with actionable recommendations
  • 🔧 Auto-Fix - Interactive wizard to automatically fix vulnerabilities
  • 📈 CI/CD Ready - Integrate with GitHub Actions, GitLab CI, and more
  • 💯 Free & Open Source - No paywalls, no subscriptions

📋 Installation

npx supasec scan <url>

Global Installation

npm install -g supasec
supasec scan <url>

🔧 Usage

Basic Scan

# Scan a website
supasec scan https://myapp.com

# Scan with authentication
supasec scan https://myapp.com --project-url https://abc.supabase.co --service-key xxx

# Deep scan with RLS fuzzing
supasec scan https://myapp.com --deep --project-url https://abc.supabase.co --anon-key xxx

# Scan local project
supasec scan --local

# Create security snapshot
supasec snapshot create --name pre-deploy-v1.0.6

# Compare snapshots
supasec snapshot diff pre-deploy-v1.0.6 post-deploy-v1.0.6

Output Formats

# Terminal output (default)
supasec scan https://myapp.com

# JSON output
supasec scan https://myapp.com --format json

# HTML report
supasec scan https://myapp.com --format html --output report.html

CI/CD Integration

# Fail on critical or high severity issues
supasec scan https://myapp.com --fail-on critical,high

# Quiet mode for CI
supasec scan https://myapp.com --format json --quiet --output audit.json

🛠️ Auto-Fix (Coming Soon)

Fix vulnerabilities interactively:

supasec fix --interactive

Or apply fixes automatically:

supasec fix --auto --backup

Note: The fix command is planned for a future release.

🔐 Security Checks

SupaSec performs comprehensive security checks across multiple categories:

Secrets Detection

  • ✅ Service role key exposure with JWT permission analysis
  • ✅ Anon key validation and permission levels
  • ✅ Third-party API keys (Stripe, OpenAI, AWS, etc.)
  • ✅ JWT token exposure and decoding
  • ✅ Private keys in bundles
  • ✅ Git history scanning for committed secrets

RLS Security

  • ✅ Tables without RLS enabled
  • ✅ Missing RLS policies
  • ✅ Bypass policies (USING (true))
  • ✅ Missing user isolation
  • ✅ Public role access
  • ✅ 🆕 RLS Fuzzing - Actually test data access
  • ✅ 🆕 Row count estimation for exposed data

Authentication

  • ✅ Password policy strength
  • ✅ MFA configuration and enforcement
  • ✅ Email verification requirements
  • ✅ JWT expiry settings
  • ✅ Refresh token rotation
  • ✅ Session timeout configuration
  • ✅ Secure email change

Storage Security

  • ✅ Public bucket exposure
  • ✅ File type restrictions
  • ✅ File size limits
  • ✅ Dangerous MIME type detection
  • ✅ Exposed sensitive files (.env, keys)

RPC Security

  • ✅ 🆕 Dangerous function name patterns
  • ✅ 🆕 SECURITY DEFINER checks
  • ✅ 🆕 SQL injection risk detection

Git Security

  • ✅ 🆕 Committed .env files
  • ✅ 🆕 Secrets in commit messages
  • ✅ 🆕 Private keys in history
  • ✅ 🆕 Stashed secrets

Snapshot & Diff

  • ✅ 🆕 Create security snapshots
  • ✅ 🆕 Compare snapshots over time
  • ✅ 🆕 Track security posture changes
  • ✅ 🆕 Grade change tracking

API Security

  • ✅ CORS configuration
  • ✅ GraphQL introspection

📊 Example Output

🔍 SupaSec - Supabase Security Audit v1.0.6
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🎯 Target: https://myapp.com
⏱️  Started: 2026-01-28T14:23:15.000Z

✓ Detected Supabase project
  Found 12 tables, 8 RPCs, 3 storage buckets

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 SCAN SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

❌ CRITICAL: 1 issues
⚠️  HIGH: 2 issues
⚡ MEDIUM: 1 issues

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ CRITICAL (1 issues)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

┌─ RLS-001: Table 'users' has RLS disabled
│ The table 'users' does not have Row Level Security enabled.
│
│ Location: public.users
│ Impact: Complete exposure of 1847 records
│
│ Fix: Enable Row Level Security on table 'users'
│ SQL:
│   ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;
│   CREATE POLICY "Users can only access own data"
│     ON public.users FOR SELECT
│     USING (auth.uid() = id);
└

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📈 SECURITY GRADE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  Grade D - 45/100
  Below average - serious issues found.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛠️  QUICK ACTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Fix critical issues now:
  $ supasec fix --interactive

View detailed report:
  $ supasec report --format html --output report.html

🔄 CI/CD Integration

GitHub Actions

name: Security Audit

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run SupaSec Security Scan
        run: |
          npx supasec scan https://staging.myapp.com \
            --format json \
            --fail-on critical,high \
            --output audit.json
      
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: audit.json

GitLab CI

stages:
  - security

security_scan:
  stage: security
  image: node:18
  script:
    - npx supasec scan $STAGING_URL
        --format json
        --output audit.json
        --fail-on critical,high
  artifacts:
    when: always
    paths:
      - audit.json

📚 Documentation

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

Development Setup

# Clone the repository
git clone https://github.com/yourusername/supasec.git
cd supasec

# Install dependencies
npm install

# Build the project
npm run build

# Run in development mode
npm run dev

# Run tests
npm test

📄 License

MIT License - see LICENSE file for details.

🙏 Acknowledgments

  • Inspired by AuditYour.App, SupaShield, and other Supabase security tools
  • Built with ❤️ for the Supabase community

📞 Support

Made with 🔒 by the SupaSec Team

Package last updated on 28 Jan 2026