I keep seeing posts here about leaked Supabase keys, missing RLS policies, and exposed service_role keys. Built an open-source scanner that catches this stuff automatically.
npx ship-safe audit .
What it catches for Supabase projects specifically:
- SUPABASE_SERVICE_ROLE_KEY in client-side code (this is the big one — your service role key should never be in the browser)
- anon key used where service_role is needed (or vice versa)
- .env files with Supabase keys committed to git (checks git history too)

It also scans for general stuff like SQL injection, auth bypass, XSS, dependency vulnerabilities — 12 agents total covering OWASP Top 10.
Discussion summary: Healthy802 introduced an open-source tool called 'ship-safe' that scans Supabase projects for security issues like hardcoded service role keys, missing RLS policies, and insecure headers. The tool provides a security score and a prioritized list of fixes. LevelSoft1165 suggested reaching out to the Supabase team for potential integration into their CLI tool.
You should reach out to the Supabase team, maybe it's something they'd want to implement in their CLI tool!
You get a score out of 100 and a prioritized list of what to fix first. No account needed, runs locally, completely free.
I also have a drop-in Supabase RLS checklist and security config template in the repo under /configs/supabase/.
If you're about to launch something on Supabase, run this first. Takes 30 seconds and might save you from a very bad day.
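As an added example of the first check the post describes (a service_role key that is reachable from the browser), here is a small stand-alone detector. It is not code from ship-safe or from the post. It assumes the legacy Supabase key format, a JWT whose payload carries `"iss": "supabase"` and a `"role"` claim of `anon` or `service_role`; newer keys are matched by their `sb_secret_` / `sb_publishable_` prefix only. The list of public env-var prefixes, the "server-only" path pattern and the sample files are heuristics and constructed input chosen for this demo; the git-history check from the post is out of scope here.

```javascript
// Added example: stand-alone detector for a Supabase service_role key that is
// exposed to the client. Not ship-safe's code. Assumes legacy keys are JWTs with
// "iss": "supabase" and a "role" claim; sb_secret_/sb_publishable_ keys are
// matched by prefix only. Path and env-prefix lists are demo heuristics.

// JWT (eyJ...) or new-style prefixed key literals inside a line of source.
const KEY_TOKEN_RE =
  /\b(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|sb_(?:secret|publishable)_[A-Za-z0-9_-]+)/g;
// KEY=value lines as found in .env files (optionally prefixed with `export`).
const ENV_LINE_RE = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*["']?([^"'\s]*)/;
// Env-var prefixes that bundlers inline into the client build (heuristic list).
const PUBLIC_ENV_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_', 'EXPO_PUBLIC_', 'NUXT_PUBLIC_'];
// Paths treated as server-only, where a service_role key is legitimate (heuristic).
const SERVER_ONLY_RE = /(^|\/)(server|api|scripts|supabase\/functions)\//;

// Decode the payload segment of a JWT without verifying it; null if not a JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Returns 'service_role', 'anon', or null for something that is not a Supabase key.
function classifySupabaseKey(token) {
  if (token.startsWith('sb_secret_')) return 'service_role';
  if (token.startsWith('sb_publishable_')) return 'anon';
  const payload = decodeJwtPayload(token);
  if (!payload || payload.iss !== 'supabase') return null;
  if (payload.role === 'service_role' || payload.role === 'anon') return payload.role;
  return null;
}

// Scan one file's text. Env assignment lines are judged by variable name and
// value; every other line is judged by the key literals it contains and by
// whether the file path looks server-only.
function scanFile(path, content) {
  const findings = [];
  content.split('\n').forEach((text, i) => {
    const line = i + 1;
    const env = text.match(ENV_LINE_RE);
    if (env) {
      const [, name, value] = env;
      const isPublic = PUBLIC_ENV_PREFIXES.some((p) => name.startsWith(p));
      if (isPublic && (name.includes('SERVICE_ROLE') || classifySupabaseKey(value) === 'service_role')) {
        findings.push({ path, line, rule: 'service-role-in-public-env', name });
      }
      return; // a non-public env var holding a service key is the intended use
    }
    if (SERVER_ONLY_RE.test(path)) return;
    for (const token of text.match(KEY_TOKEN_RE) || []) {
      if (classifySupabaseKey(token) === 'service_role') {
        findings.push({ path, line, rule: 'service-role-in-client-code', prefix: token.slice(0, 12) });
      }
    }
  });
  return findings;
}

// files: { [path]: content } so the demo runs without touching the filesystem.
function scanProject(files) {
  return Object.entries(files).flatMap(([path, content]) => scanFile(path, content));
}

// --- constructed sample input (not real keys): unsigned JWTs with Supabase-shaped claims ---
function fakeJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.notasignature`;
}
const SERVICE_KEY = fakeJwt({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role: 'service_role' });
const ANON_KEY = fakeJwt({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role: 'anon' });

const SAMPLE_FILES = {
  'src/lib/supabase.ts':
    `import { createClient } from '@supabase/supabase-js';\n` +
    `export const supabase = createClient('https://abcdefghijklmnopqrst.supabase.co', '${SERVICE_KEY}');\n`,
  'src/lib/public-client.ts': `export const supabase = createClient(url, '${ANON_KEY}');\n`,
  '.env.local':
    `NEXT_PUBLIC_SUPABASE_URL=https://abcdefghijklmnopqrst.supabase.co\n` +
    `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=${SERVICE_KEY}\n` +
    `SUPABASE_SERVICE_ROLE_KEY=${SERVICE_KEY}\n`,
  'server/admin.ts': `export const admin = createClient(url, '${SERVICE_KEY}');\n`,
};

console.log(JSON.stringify(scanProject(SAMPLE_FILES), null, 2));
```

On the sample input this reports exactly two findings: the service_role literal in `src/lib/supabase.ts` and the `NEXT_PUBLIC_`-prefixed env var in `.env.local`. The anon key in client code and the service key in `server/admin.ts` are left alone, as is the non-public `SUPABASE_SERVICE_ROLE_KEY` line, which is the intended place for that key. The detector decodes the JWT payload rather than pattern-matching on the variable name, so a service key assigned to an innocently named constant is still caught; the trade-off is that the path heuristic decides what counts as server-only, so adjust `SERVER_ONLY_RE` to your framework's layout before trusting a clean result.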