I keep seeing posts here about leaked Supabase keys, missing RLS policies, and exposed service_role keys. Built an open-source scanner that catches this stuff automatically.
npx ship-safe audit .
What it catches for Supabase projects specifically:
- SUPABASE_SERVICE_ROLE_KEY in client-side code (this is the big one — your service role key should never be in the browser)
- anon key used where service_role is needed (or vice versa)
- .env files with Supabase keys committed to git (checks git history too)

It also scans for general stuff like SQL injection, auth bypass, XSS, dependency vulnerabilities — 12 agents total covering OWASP Top 10.
You should reach out to the Supabase team, maybe it's something they'd want to implement in their CLI tool!
We used https://scan.testavi.com/ in our team and it's quite good.
You get a score out of 100 and a prioritized list of what to fix first. No account needed, runs locally, completely free.
I also have a drop-in Supabase RLS checklist and security config template in the repo under /configs/supabase/.
If you're about to launch something on Supabase, run this first. Takes 30 seconds and might save you from a very bad day.
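As an added illustration of the three Supabase-specific checks the post lists (service_role key in client-side code, service_role versus anon confusion, and a .env with keys that would get committed), here is a small in-memory scanner written for this thread. It is not ship-safe's code and does not reflect how that tool works internally; the directory heuristics, rule names, score weights, sample project and key values are all constructed for the example, and the JWTs are fabricated and unsigned. The one real fact it relies on is that Supabase API keys are JWTs whose payload carries a "role" claim ("anon" or "service_role"), which lets the scanner decode a literal key and report only the service_role ones.

```javascript
// Added example (not ship-safe's code): a minimal in-memory version of the
// Supabase checks described in the post, run over a constructed sample project.
// Directory heuristics, rule names, score weights and every key value below are
// assumptions made for illustration; the JWTs are fabricated and unsigned.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
// Supabase keys are JWTs with a "role" claim; these two only imitate that shape.
const FAKE_SERVICE_KEY = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ iss: 'supabase', role: 'service_role' })}.CONSTRUCTED_SIG`;
const FAKE_ANON_KEY = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ iss: 'supabase', role: 'anon' })}.CONSTRUCTED_SIG`;

// Constructed sample project: path -> file contents.
const SAMPLE_FILES = {
  'src/lib/supabaseClient.js': `
import { createClient } from '@supabase/supabase-js';
export const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL,
  process.env.SUPABASE_SERVICE_ROLE_KEY, // server-only secret pulled into the browser bundle
);`,
  'src/lib/publicClient.js': `createClient(url, '${FAKE_ANON_KEY}'); // anon key in the client is expected`,
  'next.config.js': `module.exports = { env: { NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: process.env.SUPABASE_SERVICE_ROLE_KEY } };`,
  'scripts/seed.js': `const admin = createClient(url, '${FAKE_SERVICE_KEY}');`,
  'server/admin.js': `const admin = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY); // server side: fine`,
  '.env': `SUPABASE_URL=https://example.supabase.co\nSUPABASE_SERVICE_ROLE_KEY=${FAKE_SERVICE_KEY}\n`,
  '.gitignore': 'node_modules\n',
};

const CLIENT_PATH = /^(src|app|pages|components|public)\//;          // assumed client-bundle dirs
const PUBLIC_PREFIX = /^(NEXT_PUBLIC_|VITE_|REACT_APP_)/;              // bundlers inline these into browser code
const SERVICE_ROLE_ENV = /(?:NEXT_PUBLIC_|VITE_|REACT_APP_)?SUPABASE_SERVICE_ROLE_KEY/g;
const JWT_SHAPE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{5,}\b/g;
const ENV_FILE = /(^|\/)\.env(\..*)?$/;
const WEIGHT = { critical: 25, high: 10 };                             // constructed scoring, not ship-safe's

// Decode the payload segment of a JWT-shaped string and return its "role"
// claim, or null when the string is not a JWT we can parse.
function jwtRole(token) {
  try {
    const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

function auditProject(files) {
  const findings = [];
  const ignored = new Set((files['.gitignore'] || '').split('\n').map((l) => l.trim()).filter(Boolean));
  const add = (rule, severity, file, message) => findings.push({ rule, severity, file, message });

  for (const [path, text] of Object.entries(files)) {
    const isEnv = ENV_FILE.test(path);
    const isClient = CLIENT_PATH.test(path);

    // Rule 1: the service_role variable is read from code that ships to the browser,
    // or is re-exported under a public prefix that the bundler inlines client-side.
    for (const m of text.matchAll(SERVICE_ROLE_ENV)) {
      if (isClient || PUBLIC_PREFIX.test(m[0])) {
        add('service-role-in-client', 'critical', path,
          `${m[0]} used in ${isClient ? 'client-side code' : 'a public env prefix'}`);
      }
    }

    // Rule 2: a literal key in source. Decode its role claim instead of guessing
    // from the variable name; anon keys are public by design (RLS is what protects
    // them), so only service_role literals are reported.
    if (!isEnv) {
      for (const m of text.matchAll(JWT_SHAPE)) {
        if (jwtRole(m[0]) === 'service_role') {
          add('hardcoded-service-role-key', 'critical', path, 'service_role JWT literal in source');
        }
      }
    }

    // Rule 3: a .env holding Supabase keys that .gitignore does not cover, so a
    // plain `git add .` would commit it. (Walking git history for keys already
    // committed, as the post's tool does, needs a real repository; out of scope here.)
    if (isEnv && /SUPABASE_/.test(text) && !ignored.has(path) && !ignored.has(path.split('/').pop())) {
      add('env-not-ignored', 'high', path, 'Supabase keys in a .env file that is not git-ignored');
    }
  }

  // Prioritized list: highest weight first; score is 100 minus the summed weights.
  findings.sort((a, b) => WEIGHT[b.severity] - WEIGHT[a.severity]);
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHT[f.severity], 0));
  return { score, findings };
}

// Stand-alone run over the constructed project.
const report = auditProject(SAMPLE_FILES);
console.log(`score: ${report.score}/100`);
for (const f of report.findings) console.log(`[${f.severity}] ${f.rule} ${f.file}: ${f.message}`);
```

On the sample project this reports the client-side `SUPABASE_SERVICE_ROLE_KEY` read, the `NEXT_PUBLIC_` re-export, the hard-coded service_role literal and the un-ignored `.env`, while the server-side read and the anon-key literal in the client pass, which is the distinction the post's second bullet is about. A real scanner would walk the filesystem and git history instead of an in-memory map, and would apply proper .gitignore glob semantics rather than the exact-match check used here.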