Open-source scanner for Supabase RLS and security issues

If you are using Supabase (especially if you vibe coded your app), there is a good chance your RLS policies have gaps. I see it constantly: tables with RLS disabled, storage buckets wide open, service_role keys hardcoded in frontend code.

I built Ship Safe, an open-source security scanner with a dedicated Supabase RLS Agent.

npx ship-safe audit .

What the Supabase agent checks:

• RLS disabled on tables: If you forgot to enable RLS, anyone with your anon key can read/write everything.
• Missing RLS policies: RLS is enabled but no policies defined (locked out), OR you are bypassing with service_role (worse).
• service_role key in client code: Your service key should never leave the server. If it is in your Next.js frontend, React app, or .env committed to git, you are exposed.
• Open storage buckets: Public buckets without proper policies means anyone can upload/download anything.
• Supabase auth misconfiguration: Weak JWT secrets, missing email confirmation, no rate limiting on auth endpoints.

It also scans for general issues that affect Supabase apps:

• Hardcoded secrets (Supabase URL, anon key in places it should not be, database connection strings).
• Dependency CVEs in your npm/pip/yarn packages.
• Auth bypass patterns (timing attacks on token comparison, missing middleware).
• Injection vulnerabilities in your API routes.

The scanner runs locally, so no data leaves your machine. No account needed.

Quick example of what it catches:

// this is in your frontend code
const supabase = createClient(
  'https://xxx.supabase.co',
  'eyJhbGciOiJIUzI1NiIs...'  // ← ship-safe flags this immediately
)

// table without RLS
create table user_data (
  id uuid primary key,
  email text,
  ssn text        -- ← no RLS = public read/write
);