RLS is the security boundary of a Supabase app, but writing pgTAP tests for it by hand is
painful — you have to fake identities, seed matching rows for every policy, and assert who
can do what. So it mostly gets skipped, and a missed policy ships as a data leak.
I made rlsautotest to automate exactly that. Point it at your database and it reads your RLS
policies and generates a native pgTAP suite — plus the seed data — that proves, per table,
per command, per identity, who can SELECT / INSERT / UPDATE / DELETE which rows. It catches
an unprotected table on the spot.
The part I cared most about getting right: a generated test only means something if the data
behind it matches the policy and the identity. So it works backward from each policy to the
exact rows and identities that satisfy (and violate) it, pairs every "denied" with a positive
control, and never emits a false-passing test — anything it can't prove soundly is marked,
not faked.
Free and open source (Apache-2.0). Emits standard pgTAP, so it runs with `supabase test db`,
pg_prove, or psql, and there's a CI gate that fails the build on a leak.
pip install rlsautotest
rlsautotest --db-url "$DATABASE_URL" --schema public --html rls-report.html # quick report
rlsautotest --db-url "$DATABASE_URL" --schema public --emit supabase/ # commit + run in
GitHub: https://github.com/unitautogen/rlsautotest
PyPI: https://pypi.org/project/rlsautotest/
It's beta — I'd genuinely love feedback, especially on policies it handles badly. Built on pgTAP and the basejump test helpers; thanks to both.

Munaf-Khatri developed 'rlsautotest', a tool to automate pgTAP test generation for Supabase RLS policies. The tool reads RLS policies, generates pgTAP suites, and creates seed data to verify access controls per table and command. It's open source and aims to prevent data leaks by ensuring policies are correctly enforced.
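For readers who have not written one of these by hand, here is an added example of the kind of pgTAP suite the post is talking about: one table, one owner-only policy, two identities, each "denied" assertion paired with a positive control. This is hand-written illustration, not rlsautotest output and not the project's code. It assumes a Supabase database (the `auth.uid()` function, the `authenticated` role and pgTAP present, as when run under `supabase test db`); the `notes` table, its policy, the fixed UUIDs and the seed rows are constructed for the example.

```sql
-- Added example, not rlsautotest output: a hand-written pgTAP suite of the
-- kind the post describes, for one table with an owner-only policy.
-- Assumes a Supabase database (auth.uid(), the authenticated role, pgTAP),
-- e.g. as run by `supabase test db`. Table, policy, UUIDs and rows below
-- are constructed for this example.
begin;
select plan(6);

create table public.notes (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  body     text not null
);
alter table public.notes enable row level security;
grant select, insert, update, delete on public.notes to authenticated;

create policy notes_owner_only on public.notes
  for all to authenticated
  using (owner_id = auth.uid())        -- rows a user may read/update/delete
  with check (owner_id = auth.uid());  -- rows a user may write

-- Seed: one row per identity, inserted as the table owner (bypasses RLS).
-- Fixed UUIDs so every seed row is tied to exactly one identity.
insert into public.notes (owner_id, body) values
  ('00000000-0000-0000-0000-00000000000a', 'alice private'),
  ('00000000-0000-0000-0000-00000000000b', 'bob private');

-- Impersonate a Supabase user the way PostgREST does: switch to the
-- authenticated role and set the JWT claims that auth.uid() reads.
-- Both are transaction-local, so nothing leaks past this test.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000a","role":"authenticated"}', true);

-- Positive control: alice sees her row, and nothing else.
select results_eq(
  $$ select body from public.notes order by body $$,
  $$ values ('alice private') $$,
  'alice SELECTs exactly her own notes');

-- Denied, paired with the control above: bob's row is invisible to alice.
select is_empty(
  $$ select 1 from public.notes
     where owner_id = '00000000-0000-0000-0000-00000000000b' $$,
  'alice cannot SELECT bob''s note');

-- INSERT: the WITH CHECK clause is what rejects a spoofed owner_id;
-- Postgres raises SQLSTATE 42501 (insufficient_privilege) for it.
select lives_ok(
  $$ insert into public.notes (owner_id, body)
     values ('00000000-0000-0000-0000-00000000000a', 'alice new') $$,
  'alice can INSERT a note she owns');
select throws_ok(
  $$ insert into public.notes (owner_id, body)
     values ('00000000-0000-0000-0000-00000000000b', 'spoofed') $$,
  '42501', null,
  'alice cannot INSERT a note owned by bob');

-- UPDATE/DELETE caveat: RLS does not raise for rows the USING clause hides,
-- it silently matches zero rows, so lives_ok/throws_ok prove nothing here.
-- Run the hostile statements, then assert on the surviving state.
update public.notes set body = 'hijacked'
  where owner_id = '00000000-0000-0000-0000-00000000000b';
delete from public.notes;

select is_empty(
  $$ select 1 from public.notes $$,
  'alice''s blanket DELETE removed everything she can see (her own rows)');

-- Positive control for the denials: switch to bob, his row is untouched.
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000000b","role":"authenticated"}', true);
select results_eq(
  $$ select body from public.notes $$,
  $$ values ('bob private') $$,
  'bob''s note survives alice''s UPDATE and DELETE unchanged');

select * from finish();
rollback;
```

Two things worth noticing, because they are exactly where hand-written suites go wrong: the denied INSERT is the only denial that surfaces as an error, so UPDATE and DELETE denials have to be asserted from the victim's side rather than with `throws_ok`; and every "cannot" test is only meaningful next to a "can" test on the same table and command, otherwise a table with no grants at all would pass the whole suite.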