The anon key ships in every app's bundle, so if Row Level Security is off or a policy is too loose, anyone can read the tables. I kept running into this in the wild, so I built a scanner that checks it from the outside using only the public key. Read-only, never logs in, never writes.
Paste your app URL: task-bounty.com/scan?utm_source=reddit_supabase
It also flags exposed keys, reachable .env/source maps, and open Firebase DBs. Curious what people find, and open to feedback on the RLS check itself.
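For anyone who wants to close the gap the post describes on their own project rather than just detect it, here is the SQL side of the fix. This is an added example, not code from the scanner or from Supabase; it assumes a hypothetical table `public.notes` with a `user_id` column holding the owning user's id, and is meant to be run in the project's SQL editor.

```sql
-- Added example; "public.notes" and its "user_id" column are constructed, not from the post.

-- 1. Tables in the public schema with RLS disabled. PostgREST exposes these to
--    anyone holding the anon key, which is exactly what the post's scanner looks for.
select schemaname, tablename, rowsecurity
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- 2. Policies that the anon role can use. A SELECT policy whose qual is "true"
--    (or a policy granted to "public") is the "too loose" case from the post.
select tablename, policyname, roles, cmd, qual
from pg_policies
where schemaname = 'public'
  and ('anon' = any(roles) or 'public' = any(roles));

-- 3. The weak configuration, shown for contrast only: RLS on, but anonymous reads of every row.
-- create policy "public read" on public.notes for select to anon using (true);

-- 4. Hardened: enable RLS, drop the loose policy, and scope reads to the signed-in owner.
--    auth.uid() is Supabase's helper returning the JWT subject of the caller.
alter table public.notes enable row level security;
drop policy if exists "public read" on public.notes;
create policy "owner reads own notes"
  on public.notes
  for select
  to authenticated
  using (auth.uid() = user_id);

-- 5. Verify from the anon role's point of view: with RLS on and no anon policy,
--    the query succeeds but returns zero rows, which is what the external check should now see.
set role anon;
select count(*) as rows_visible_to_anon from public.notes;
reset role;
```

Step 5 is the in-database equivalent of the post's outside-in check: if `rows_visible_to_anon` is non-zero, some policy still grants anonymous access and step 2 will show which one.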