Find Supabase RLS leaks before your users do.
We connect to your Supabase project, parse RLS policy SQL, and probe the deployed app with real requests. Permissive policies, exposed service_role keys, missing auth on Edge Functions — surfaced in minutes, not days.
Free scan in minutes. No signup required. Read-only access.
What Sekrd finds in Supabase apps
Your scanner sees RLS: enabled.
We see the actual policy.
⚠ USING (true) RLS policies
Policies that return true for every row let anyone with the anon key read everything. We parse the actual SQL — not just whether RLS is enabled.
⚠ service_role keys in client bundle
If service_role leaks into your Next.js client JS, every visitor can bypass RLS entirely. We grep your deployed bundle for the JWT prefix.
⚠ Tables with RLS disabled
RLS off + a public anon key = a database open to the internet. We enumerate every table the anon key can reach.
⚠ Public buckets with PII
Storage buckets set to public + filenames that look like user-uploaded content (avatars, documents) = enumerable PII.
⚠ Missing auth on Edge Functions
Edge Functions without a JWT verification check are publicly callable. We probe every function URL and check the response.
⚠ Postgres extensions exposing privilege escalation
Misconfigured pg_net, http, or auth.users access from public schemas can give the anon role superuser-adjacent reach.
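As an added illustration of the first check in this list (not Sekrd's own code): a small Python audit over rows shaped like Postgres's pg_policies view that flags policies whose gating expression is always true and rates them by whether the anon/public role can reach them. The sample rows are constructed; the pg_policies column names (tablename, policyname, cmd, roles, qual, with_check) are the real ones.

```python
import re

# Constructed sample rows shaped like Postgres's pg_policies view
# (tablename, policyname, cmd, roles, qual, with_check); not from any real project.
SAMPLE_POLICIES = [
    {"tablename": "users", "policyname": "users_read", "cmd": "SELECT",
     "roles": ["anon", "authenticated"], "qual": "true", "with_check": None},
    {"tablename": "profiles", "policyname": "own_profile", "cmd": "SELECT",
     "roles": ["authenticated"], "qual": "(auth.uid() = id)", "with_check": None},
    {"tablename": "posts", "policyname": "insert_any", "cmd": "INSERT",
     "roles": ["public"], "qual": None, "with_check": "true"},
    {"tablename": "posts", "policyname": "update_own", "cmd": "UPDATE",
     "roles": ["authenticated"], "qual": "(auth.uid() = author_id)",
     "with_check": "(auth.uid() = author_id)"},
    {"tablename": "comments", "policyname": "read_all", "cmd": "SELECT",
     "roles": ["authenticated"], "qual": "((true))", "with_check": None},
]

# Matches "true", "(true)", "((true))" in any case: the policy admits every row.
ALWAYS_TRUE = re.compile(r"^[\s(]*true[\s)]*$", re.IGNORECASE)
ANON_REACHABLE = {"anon", "public"}  # roles the public anon key can act as

def gating_expressions(policy):
    """Expressions Postgres evaluates for the command: INSERT uses WITH CHECK,
    UPDATE/ALL use both (WITH CHECK falls back to USING), others use USING."""
    qual, check = policy["qual"], policy["with_check"]
    cmd = policy["cmd"].upper()
    if cmd == "INSERT":
        return [check]
    if cmd in ("UPDATE", "ALL"):
        return [qual, qual if check is None else check]
    return [qual]

def classify(policy):
    """Return (severity, reason) for an always-true policy, else None."""
    exprs = [e for e in gating_expressions(policy) if e is not None]
    if not any(ALWAYS_TRUE.match(e) for e in exprs):
        return None
    where = f"{policy['cmd']} on {policy['tablename']}"
    if ANON_REACHABLE & {r.lower() for r in policy["roles"]}:
        return ("CRITICAL", f"{where}: every row open to anyone holding the anon key")
    return ("HIGH", f"{where}: every row open to any signed-in user")

def audit(policies):
    """Return [(tablename, policyname, severity, reason)] for flagged policies."""
    flagged = ((p, classify(p)) for p in policies)
    return [(p["tablename"], p["policyname"]) + r for p, r in flagged if r is not None]
```

Running `audit(SAMPLE_POLICIES)` flags users.users_read and posts.insert_any as CRITICAL (anon-reachable) and comments.read_all as HIGH, while the auth.uid()-scoped policies pass.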
The trap
USING(true) = RLS enabled, database wide open.
What other scanners report
✓ RLS: enabled
✓ Policies: 3 found
✓ Auth: configured
Result: PASS ✓
What Sekrd reports
⚠ CRITICAL: users table
Policy: USING (true)
→ Anyone with anon key can read ALL user data
Fix: USING (auth.uid() = id)
How it works
Three steps. Quick result.
Paste your URL
Your deployed Supabase app's URL. We crawl the homepage and detect the Supabase project from the JS bundle.
Connect (optional)
Optionally paste a read-only service key. We parse every RLS policy, enumerate tables and storage buckets, probe Edge Functions.
Get the report
Findings with file paths, severity, and an AI fix prompt you paste into Cursor / Claude Code. PDF download for App Store / due diligence.
Read-only
Never modifies your database, RLS, or storage rules.
No agent install
We scan the deployed URL. No code changes, no library to ship.
Credentials encrypted
Service keys encrypted at rest, deleted on plan end.
Supabase FAQ
Do I need to give Sekrd my service_role key?
No. The deep scan can run with your anon key only — we just see less. service_role unlocks RLS policy SQL parsing and table enumeration; without it we still catch USING(true) via active probes, but slower.
Can you scan a private Supabase project (no public domain)?
Today: only deployed apps with a public URL. Direct project scanning (Supabase API → policy SQL) is on the Continuous Pro roadmap.
What about Edge Functions?
We probe every Edge Function URL, check for auth headers being verified, look for SQL injection in path params, and test rate limiting.
Will scanning trigger Supabase rate limits?
Conservative: 1 request per second to your project, max 50 requests per scan. Won't trip Supabase Pro tier limits.
Is the report App Store compatible?
The PDF report documents findings + the security/compliance attestation. App Store reviewers and investor due diligence accept it as evidence of a pre-launch audit. Not a substitute for a certified GDPR auditor.
Audit your Supabase app before you ship.
Free scan first. $39 one-time for the full report + PDF + AI fix prompts.