FixVibe

Supabase RLS scanner: find the tables where row-level security is broken

Row-level security (RLS) is frequently the only thing standing between your customers' data and the internet when you ship a Supabase-backed app. AI coding tools produce RLS-shaped code that compiles, ships, and leaks data quietly: tables created without ENABLE RLS, policies that read but do not restrict, predicates that compare a column to itself. This page explains what an external Supabase RLS scanner can verify, the four broken-RLS patterns that show up in vibe-coded apps, and how to scan your deployment in under a minute.

What an external RLS scan can verify

A passive RLS scan runs against the PostgREST endpoint that Supabase exposes at https://[project].supabase.co/rest/v1/. It uses only the publishable anon key (the same key your browser uses) and probes for table-list metadata, anonymous reads, and anonymous writes. It never authenticates as a user and never touches service-role privileges. Whatever it can do, an unauthenticated attacker on the internet can do as well.

From outside the database, a scanner can verify the following with high confidence:

  • RLS disabled on a table. PostgREST returns rows for an anonymous SELECT when RLS is not enabled, or when a policy allows it. The scan cannot tell the two apart from outside, and both are findings: either way, anonymous reads succeed.
  • The anonymous role can list tables. A GET /rest/v1/ with the anon key returns the OpenAPI schema for every table on which the anon role holds any privilege. AI-generated apps routinely grant USAGE on the schema and SELECT on every table (and Supabase's default privileges on the public schema already give anon table-level access), which exposes the full schema map even when the actual reads are blocked by RLS.
  • The anonymous role can insert. A probing POST with a guessed column shape succeeds when RLS is off, or when an INSERT policy with an unrestricted WITH CHECK admits the anon role, even when SELECT is locked down.
  • The service-role key is in the browser bundle. This trumps RLS entirely: if a scanner finds SUPABASE_SERVICE_ROLE_KEY or a JWT carrying role: service_role in the JavaScript bundle, RLS is moot, because the holder of that key bypasses every policy.

What an external scan cannot verify

Be honest about the scanner's limits. An external RLS scan cannot read your pg_policies table, your migration files, or the intended semantics of a policy. It infers from black-box behaviour, which means it will occasionally flag a finding that is in fact deliberately public data (a marketing newsletter table, a public product catalog). The FixVibe report marks these as medium confidence when the intent is unclear; check the table name and decide.

The four broken-RLS patterns that AI tools produce

When Cursor, Claude Code, Lovable, or Bolt is pointed at Supabase, the same four broken-RLS patterns appear across thousands of apps. Each one passes type-check, compiles, and ships:

Pattern 1: RLS not enabled

The most common one. The migration creates the table, but the developer (or the AI tool) forgets ALTER TABLE ... ENABLE ROW LEVEL SECURITY. PostgREST happily serves the whole table to whoever holds the anon key. Fix: ALTER TABLE public.[name] ENABLE ROW LEVEL SECURITY; ALTER TABLE public.[name] FORCE ROW LEVEL SECURITY;. FORCE is not optional: without it the table owner bypasses every policy (superusers and roles with BYPASSRLS do so regardless of FORCE).

sql
ALTER TABLE public.[name] ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.[name] FORCE ROW LEVEL SECURITY;

Pattern 2: RLS enabled, no policies

A subtler one. RLS is enabled but no policy has been written. With RLS enabled and no policies, the PostgreSQL default is deny for every role, so even authenticated users see nothing; the developer then reaches for USING (true) to get the app working at all, which lets every caller, anon key included, read every row. Fix: write a policy scoped to auth.uid(): CREATE POLICY "select_own" ON public.[name] FOR SELECT USING (auth.uid() = user_id); plus matching INSERT/UPDATE/DELETE policies.

sql
CREATE POLICY "select_own"
  ON public.[name]
  FOR SELECT
  USING (auth.uid() = user_id);

Pattern 3: The policy compares a column to itself

A copy-paste artefact. The developer writes USING (user_id = user_id), which is true for every row whose user_id is not NULL, instead of USING (auth.uid() = user_id). Type-checks pass; the policy permits every row. Fix: compare the column to something derived from the caller (auth.uid(), auth.jwt()->>'org_id', and so on), never to itself, and treat a bare constant such as USING (true) as a finding unless the table is meant to be public.

Pattern 4: Policy on SELECT but not on INSERT/UPDATE

The developer locks down reads and forgets writes. RLS policies are per command: a FOR SELECT policy says nothing about INSERT, UPDATE, or DELETE. With RLS enabled and no write policy at all, writes are denied by default; the leak appears when a permissive write policy such as FOR INSERT WITH CHECK (true) is added to get the app working, after which anyone holding the anon key can insert rows into a table whose reads are locked down. Fix: write a scoped policy for each command, or use FOR ALL with explicit USING and WITH CHECK clauses (UPDATE needs both: USING selects the rows that may be changed, WITH CHECK constrains what they may become).
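The four patterns above, with the hardened form in one place. This is an added example, not code from this page or from Supabase: the table public.notes and its columns are assumed, auth.uid() is Supabase's helper that returns the caller's user id from the JWT, and the broken policy each pattern produces is shown as a comment beside the correct one.

```sql
-- Added example: one table hardened against all four patterns.
-- Assumed table public.notes(id, user_id, body); not from the original page.
CREATE TABLE IF NOT EXISTS public.notes (
  id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id uuid   NOT NULL DEFAULT auth.uid() REFERENCES auth.users (id),
  body    text   NOT NULL
);

-- Pattern 1: enable, then FORCE so the table owner is not exempt either.
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.notes FORCE ROW LEVEL SECURITY;

-- Pattern 2: RLS on with no policies denies everyone. Do not "fix" that with
--   CREATE POLICY notes_open ON public.notes FOR ALL USING (true);  -- anyone reads everything
-- Scope every policy to the caller and restrict it to the authenticated role,
-- so the anon key gets nothing even if a predicate is later loosened.
CREATE POLICY notes_select_own ON public.notes
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

-- Pattern 3: compare the column to auth.uid(), never to itself.
--   USING (user_id = user_id)  -- true for every row with a non-NULL user_id
CREATE POLICY notes_update_own ON public.notes
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)        -- which existing rows may be targeted
  WITH CHECK (auth.uid() = user_id);  -- what the updated row may look like

-- Pattern 4: writes need their own policies. INSERT policies take only
-- WITH CHECK; WITH CHECK (true) here is what lets the anon key plant rows.
CREATE POLICY notes_insert_own ON public.notes
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY notes_delete_own ON public.notes
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);
```

The TO authenticated clause is the cheap second layer: a policy without TO applies to every role, including anon, so a predicate that is later loosened exposes the table to unauthenticated callers as well. With TO authenticated, the anon key is refused before the predicate is even evaluated.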

How the FixVibe Supabase RLS scanner works

The baas.supabase-rls check runs in three stages, each with an explicit confidence level:

  1. Stage 1 (fingerprint). The scanner crawls the deployed app, parses the JavaScript bundle, and extracts the Supabase project URL and anon key from the runtime configuration. No DNS guessing, no brute force: it reads only what the browser reads.
  2. Stage 2 (schema discovery). A single GET /rest/v1/ with the anon key returns the OpenAPI schema for every table the anon role can see. The scanner records the table names but reads no row data at this stage.
  3. Stage 3 (read and write probes). For each discovered table, the scanner issues one anonymous SELECT with limit=1. If rows come back, RLS is permissive. The scanner stops there: no row enumeration, no pagination, no data modification. INSERT probes are gated behind verified domain ownership and explicit opt-in; they are never run against unverified targets.

Each finding ships with the exact request URL, the response status, the response shape (headers only), and the table name. The AI fix prompt under each finding is a copy-paste SQL block to run in the Supabase SQL editor.

What to do when the scanner finds something

Every RLS finding is a runtime emergency: public PostgREST endpoints are scanned by attackers within minutes. The remediation order is mechanical:

  1. Audit every table. Run SELECT schemaname, tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; in the Supabase SQL editor. Every row with rowsecurity = false is a problem. Note that rowsecurity reports only ENABLE; whether FORCE is set is visible in pg_class.relforcerowsecurity.
  2. Enable RLS on every public table. Default to ENABLE ROW LEVEL SECURITY and FORCE ROW LEVEL SECURITY on every table you create, and bake both into the migration template.
  3. Write policies per command. Do not use FOR ALL USING (true). Write an explicit policy for SELECT, INSERT, UPDATE, and DELETE, each scoped to auth.uid() or to an org-id column taken from auth.jwt().
  4. Verify with a second account. Sign up as another user and try to read the first user's records through the REST API. PostgREST answers 200 either way; the policy is broken if the body contains the other user's rows, and correct if it is an empty array.
  5. Re-run the scan. Once the fix is deployed, re-run the FixVibe scan against the same URL. The baas.supabase-rls finding should clear.

sql
-- Audit every table for missing RLS. Run in the Supabase SQL editor.
SELECT schemaname, tablename, rowsecurity
FROM   pg_tables
WHERE  schemaname = 'public'
ORDER  BY rowsecurity, tablename;
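The audit in step 1 catches only Pattern 1. The block below is an added example (not from this page) that extends the audit to the other three patterns and then performs the step 4 check inside the SQL editor instead of through the REST API. It assumes the table public.notes from the earlier example, and it assumes that auth.uid() reads the sub claim from the request.jwt.claims setting, which is how Supabase's helper function is defined; the two user ids are made up.

```sql
-- Added example, not from the original page: catalog audit for all four
-- patterns, then a two-user verification that never leaves the SQL editor.

-- 1. Tables in public without RLS, or without FORCE (owner still exempt).
SELECT n.nspname AS schema_name, c.relname AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public' AND c.relkind = 'r'
  AND  NOT (c.relrowsecurity AND c.relforcerowsecurity)
ORDER  BY 2;

-- 2. RLS enabled but no policy at all: default deny, which is the moment
--    someone "fixes" the app with USING (true).
SELECT t.tablename
FROM   pg_tables t
LEFT   JOIN pg_policies p
       ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE  t.schemaname = 'public' AND t.rowsecurity
GROUP  BY t.tablename
HAVING count(p.policyname) = 0;

-- 3. Policies whose predicate is unconditional (pattern 2 / pattern 4) or
--    compares an unquoted column to itself (pattern 3). roles = {public}
--    means the policy also applies to the anon role.
SELECT tablename, policyname, cmd, roles, qual, with_check
FROM   pg_policies
WHERE  schemaname = 'public'
  AND (   qual       IN ('true', '(true)')
       OR with_check IN ('true', '(true)')
       OR qual       ~ '^\((\w+) = \1\)$'   -- e.g. (user_id = user_id)
      )
ORDER  BY tablename, policyname;

-- 4. Verify as two different users. SET ROLE works in the SQL editor because
--    the postgres role is a member of authenticated; set_config with
--    is_local = true scopes the claims to this transaction.
BEGIN;
SET LOCAL ROLE authenticated;

SELECT set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
-- Expect at most one group, and its user_id must equal the sub above.
SELECT user_id, count(*) AS visible_rows FROM public.notes GROUP BY user_id;

SELECT set_config('request.jwt.claims',
  '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);
-- Same check for the second user. Any row with a foreign user_id, or a
-- result that lists every user, means the policy is broken.
SELECT user_id, count(*) AS visible_rows FROM public.notes GROUP BY user_id;

ROLLBACK;
```

Query 3 is deliberately conservative: pg_policies stores the predicate as text, so a quoted identifier such as ("userId" = "userId") or a tautology wrapped in extra parentheses will slip past the regex. Treat the query as a fast first pass and read any policy it does not return before trusting it.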

Comparison with other scanners

Generic DAST tools (Burp Suite, OWASP ZAP, Nessus) do not model PostgREST. They crawl your app, pass over the /rest/v1/ path, and report only what they recognise in HTML pages; nothing out of the box interprets an anonymous 200 from that path as an RLS signal. Snyk and Semgrep are static-analysis tools: they find migration files in your repo and the missing RLS statements in them, but they cannot verify that the deployed database is misconfigured. FixVibe sits in between: passive, BaaS-aware, and limited to what an unauthenticated attacker can verify from the public URL.

Frequently asked questions

Does the scanner read or modify my data?

No. Passive scans issue at most a single SELECT ... limit=1 per discovered table to verify whether RLS allows anonymous reads. The scanner records the response shape, not the row contents. INSERT, UPDATE, and DELETE probes are gated behind verified domain ownership and never run against unverified targets.

Does this work if my Supabase project is paused or sits behind a custom domain?

A paused project returns 503 for every request, and the scanner reports the project as unreachable. Custom domains work fine as long as the deployed app still loads the Supabase client SDK in the browser; the scanner extracts the project URL from the bundle either way.

What if I rotate my anon key or switch to a publishable key?

Re-run the scan. The scanner re-extracts the key from the bundle on every run. Rotation only invalidates the previous report, not the database's policy state.

Does the scanner check the new Supabase publishable-key format (sb_publishable_*)?

Yes. The detector recognises both legacy anon JWTs and the new sb_publishable_* keys and treats them identically: both are intended to be public, and both leave RLS as the only line of defence.

Next steps

Run a FixVibe scan against your production URL; the baas.supabase-rls check is enabled on every plan, including the free tier. For a deeper look, see Supabase service role key exposed in JavaScript and the Supabase storage bucket security checklist. For the comparative view across all BaaS providers, read BaaS misconfiguration scanner.

// scan your baas surface

Find the open tables before someone else does.

Paste in a production URL. FixVibe works out which BaaS provider your app talks to, fingerprints its public endpoints, and reports what an unauthenticated client can read or write. No payment, no install, no card.

  • Free tier: 3 scans per month, no card required at signup.
  • Passive BaaS fingerprinting: no domain verification required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompts on every finding: paste them straight back into Cursor / Claude Code.