Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
Overview
Supabase powers thousands of production apps, but a table created without Row Level Security is served, in full, to anyone holding the project's public anon key. Our scanner checks Row Level Security policies, exposed REST and Realtime endpoints, auth configuration, storage bucket policies, and edge function security to ensure your Supabase backend is locked down.
What this scanner does
Connects to your Supabase project and analyzes RLS policies on all tables, checks for publicly accessible data through the REST API, verifies auth settings (email confirmation, MFA enablement), audits storage bucket policies, and tests edge function authentication requirements.
Why it matters
Supabase exposes every table in the exposed schema (public by default) through an auto-generated REST API, and the anon key shipped in your frontend is a valid credential for that API. On a table where RLS is not enabled, anyone with that key can read, insert, update, or delete every row, whether or not they have signed in; enabling RLS without writing policies blocks the API roles entirely, so the fix is RLS plus policies scoped to the calling user. Note that the service_role key bypasses RLS altogether and must never reach a client. Forgetting RLS is the #1 security mistake in Supabase projects and has led to numerous data breaches in production applications.
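The following is an added example, not the scanner's own code or anything from Supabase's documentation. It shows the weak shape described above (a public table with RLS never enabled) beside the hardened shape, and then the two audit queries a practitioner would run as a privileged database user to find the same problems the scanner reports: tables in the exposed schema without RLS, and policies that grant a blanket true to the anon role. The table name profiles and column owner_id are hypothetical; auth.uid(), auth.users, and the anon/authenticated/service_role roles are standard Supabase.

```sql
-- Added example (hypothetical table "profiles"); not the scanner's code.

-- WEAK: a table in the exposed "public" schema with RLS never enabled.
-- PostgREST serves every row to any caller presenting the anon key.
create table public.profiles (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),
  email      text not null,
  created_at timestamptz not null default now()
);

-- HARDENED: enable RLS and scope each operation to the calling user.
-- With RLS on and no policies, anon and authenticated are denied, so
-- every action the app needs gets an explicit policy.
alter table public.profiles enable row level security;

create policy "profiles: owner can read"
  on public.profiles for select
  to authenticated
  using (auth.uid() = owner_id);

create policy "profiles: owner can insert own row"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = owner_id);

create policy "profiles: owner can update"
  on public.profiles for update
  to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

-- service_role bypasses RLS entirely; it belongs on the server only.

-- AUDIT 1: tables in the exposed schema with RLS disabled.
-- Every row returned is reachable in full with the anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by schemaname, tablename;

-- AUDIT 2: RLS is on, but no policy exists. Not an exposure (the API
-- roles are denied), but usually a sign the hardening is unfinished.
select t.schemaname, t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and t.rowsecurity
group by t.schemaname, t.tablename
having count(p.policyname) = 0;

-- AUDIT 3: policies that hand anon (or the implicit PUBLIC role, which
-- is what you get when "to" is omitted) an unconditional "true".
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (roles @> '{anon}'::name[] or roles = '{public}'::name[])
  and (qual = 'true' or with_check = 'true')
order by tablename, policyname;
```

Run the audit queries through the SQL editor or psql as the postgres user; the API roles cannot see other tables' policies. A hit in AUDIT 3 is not automatically wrong (a public read-only catalog is a legitimate use), but an unconditional policy for insert, update, or delete to anon almost never is.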
Common findings
OWASP Top 10 coverage
Get a full security report with AI-powered fix suggestions in 30 seconds. No setup required.
Related checks
Vulnerability Detection
Detect exposed API keys, tokens, and secrets in your frontend code and responses.
Vulnerability Detection
Test your login, signup, and password reset flows for common security weaknesses.
Configuration Audit
Check Firebase Security Rules, authentication settings, and Firestore/RTDB access controls.