supafix

What it checks

Every common Supabase security hole.

Checks your migrations, source code, config files, and Edge Functions — not just patterns, but context.

🔐

RLS Policies

Table with no Row Level Security
RLS enabled but no policies (all queries denied)
USING (true) — unconditionally permissive
Tenant column not enforced in any policy
Missing WITH CHECK on write policies
user_metadata used for RBAC

🔑

Auth Misuse

getSession() as server-side auth gate
createBrowserClient in server files
auth.admin outside admin routes
Edge functions without auth forwarding

🛤

API Routes

Exported handler with no auth pattern
Template literal in Supabase query (SQL injection)
Raw req.json() piped into insert (mass assignment)
ID param without ownership check (IDOR)

📦

Storage Security

public: true bucket in migrations or code
USING (true) on storage.objects
dangerouslyAllowBrowser: true
Signed URL with expiry > 7 days

🔒

Secrets & Credentials

Stripe, OpenAI, Anthropic, GitHub, Slack keys
AWS Access Key ID & Secret
DB connection strings with credentials
Private key blocks, Firebase service accounts
.env not in .gitignore

⚡

Edge Functions

Supabase client without auth header forwarding
Wildcard CORS with authenticated operations
Hardcoded JWT in function source
DB access without user identity check

Security grade

Know your score. Share it.

Every scan ends with a letter grade. Add a badge to your README — or keep it private and work through the findings.

No findings

Warnings only
(≤ 2)

Warnings only
(3+)

1–2 critical
issues

3+ critical
issues

$ npx supafix --badge

# Paste this into your README

[![supafix](https://img.shields.io/badge/supabase--guard%3A+A-brightgreen?logo=supabase&logoColor=white)](https://github.com/noblleai/supafix)

Auto-fix

It doesn't just report.
It fixes.

Run --fix and supafix generates a migration for your RLS gaps and updates your .gitignore — then tells you what it couldn't touch and why.

supafix --fix

supafix v0.2.0 --fix mode ───────────────────────────────────────────── Auto-fixed ───────────────────────────────────────────── ✔ Created supabase/migrations/20260622120000_supabase_guard_fixes.sql · Enable RLS on "orders" · Stub policy for "products" (needs customisation) ✔ Updated .gitignore · Added ".env.local" Needs manual attention (3 issues) ───────────────────────────────────────────── ✖ getSession() used for server-side auth in app/api/posts/route.ts ✖ Stripe secret key found in source → lib/stripe.ts:3 ✖ Policy "insert_post" uses user_metadata for RBAC Run npx supafix to verify. ⚠ Review the generated migration before running supabase db push.

CI integration

Ship it. Then keep it clean.

Drop the GitHub Action in your workflow. It outputs the security grade, finding counts, and a JSON results file as step outputs.

.github/workflows/security.yml

# One-line action - uses: noblleai/supafix@v1 with: fail-on: critical # critical | warning | info | none # Or run directly and use the outputs - uses: noblleai/supafix@v1 id: audit with: fail-on: none - run: echo "Grade is ${{ steps.audit.outputs.grade }}"

outputs.grade

Security grade — A, B, C, D, or F

outputs.critical-count

Number of critical findings

outputs.results-path

Path to the full JSON results file

Security audit forSupabase projects.

Every common Supabase security hole.

Know your score. Share it.

It doesn't just report.It fixes.

Ship it. Then keep it clean.

Security audit for
Supabase projects.

It doesn't just report.
It fixes.