npm package discovery and stats viewer.

© 2026 – Pkg Stats / Ryan Hefner

supasec

v1.0.6

Published

A free, open-source CLI tool for comprehensive Supabase security auditing

Readme

🔒 SupaSec

A free, open-source CLI tool for comprehensive Supabase security auditing.

🚀 Quick Start

Scan any Supabase-powered website instantly:

npx supasec scan https://myapp.com

✨ Features

  • 🔍 Secret Detection - Find exposed API keys, service role keys, and credentials with JWT permission level analysis
  • 🛡️ RLS Analysis - Detect missing or misconfigured Row Level Security policies
  • 🧪 RLS Fuzzing - Actually test data access to confirm RLS effectiveness
  • ⚡ RPC Scanner - Detect dangerous RPC functions and SQL injection risks
  • 🗄️ Storage Scanner - Check bucket ACLs, file type restrictions, and exposed sensitive files
  • 🔐 Auth Config - Validate MFA, password policies, email verification, and JWT settings
  • 📜 Git History - Scan commits for secrets and .env files
  • 📸 Snapshots - Track security posture changes over time with diff capabilities
  • 📊 Security Grading - Get an A-F grade with actionable recommendations
  • 🔧 Auto-Fix - Interactive wizard to automatically fix vulnerabilities
  • 📈 CI/CD Ready - Integrate with GitHub Actions, GitLab CI, and more
  • 💯 Free & Open Source - No paywalls, no subscriptions

📋 Installation

Using npx (Recommended)

npx supasec scan <url>

Global Installation

npm install -g supasec
supasec scan <url>

🔧 Usage

Basic Scan

# Scan a website
supasec scan https://myapp.com

# Scan with authentication
supasec scan https://myapp.com --project-url https://abc.supabase.co --service-key xxx

# Deep scan with RLS fuzzing
supasec scan https://myapp.com --deep --project-url https://abc.supabase.co --anon-key xxx

# Scan local project
supasec scan --local

# Create security snapshot
supasec snapshot create --name pre-deploy-v1.0.6

# Compare snapshots
supasec snapshot diff pre-deploy-v1.0.6 post-deploy-v1.0.6

Output Formats

# Terminal output (default)
supasec scan https://myapp.com

# JSON output
supasec scan https://myapp.com --format json

# HTML report
supasec scan https://myapp.com --format html --output report.html

CI/CD Integration

# Fail on critical or high severity issues
supasec scan https://myapp.com --fail-on critical,high

# Quiet mode for CI
supasec scan https://myapp.com --format json --quiet --output audit.json

🛠️ Auto-Fix (Coming Soon)

Fix vulnerabilities interactively:

supasec fix --interactive

Or apply fixes automatically:

supasec fix --auto --backup

Note: The fix command is planned for a future release.

🔐 Security Checks

SupaSec performs comprehensive security checks across multiple categories:

Secrets Detection

  • ✅ Service role key exposure with JWT permission analysis
  • ✅ Anon key validation and permission levels
  • ✅ Third-party API keys (Stripe, OpenAI, AWS, etc.)
  • ✅ JWT token exposure and decoding
  • ✅ Private keys in bundles
  • ✅ Git history scanning for committed secrets
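The "JWT permission analysis" named above works because Supabase anon and service_role keys are JWTs whose payload is only base64url-encoded, so the `role` claim can be read without the signing secret. The following is an added example of that inspection, not code from the supasec project; the regex, finding shape and severities are this example's assumptions, and the sample bundle and keys are constructed with a dummy signature.

```javascript
// Added example (not supasec's own code): classify Supabase API keys found in a
// client bundle by the `role` claim of their JWT payload. Inspection only: the
// signature is never verified and the key is never used against any endpoint.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g; // base64url of '{"' is "eyJ"

// Severities are this example's assumptions, not supasec's rating.
function classifyKey(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'not-a-jwt', severity: 'info' };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { kind: 'not-a-jwt', severity: 'info' };
  }
  const base = { ref: claims.ref ?? null, exp: claims.exp ?? null }; // ref = Supabase project ref
  switch (claims.role) {
    case 'service_role': // bypasses RLS entirely; must never ship in a browser bundle
      return { ...base, kind: 'service_role', severity: 'critical' };
    case 'anon':         // public by design, but only as safe as the RLS policies behind it
      return { ...base, kind: 'anon', severity: 'info' };
    default:
      return { ...base, kind: 'unknown-role', severity: 'medium', role: claims.role ?? null };
  }
}

// Find every JWT-shaped string in a text blob and classify it, deduplicated by token.
function scanBundle(text) {
  const seen = new Set();
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    if (seen.has(m[0])) continue;
    seen.add(m[0]);
    findings.push({ offset: m.index, ...classifyKey(m[0]) });
  }
  return findings;
}

// Constructed sample: tokens shaped like Supabase keys, signed with a dummy "sig".
function fakeKey(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ iss: 'supabase', ref: 'abc', role, exp: 2000000000 })}.c2ln`;
}
const SAMPLE_BUNDLE = `const SUPABASE_URL="https://abc.supabase.co";
const ANON="${fakeKey('anon')}";
const ADMIN="${fakeKey('service_role')}"; // constructed: a key that should never be here
const ADMIN2="${fakeKey('service_role')}";`;

for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(`${f.severity.padEnd(8)} ${f.kind} ref=${f.ref} @${f.offset}`);
```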

RLS Security

  • ✅ Tables without RLS enabled
  • ✅ Missing RLS policies
  • ✅ Bypass policies (USING (true))
  • ✅ Missing user isolation
  • ✅ Public role access
  • ✅ 🆕 RLS Fuzzing - Actually test data access
  • ✅ 🆕 Row count estimation for exposed data
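The RLS checks listed above (tables without RLS, missing policies, USING (true) bypasses, missing user isolation, public role access) can all be derived from Postgres' own catalogs. The block below is an added example of that analysis, not code from the supasec project; it runs over constructed rows shaped like `pg_tables` and `pg_policies`, and every finding code except RLS-001 (taken from the sample output on this page), together with all severities and the auth.uid()/auth.jwt() isolation heuristic, is this example's assumption.

```javascript
// Added example (not supasec's own code): RLS audit over catalog-shaped rows.
// A real run would fetch them with, e.g.
//   SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';
//   SELECT tablename, policyname, permissive, roles, cmd, qual FROM pg_policies;
const TABLES = [ // constructed sample, shaped like pg_tables
  { tablename: 'users',    rowsecurity: false },
  { tablename: 'posts',    rowsecurity: true },
  { tablename: 'invoices', rowsecurity: true },
  { tablename: 'audit',    rowsecurity: true },
  { tablename: 'settings', rowsecurity: true },
];
const POLICIES = [ // constructed sample, shaped like pg_policies
  { tablename: 'posts',    policyname: 'public read', permissive: 'PERMISSIVE', roles: ['public'],        cmd: 'SELECT', qual: 'true' },
  { tablename: 'invoices', policyname: 'own rows',    permissive: 'PERMISSIVE', roles: ['authenticated'], cmd: 'ALL',    qual: '(auth.uid() = owner_id)' },
  { tablename: 'audit',    policyname: 'open write',  permissive: 'PERMISSIVE', roles: ['public'],        cmd: 'UPDATE', qual: 'true' },
];

// Codes other than RLS-001 and all severities are this example's assumptions.
function auditRls(tables, policies, schema = 'public') {
  const findings = [];
  for (const t of tables) {
    const table = `${schema}.${t.tablename}`;
    if (!t.rowsecurity) { // every row is visible to any role holding table grants
      findings.push({ code: 'RLS-001', severity: 'critical', table, msg: 'RLS disabled' });
      continue;
    }
    const pols = policies.filter((p) => p.tablename === t.tablename);
    if (pols.length === 0) { // RLS on with no policies is deny-all for non-owner roles
      findings.push({ code: 'RLS-002', severity: 'low', table, msg: 'RLS enabled but no policies (deny-all)' });
      continue;
    }
    for (const p of pols) {
      const qual = (p.qual ?? '').replace(/\s+/g, '').toLowerCase();
      const publicRole = p.roles.some((r) => r === 'public' || r === 'anon');
      if (p.permissive === 'PERMISSIVE' && qual === 'true') {
        // USING (true) bypass: tolerable for a deliberately public read, not for writes
        const severity = p.cmd === 'SELECT' ? 'medium' : 'high';
        findings.push({ code: 'RLS-003', severity, table, policy: p.policyname, msg: `USING (true) bypass for ${p.cmd}`, publicRole });
      } else if (!/auth\.(uid|jwt)\(\)/.test(qual)) {
        // Heuristic: a qual that never consults the caller's identity isolates nothing
        findings.push({ code: 'RLS-004', severity: 'medium', table, policy: p.policyname, msg: 'no per-user isolation', publicRole });
      }
    }
  }
  return findings;
}

for (const f of auditRls(TABLES, POLICIES)) console.log(`${f.severity.padEnd(8)} ${f.code} ${f.table} ${f.msg}`);
```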

Authentication

  • ✅ Password policy strength
  • ✅ MFA configuration and enforcement
  • ✅ Email verification requirements
  • ✅ JWT expiry settings
  • ✅ Refresh token rotation
  • ✅ Session timeout configuration
  • ✅ Secure email change

Storage Security

  • ✅ Public bucket exposure
  • ✅ File type restrictions
  • ✅ File size limits
  • ✅ Dangerous MIME type detection
  • ✅ Exposed sensitive files (.env, keys)

RPC Security

  • ✅ 🆕 Dangerous function name patterns
  • ✅ 🆕 SECURITY DEFINER checks
  • ✅ 🆕 SQL injection risk detection

Git Security

  • ✅ 🆕 Committed .env files
  • ✅ 🆕 Secrets in commit messages
  • ✅ 🆕 Private keys in history
  • ✅ 🆕 Stashed secrets

Snapshot & Diff

  • ✅ 🆕 Create security snapshots
  • ✅ 🆕 Compare snapshots over time
  • ✅ 🆕 Track security posture changes
  • ✅ 🆕 Grade change tracking

API Security

  • ✅ CORS configuration
  • ✅ GraphQL introspection

📊 Example Output

🔍 SupaSec - Supabase Security Audit v1.0.6
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🎯 Target: https://myapp.com
⏱️  Started: 2026-01-28T14:23:15.000Z

✓ Detected Supabase project
  Found 12 tables, 8 RPCs, 3 storage buckets

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 SCAN SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

❌ CRITICAL: 1 issues
⚠️  HIGH: 2 issues
⚡ MEDIUM: 1 issues

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ CRITICAL (1 issues)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

┌─ RLS-001: Table 'users' has RLS disabled
│ The table 'users' does not have Row Level Security enabled.
│
│ Location: public.users
│ Impact: Complete exposure of 1847 records
│
│ Fix: Enable Row Level Security on table 'users'
│ SQL:
│   ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;
│   CREATE POLICY "Users can only access own data"
│     ON public.users FOR SELECT
│     USING (auth.uid() = id);
└

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📈 SECURITY GRADE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  Grade D - 45/100
  Below average - serious issues found.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛠️  QUICK ACTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Fix critical issues now:
  $ supasec fix --interactive

View detailed report:
  $ supasec report --format html --output report.html

🔄 CI/CD Integration

GitHub Actions

name: Security Audit

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run SupaSec Security Scan
        run: |
          npx supasec scan https://staging.myapp.com \
            --format json \
            --fail-on critical,high \
            --output audit.json
      
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: audit.json

GitLab CI

security_scan:
  stage: security
  image: node:18
  script:
    - npx supasec scan $STAGING_URL
        --format json
        --output audit.json
        --fail-on critical,high
  artifacts:
    paths:
      - audit.json

📚 Documentation

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

Development Setup

# Clone the repository
git clone https://github.com/yourusername/supasec.git
cd supasec

# Install dependencies
npm install

# Build the project
npm run build

# Run in development mode
npm run dev

# Run tests
npm test

📄 License

MIT License - see LICENSE file for details.

🙏 Acknowledgments

  • Inspired by AuditYour.App, SupaShield, and other Supabase security tools
  • Built with ❤️ for the Supabase community

📞 Support


Made with 🔒 by the SupaSec Team