Securie for Supabase — RLS validation + migration scanning
Status: in progress. In private beta via the Securie GitHub App. Every Supabase migration in your repository gets validated before merge: RLS-disabled tables flagged, missing tenant scoping detected, over-broad anon-role grants caught, service-role key leaks into client code blocked. The free browser-based RLS scanner at /signup is available today and covers the passive-check subset.
What it does
Validates every migration for four classes of problem:
- Tables without RLS enabled — catches the single most common Supabase leak.
- Policies missing tenant scoping — catches the multi-tenant cross-leak pattern.
- Service-role key appearing in client-reachable code paths — catches the 'admin SDK in frontend' bug.
- Over-broad grants (`grant select on ... to anon` when it should be `authenticated`).
For each finding, Securie generates the corrected migration SQL and reproduces the exploit in a sandbox fork of your project before shipping the fix.
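To make the first, second and fourth classes concrete, here is an added illustration (not Securie output or code) of a migration that contains all three findings, followed by the corrected form Securie would aim for. The `invoices` and `tenant_members` tables and their columns are assumptions; `anon`, `authenticated` and `auth.uid()` are Supabase's own roles and helper.

```sql
-- Constructed example migration, not Securie output. Tenancy is modelled
-- with an assumed public.tenant_members(user_id, tenant_id) table.

-- BEFORE: all three findings present
create table public.invoices (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  amount    numeric not null
);
-- (1) no `enable row level security`: every row is reachable through the API
-- (4) over-broad grant: unauthenticated clients can read the whole table
grant select on public.invoices to anon;
-- (2) policy with no tenant scoping: any signed-in user sees every tenant
create policy "read invoices" on public.invoices
  for select to authenticated using (true);

-- AFTER: corrected
drop policy if exists "read invoices" on public.invoices;
-- Supabase's default privileges already grant anon access to new tables in
-- public, so the revoke matters even when no explicit grant was written.
revoke select on public.invoices from anon;
grant select, insert on public.invoices to authenticated;
alter table public.invoices enable row level security;
-- Scope every row to tenants the caller belongs to. auth.uid() returns the
-- JWT subject; wrapping it in a subselect lets Postgres evaluate it once
-- per query rather than once per row.
create policy "tenant members read invoices" on public.invoices
  for select to authenticated
  using (
    tenant_id in (
      select tenant_id from public.tenant_members
      where user_id = (select auth.uid())
    )
  );
-- Writes need the same scoping, or a client could insert rows into
-- another tenant.
create policy "tenant members insert invoices" on public.invoices
  for insert to authenticated
  with check (
    tenant_id in (
      select tenant_id from public.tenant_members
      where user_id = (select auth.uid())
    )
  );
```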
When to use it
Best fit: any team using Supabase in production. Especially valuable for teams using AI coding tools (Lovable, Bolt, Cursor, v0) because those tools generate Supabase client code that mixes roles and omits RLS — the exact patterns Securie is tuned to catch.
Limitations
The GitHub App integration is pre-launch. The free in-browser scanner at /signup works today but covers only passive unauthenticated checks (it cannot see your migrations repo). Self-hosted Supabase with custom auth is supported but requires additional setup.
Install
- When the GitHub App is live: install the Securie GitHub App on the repo containing your supabase/ directory
- Securie auto-detects supabase/migrations/, supabase/seed.sql, and any Supabase client initialization
- On every PR touching schema, Securie runs RLS analysis and posts results as a PR comment
- Fix PRs are offered with the exact corrected policy SQL
- In the meantime: use the free scanner at /signup in your browser for passive checks today