I built a Supabase security tool, then found 14 critical leaks in my own production CRM

DEV Community·Perufitlife·21 days ago

I've been working on an open-source security auditor for Supabase projects for the last few weeks (supabase-security on npm, MIT licensed, ~4k weekly downloads). It probes anonymously to find RLS gaps, public storage buckets, SECURITY DEFINER functions exposed to anon, that kind of thing.

This morning I shipped a new feature: a --discover mode. It is keyless: it walks your local repo, pulls every table / RPC / bucket reference from .from() / .rpc() / .storage.from() call sites, then probes only the surface your app actually uses with the public anon key. No PAT, no admin token, no signup.

Before announcing it, I wanted to run it against my own production CRM as the final QA test. Worst case it finds zero issues and I look smart.…
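
The discovery step described above, as an added example that is not the supabase-security package's own code: a minimal Node script that walks a source tree, finds supabase-js call sites of the shape `.from('x')`, `.rpc('x')` and `.storage.from('x')`, and returns the tables, RPCs and buckets the app references. Call sites whose argument is not a string literal cannot be resolved statically, so they are counted separately for manual review. Function names, the `Array.from` exclusion and the constructed sample source are assumptions for illustration; the probing step is out of scope here.

```javascript
// Added example, not the supabase-security project's code. Extracts the
// tables, RPCs and storage buckets a codebase references so the attack
// surface an auditor should check is the one the app actually uses.

// .from('x') and .storage.from('x'); group 1 is set when the receiver is
// .storage, so buckets are not also recorded as tables. Array.from(...) is
// excluded because it is a JavaScript builtin, not a Supabase call.
const FROM_RE = /(?<!Array)(\.storage\s*)?\.from\s*\(\s*(['"`])([^'"`]+)\2\s*\)/g;
// .rpc('x')
const RPC_RE = /\.rpc\s*\(\s*(['"`])([^'"`]+)\1/g;
// .from(expr) / .rpc(expr) where expr is not a string literal: unresolvable.
const DYNAMIC_RE = /(?<!Array)\.(?:from|rpc)\s*\(\s*(?!['"`])[^)\s]/g;

function extractReferences(source) {
  const refs = { tables: new Set(), rpcs: new Set(), buckets: new Set(), dynamic: 0 };
  for (const m of source.matchAll(FROM_RE)) {
    (m[1] ? refs.buckets : refs.tables).add(m[3]);
  }
  for (const m of source.matchAll(RPC_RE)) refs.rpcs.add(m[2]);
  refs.dynamic = [...source.matchAll(DYNAMIC_RE)].length;
  return refs;
}

// Sorted plain arrays so the result is stable and easy to diff between runs.
function summarize(refs) {
  return {
    tables: [...refs.tables].sort(),
    rpcs: [...refs.rpcs].sort(),
    buckets: [...refs.buckets].sort(),
    dynamic: refs.dynamic,
  };
}

// Recursively list JS/TS source files, skipping node_modules and dotfiles.
function walk(dir, exts = new Set([".js", ".jsx", ".ts", ".tsx"])) {
  const fs = require("fs");
  const path = require("path");
  const out = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (entry.name === "node_modules" || entry.name.startsWith(".")) continue;
    const p = path.join(dir, entry.name);
    if (entry.isDirectory()) out.push(...walk(p, exts));
    else if (exts.has(path.extname(entry.name))) out.push(p);
  }
  return out;
}

// Merge references from every file under rootDir into one inventory.
function discover(rootDir) {
  const fs = require("fs");
  const merged = { tables: new Set(), rpcs: new Set(), buckets: new Set(), dynamic: 0 };
  for (const file of walk(rootDir)) {
    const r = extractReferences(fs.readFileSync(file, "utf8"));
    for (const k of ["tables", "rpcs", "buckets"]) r[k].forEach((v) => merged[k].add(v));
    merged.dynamic += r.dynamic;
  }
  return summarize(merged);
}

// Constructed sample source (not from any real project) covering each shape.
const SAMPLE_SOURCE = `
const { data } = await supabase.from('contacts').select('*');
await supabase.from("deals").insert(row);
await supabase.rpc('merge_contacts', { a, b });
const { data: url } = supabase.storage.from('avatars').getPublicUrl(p);
const xs = Array.from(ids);                 // builtin, not a table
await supabase.from(tableName).select();    // dynamic: flagged, not resolved
`;

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const inventory = target ? discover(target) : summarize(extractReferences(SAMPLE_SOURCE));
  console.log(JSON.stringify(inventory, null, 2));
}
```

Run with a path argument to inventory a real checkout, or with none to see the result for the embedded sample. A non-zero `dynamic` count is the number that matters most for an audit: each such call site names a table or RPC the static pass cannot see, so RLS on those objects still has to be confirmed by hand.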
