Securie for Supabase — RLS validation + migration scanning

in-progress

Every Supabase migration in your repository gets validated before merge: RLS-disabled tables flagged, missing tenant scoping detected, over-broad anon-role grants caught, service-role key leaks into client code blocked. Browser-based checks at /signup cover the passive-check subset.

What it does

Validates every migration for four classes of problem. (1) Tables without RLS enabled: the single most common Supabase leak, because a table in an API-exposed schema with RLS off is readable (and, to the extent of the role's grants, writable) by any client holding the anon key. (2) Policies missing tenant scoping (for example `using (true)`): the multi-tenant cross-leak pattern, where any logged-in user can read every tenant's rows. (3) The service-role key appearing in client-reachable code paths: the 'admin SDK in frontend' bug; the service-role key bypasses RLS entirely, so shipping it in a browser bundle hands every row to anyone who reads the JavaScript. (4) Over-broad grants (`grant select on ... to anon` when it should be `authenticated`). For each finding, Securie generates the corrected migration SQL and reproduces the exploit in a sandbox fork of your project before shipping the fix.
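
The following is an added example, not Securie's code or output: a minimal scanner for the four problem classes above, run over a constructed migration and two constructed client files. It judges the migration's final state statement by statement, so the fix SQL it emits can be appended and re-checked. The regexes, the `TENANT_COLS` naming heuristic, the list of browser-shipped directories, and the choice of `auth.uid()` for the scoped policy are all assumptions made for the example.

```python
"""Added example (not Securie's code): a minimal scanner for RLS-disabled tables,
unscoped policies, anon grants and service-role keys in client code."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str      # rls_disabled | policy_unscoped | anon_grant | service_key_in_client
    subject: str   # table, policy or file path the finding is about
    fix_sql: str   # corrected SQL; empty for the client-code finding

F = re.I | re.S
TABLE_RE = re.compile(r"create\s+table\s+(?:if\s+not\s+exists\s+)?([\w.]+)\s*\((.*)\)", F)
RLS_RE = re.compile(r"alter\s+table\s+(?:if\s+exists\s+)?([\w.]+)\s+enable\s+row\s+level\s+security", F)
POLICY_RE = re.compile(r'create\s+policy\s+("[^"]+"|\w+)\s+on\s+([\w.]+)(.*)', F)
DROP_POLICY_RE = re.compile(r'drop\s+policy\s+(?:if\s+exists\s+)?("[^"]+"|\w+)\s+on\s+([\w.]+)', F)
GRANT_RE = re.compile(r"grant\s+([\w\s,]+?)\s+on\s+(?:table\s+)?([\w.]+)\s+to\s+anon\b", F)
REVOKE_RE = re.compile(r"revoke\s+([\w\s,]+?)\s+on\s+(?:table\s+)?([\w.]+)\s+from\s+anon\b", F)
TENANT_RE = re.compile(r"auth\.(?:uid|jwt)\s*\(", F)          # policy body ties rows to the caller
SERVICE_KEY_RE = re.compile(r"service[_-]?role", F)
TENANT_COLS = ("user_id", "owner", "org_id", "tenant_id")      # assumed naming convention
CLIENT_DIRS = ("src/", "app/", "pages/", "components/", "public/")  # assumed browser-shipped paths

def tenant_column(cols: str):
    """First TENANT_COLS name in a column-definition list (naive comma split; assumption)."""
    names = {c.split()[0].lower() for c in cols.split(",") if c.strip()}
    return next((c for c in TENANT_COLS if c in names), None)

def scan_migration(sql: str) -> list[Finding]:
    """Walk the migration statement by statement and judge its final state, so a later
    'drop policy' or 'revoke' (e.g. from an appended fix) cancels an earlier problem."""
    tables, rls_on, policies, anon_grants = {}, set(), {}, {}
    for stmt in (s.strip() for s in sql.split(";") if s.strip()):
        if m := TABLE_RE.match(stmt):
            tables[m.group(1).lower()] = m.group(2)
        elif m := RLS_RE.match(stmt):
            rls_on.add(m.group(1).lower())
        elif m := POLICY_RE.match(stmt):
            policies[(m.group(2).lower(), m.group(1).strip('"'))] = m.group(3)
        elif m := DROP_POLICY_RE.match(stmt):
            policies.pop((m.group(2).lower(), m.group(1).strip('"')), None)
        elif m := GRANT_RE.match(stmt):
            anon_grants.setdefault(m.group(2).lower(), set()).update(p.strip().lower() for p in m.group(1).split(","))
        elif m := REVOKE_RE.match(stmt):
            anon_grants.get(m.group(2).lower(), set()).difference_update(p.strip().lower() for p in m.group(1).split(","))
    findings = []
    for table, cols in tables.items():
        if table not in rls_on:  # (1) with RLS off, every row is reachable via the API with the anon key
            findings.append(Finding("rls_disabled", table, f"alter table {table} enable row level security;"))
    for (table, name), body in policies.items():
        if not TENANT_RE.search(body):  # (2) e.g. using (true): any logged-in user sees every tenant's rows
            col = tenant_column(tables.get(table, "")) or "user_id"  # org-level tenancy would compare a JWT claim instead
            findings.append(Finding("policy_unscoped", f"{name} on {table}",
                f'drop policy "{name}" on {table};\n'
                f'create policy "{name}" on {table} for select to authenticated using ({col} = auth.uid());'))
    for table, privs in anon_grants.items():
        if privs:  # (4) anon holds privileges meant for logged-in users
            p = ", ".join(sorted(privs))
            findings.append(Finding("anon_grant", table,
                f"revoke {p} on {table} from anon;\ngrant {p} on {table} to authenticated;"))
    return findings

def scan_client(path: str, source: str) -> list[Finding]:
    """(3) service-role key (bypasses RLS) referenced from a file the browser bundle ships.
    Server-side code such as supabase/functions/ may legitimately hold it and is not flagged."""
    if path.startswith(CLIENT_DIRS) and SERVICE_KEY_RE.search(source):
        return [Finding("service_key_in_client", path, "")]
    return []

def fix_sql(findings) -> str:
    return "\n".join(f.fix_sql for f in findings if f.fix_sql)

# Constructed sample input, not taken from any real project.
MIGRATION = """
create table public.invoices (
  id uuid primary key,
  org_id uuid not null,
  amount numeric
);
create table public.notes (
  id uuid primary key,
  owner uuid not null,
  body text
);
alter table public.notes enable row level security;
create policy "notes read" on public.notes for select using (true);
grant select on public.invoices to anon;
"""
CLIENT_FILES = {
    "src/lib/supabase.js": """
import { createClient } from '@supabase/supabase-js'
export const supabase = createClient(import.meta.env.VITE_SUPABASE_URL,
                                     import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY)
""",
    "supabase/functions/admin/index.ts": """
const admin = createClient(Deno.env.get('SUPABASE_URL')!, Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!)
""",
}

def demo():
    """Returns (finding kinds on the sample, findings left after appending the generated fix)."""
    findings = scan_migration(MIGRATION) + [f for p, s in CLIENT_FILES.items() for f in scan_client(p, s)]
    after_fix = scan_migration(MIGRATION + "\n" + fix_sql(findings))
    return [f.kind for f in findings], after_fix

if __name__ == "__main__":
    kinds, after_fix = demo()
    print(kinds, "remaining after fix:", len(after_fix))
    print(fix_sql(scan_migration(MIGRATION)))
```

On the sample input this reports one finding of each class and, once the generated SQL is appended to the migration, none; the edge-function file holding the service-role key is deliberately left alone, since that is the server-side place it belongs. A production scanner would parse SQL properly rather than split on semicolons, and would infer the tenant column from foreign keys and existing policies rather than from a name list.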

When to use it

Best fit: any team using Supabase in production. Especially valuable for teams using AI coding tools (Lovable, Bolt, Cursor, v0) because those tools generate Supabase client code that mixes roles and omits RLS — the exact patterns Securie is tuned to catch.

Limitations

The GitHub App is on a managed rollout. The in-browser checker at /signup covers only passive, unauthenticated checks; it cannot see your migrations repo, so it will not report RLS, policy-scoping or grant findings. Self-hosted Supabase with custom auth is supported but requires additional setup.

Install

  1. When the GitHub App is live: install the Securie GitHub App on the repo containing your supabase/ directory
  2. Securie auto-detects supabase/migrations/, supabase/seed.sql, and any Supabase client initialization
  3. On every PR touching schema, Securie runs RLS analysis and posts results as a PR comment
  4. Fix PRs are offered with the exact corrected policy SQL
  5. Until then, use the in-browser checker at /signup for the passive checks available today