Show HN: CLI to Test Supabase RLS Policies (github.com)
4 points by rodrigotarca 242 days ago
I'm seeing how many vibe-coded apps using Supabase there are nowadays that don't even test their RLS policies, and that's a pretty terrifying thought.

Half of these apps could have their entire DB exposed to the public and nobody would know until it's too late. Recently an app leaked 13k users' data because of broken RLS.

So I built a CLI to test RLS policies before prod:

- Introspects your DB schema
- Simulates different roles (anon, authenticated, custom JWT claims)
- Tries CRUD operations on every RLS-enabled table
- Wraps everything in transactions with ROLLBACK (no actual data changes)
- Generates snapshots you can diff in CI

It's not a substitute for proper security reviews (attackers will always find crafty exploits). But it catches the obvious mess-ups before they leak user data.

https://github.com/Rodrigotari1/supashield

What's your RLS testing workflow? What edge cases am I missing?
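The procedure the post lists (simulate a role and its JWT claims, try CRUD against an RLS-enabled table, roll everything back) can be hand-rolled in plain SQL, which is also a useful way to understand what such a tool is actually checking. The script below is an added example written for this page, not code from supashield or the original post. It assumes a Supabase Postgres with the standard anon and authenticated roles and the auth.uid() helper, run with psql as the postgres role (which is a member of both roles and can SET ROLE to them); the notes table, its policy, the two user UUIDs and the seed rows are hypothetical and exist only for this run.

```sql
-- Added example (not supashield's code): a minimal RLS check harness for a
-- Supabase Postgres. Assumes roles anon/authenticated and auth.uid() exist.
-- Everything, including the table under test, is created inside one
-- transaction that ends in ROLLBACK, so nothing persists.
BEGIN;

-- Hypothetical table under test.
CREATE TABLE public.notes (
  id       bigserial PRIMARY KEY,
  owner_id uuid NOT NULL,
  body     text NOT NULL
);
ALTER TABLE public.notes ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.notes TO anon, authenticated;
GRANT USAGE ON SEQUENCE public.notes_id_seq TO anon, authenticated;

-- The policy under test: a signed-in user may only see and touch their own
-- rows. No policy is created for anon, so RLS should deny anon everything.
CREATE POLICY notes_owner_only ON public.notes
  FOR ALL TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- Seed rows for two users. We are still the table owner here, which
-- bypasses RLS (constructed sample data).
INSERT INTO public.notes (owner_id, body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'alice private'),
  ('22222222-2222-2222-2222-222222222222', 'bob private');

-- Check 1: an anonymous request. PostgREST runs these as role anon with a
-- JWT whose role claim is "anon". set_config(..., true) is transaction-local.
SET LOCAL ROLE anon;
SELECT set_config('request.jwt.claims', '{"role":"anon"}', true);
DO $$
DECLARE n int;
BEGIN
  SELECT count(*) INTO n FROM public.notes;
  IF n <> 0 THEN
    RAISE EXCEPTION 'anon can read % row(s) of public.notes', n;
  END IF;
END $$;
RESET ROLE;

-- Check 2: Alice, signed in. auth.uid() reads the sub claim set here.
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
DO $$
DECLARE n int;
BEGIN
  SELECT count(*) INTO n FROM public.notes;
  IF n <> 1 THEN
    RAISE EXCEPTION 'alice sees % row(s), expected only her own', n;
  END IF;

  -- Cross-tenant UPDATE: RLS silently filters rather than erroring, so the
  -- check is "zero rows affected", not "statement failed".
  UPDATE public.notes SET body = 'tampered'
   WHERE owner_id = '22222222-2222-2222-2222-222222222222';
  IF FOUND THEN
    RAISE EXCEPTION 'alice updated bob''s row';
  END IF;

  -- Spoofed owner_id on INSERT: WITH CHECK must reject it with SQLSTATE
  -- 42501 ("new row violates row-level security policy").
  BEGIN
    INSERT INTO public.notes (owner_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'forged');
    RAISE EXCEPTION 'alice inserted a row owned by bob';
  EXCEPTION WHEN insufficient_privilege THEN
    NULL;  -- this is the expected outcome
  END;
END $$;
RESET ROLE;

-- Nothing above persists, whether the checks passed or not.
ROLLBACK;
```

Run it with psql -v ON_ERROR_STOP=1 -f rls_check.sql "$DATABASE_URL"; any failed check raises, psql exits non-zero, and the transaction is rolled back either way, which is what makes it usable as a CI gate. Two caveats a practitioner would want: set_config only emulates the claims PostgREST would inject, so it says nothing about the JWT itself being verified; and it exercises table RLS only, not Storage policies or anything done with the service_role key, which bypasses RLS by design.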

2 comments

Very cool, I've been in need of something like this even though I only have a few RLS policies (better start now than later, right?)

Kudos

Edit: does this also allow checking for the storage (buckets) RLS as well or just the DB tables? Thx

Just pushed an update: you can run supashield init to discover your buckets, then supashield test-storage to test them separately from tables.
Thanks! Right now it only tests DB table RLS policies, not storage buckets. Storage RLS is a good idea though; I'll add it to the roadmap.
Super useful! I have had permission issues with my DB more times than I'd like to admit.