I Built a CLI to Test Supabase RLS Policies

Rodrigo Tari Carderera — Fri, 17 Oct 2025 13:28:30 +0000

The Problem

RLS policies are a pain to test and the consequences of getting them wrong are serious.

Recently, a Lovable app leaked 13k users' data due to broken RLS policies. This isn't uncommon.

With the rise of vibe coded apps, many developers are shipping to production without proper security testing.

The Solution

I built SupaShield a CLI tool that tests your Supabase RLS policies before they hit production:

Introspects your DB schema automatically
Simulates different roles (anon, authenticated, custom JWT claims)
Tests CRUD operations on every RLS enabled table
Wraps everything in transactions with ROLLBACK (no data changes)
Generates snapshots you can diff in CI

Installation

npm install -g supashield

Quick Start

# Set your database URL
export SUPASHIELD_DATABASE_URL="postgresql://..."

# Generate tests and run them
supashield init                        # discover tables and generate tests
supashield test                        # test all RLS policies
supashield test --table public.users   # test specific table
supashield test --as-user admin@company.com  # test with real user
supashield users                       # list users from auth.users for testing
supashield export-pgtap -o tests.sql   # export tests to pgTap format

Example Output

Testing public.users:
  anonymous_user:
    SELECT: ALLOW (expected DENY) - MISMATCH!
    INSERT: DENY (expected DENY) - PASS
  authenticated_user:
    SELECT: ALLOW (expected ALLOW) - PASS
    INSERT: DENY (expected ALLOW) - MISMATCH!

Results: 2 passed, 2 failed
2 policy mismatches detected!

It's not a substitute for proper security reviews as attackers will always find crafty exploits.

But it catches the obvious mistakes before they leak user data.

Try It Out

The tool is open source (MIT licensed) and available on GitHub: https://github.com/Rodrigotari1/supashield

Open to feedback!