Rodrigo Tari Carderera

I Built a CLI to Test Supabase RLS Policies

The Problem

RLS policies are a pain to test and the consequences of getting them wrong are serious.

Recently, a Lovable app leaked 13k users' data due to broken RLS policies. This isn't uncommon.

With the rise of vibe-coded apps, many developers are shipping to production without proper security testing.

The Solution

I built SupaShield, a CLI tool that tests your Supabase RLS policies before they hit production:

  • Introspects your DB schema automatically
  • Simulates different roles (anon, authenticated, custom JWT claims)
  • Tests CRUD operations on every RLS-enabled table
  • Wraps everything in transactions with ROLLBACK (no data changes)
  • Generates snapshots you can diff in CI
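
The role simulation and ROLLBACK described in the bullets above can be reproduced by hand in SQL. This is an added example, not SupaShield's own code; it assumes a Supabase Postgres database (where the anon and authenticated roles and auth.uid() exist), and the table, policy and UUIDs are constructed for illustration.

```sql
-- Added example: manually performing the check SupaShield automates.
-- Everything runs in one transaction and is rolled back at the end.
begin;

-- Constructed table with the intended policy: a user may read only their own row.
create table public.profiles (
  id uuid primary key,
  owner_id uuid not null,
  display_name text
);
alter table public.profiles enable row level security;
grant select on public.profiles to anon, authenticated;

create policy "profiles: owner can read" on public.profiles
  for select to authenticated
  using (auth.uid() = owner_id);

insert into public.profiles values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'alice'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'bob');

-- 1. Simulate the anon role (no JWT). Expected: 0 rows, i.e. SELECT is DENY.
set local role anon;
select count(*) as anon_visible_rows from public.profiles;
reset role;

-- 2. Simulate an authenticated user by setting the claims PostgREST would
--    inject from the JWT; auth.uid() reads the "sub" claim from this setting.
--    Expected: exactly one row ('alice'), i.e. SELECT is ALLOW for own row only.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}',
  true);  -- true = local to this transaction
select display_name from public.profiles;
reset role;

-- A count other than the expected one under a given role is the "MISMATCH"
-- a policy test reports. Nothing above persists:
rollback;
```

The connecting user must be allowed to SET ROLE to anon and authenticated (the default postgres role on Supabase is), and because the claims are set with the local flag they disappear with the rollback along with the table.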

Installation

npm install -g supashield

Quick Start

# Set your database URL
export SUPASHIELD_DATABASE_URL="postgresql://..."

# Generate tests and run them
supashield init                        # discover tables and generate tests
supashield test                        # test all RLS policies
supashield test --table public.users   # test specific table
supashield test --as-user admin@company.com  # test with real user
supashield users                       # list users from auth.users for testing
supashield export-pgtap -o tests.sql   # export tests to pgTap format

Example Output

Testing public.users:
  anonymous_user:
    SELECT: ALLOW (expected DENY) - MISMATCH!
    INSERT: DENY (expected DENY) - PASS
  authenticated_user:
    SELECT: ALLOW (expected ALLOW) - PASS
    INSERT: DENY (expected ALLOW) - MISMATCH!

Results: 2 passed, 2 failed
2 policy mismatches detected!

It's not a substitute for proper security reviews, as attackers will always find crafty exploits.

But it catches the obvious mistakes before they leak user data.

Try It Out

The tool is open source (MIT licensed) and available on GitHub: https://github.com/Rodrigotari1/supashield

Open to feedback!
