The Problem
RLS policies are a pain to test and the consequences of getting them wrong are serious.
Recently, a Lovable app leaked 13k users' data due to broken RLS policies. This isn't uncommon.
With the rise of vibe-coded apps, many developers are shipping to production without proper security testing.
The Solution
I built SupaShield, a CLI tool that tests your Supabase RLS policies before they hit production:
- Introspects your DB schema automatically
- Simulates different roles (anon, authenticated, custom JWT claims)
- Tests CRUD operations on every RLS enabled table
- Wraps everything in transactions with ROLLBACK (no data changes)
- Generates snapshots you can diff in CI
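The role simulation and ROLLBACK wrapping described in the list above, written out by hand as an added SQL example; this is not SupaShield's own code. It assumes a Supabase-style Postgres where the anon and authenticated roles exist and the request.jwt.claims setting is what policies read through auth.uid(); the table, policy and rows are constructed here for the demonstration.

```sql
-- Constructed fixture: a table with a deliberately broken SELECT policy,
-- created inside the same transaction so the ROLLBACK at the end removes it.
BEGIN;

CREATE TABLE public.rls_demo_users (
  id    uuid PRIMARY KEY,
  email text NOT NULL
);
ALTER TABLE public.rls_demo_users ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON public.rls_demo_users TO anon, authenticated;

-- Intended rule: a user may read only their own row, i.e. USING (id = auth.uid()).
-- The bug under test: USING (true) lets every role read every row.
CREATE POLICY demo_users_select ON public.rls_demo_users
  FOR SELECT USING (true);

INSERT INTO public.rls_demo_users VALUES
  ('00000000-0000-0000-0000-000000000001', 'alice@example.com'),
  ('00000000-0000-0000-0000-000000000002', 'bob@example.com');

-- Simulate the anon role: no JWT claims at all. Expected: zero rows visible.
SET LOCAL ROLE anon;
SELECT 'anon SELECT'                                   AS check,
       count(*)                                        AS rows_visible,
       CASE WHEN count(*) = 0 THEN 'PASS' ELSE 'MISMATCH' END AS verdict
FROM public.rls_demo_users;

-- Simulate a logged-in user the way PostgREST does: install the JWT claims
-- (transaction-local via the third argument), then switch to authenticated.
-- Expected: exactly one row, Alice's own.
RESET ROLE;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
SET LOCAL ROLE authenticated;
SELECT 'authenticated SELECT'                          AS check,
       count(*)                                        AS rows_visible,
       CASE WHEN count(*) = 1 THEN 'PASS' ELSE 'MISMATCH' END AS verdict
FROM public.rls_demo_users;

-- Discard the fixture, the policy and the rows: nothing persists.
ROLLBACK;
```

With the broken policy both checks report MISMATCH (2 rows visible each); replacing USING (true) with USING (id = auth.uid()) makes both pass, since auth.uid() is NULL for anon and matches only Alice's row for the authenticated claims.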
Installation
npm install -g supashield
Quick Start
# Set your database URL
export SUPASHIELD_DATABASE_URL="postgresql://..."
# Generate tests and run them
supashield init # discover tables and generate tests
supashield test # test all RLS policies
supashield test --table public.users # test specific table
supashield test --as-user admin@company.com # test with real user
supashield users # list users from auth.users for testing
supashield export-pgtap -o tests.sql # export tests to pgTap format
Example Output
Testing public.users:
  anonymous_user:
    SELECT: ALLOW (expected DENY) - MISMATCH!
    INSERT: DENY (expected DENY) - PASS
  authenticated_user:
    SELECT: ALLOW (expected ALLOW) - PASS
    INSERT: DENY (expected ALLOW) - MISMATCH!

Results: 2 passed, 2 failed
2 policy mismatches detected!
It's not a substitute for proper security reviews, as attackers will always find crafty exploits.
But it catches the obvious mistakes before they leak user data.
Try It Out
The tool is open source (MIT licensed) and available on GitHub: https://github.com/Rodrigotari1/supashield
Open to feedback!