So I built SupaExplorer Leak Scanner.
It scans any public website for leaked Supabase project refs, anon/public keys, service role keys, storage bucket exposures, and then automatically runs an RLS policy audit on the linked Supabase instance. No database password required, no signup for scans.
What it does:
- Detects leaked Supabase credentials in HTML/JS responses, source maps, and network payloads (for this you can use the free Chrome Extension!)
- Identifies publicly exposed tables or storage buckets
- Audits RLS on the instance and checks if policies enforce user isolation
- Generates a clean security report + optional SQL fixes if issues are found
It’s fully free to scan. The paid report is just there if you want instant fixes bundled, but the core tool is open for anyone to use without friction.
Would love feedback from fellow builders. I’m especially interested in edge cases I haven’t hit yet, and ideas to make the RLS audit even better.
Try it out and roast it kindly.
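For readers who want to see what the "detect leaked credentials" step amounts to in practice, here is an added example written for this page; it is not SupaExplorer's own code and makes no claim about how that tool is implemented. It scans a JS bundle for `https://<ref>.supabase.co` project URLs and for JWT-shaped strings, decodes the JWT payload without verifying the signature (the point is only to read the `role` claim), and rates a `service_role` token as critical because it bypasses RLS entirely. The sample bundle and both tokens are constructed inline with an unsigned placeholder signature; the 20-character project-ref pattern and the `iss`/`ref`/`role` claim names are assumptions based on the usual shape of Supabase keys.

```python
import base64
import json
import re
from dataclasses import dataclass

# Assumption: Supabase project refs are 20 lowercase alphanumerics in the project URL.
PROJECT_REF_RE = re.compile(r"https://([a-z0-9]{20})\.supabase\.co")
# Any JWT: three base64url segments; a JSON header always encodes to a leading "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Query a scanner would run against the linked instance (not executed in this offline example):
# tables in the public schema with RLS disabled, or enabled but without a single policy.
RLS_AUDIT_SQL = """
SELECT t.tablename, t.rowsecurity,
       (SELECT count(*) FROM pg_policies p WHERE p.tablename = t.tablename) AS policy_count
FROM pg_tables t
WHERE t.schemaname = 'public'
  AND (t.rowsecurity = false
       OR NOT EXISTS (SELECT 1 FROM pg_policies p WHERE p.tablename = t.tablename));
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # project_ref | anon_key | service_role_key | unknown_supabase_jwt
    value: str
    severity: str   # info | medium | critical


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str):
    """Return the payload claims of a JWT, or None if it is not a well-formed JWT.
    The signature is deliberately not checked: we only want what the token claims to be."""
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):   # bad base64, bad UTF-8, bad JSON, missing segment
        return None


def classify_jwt(token: str):
    """Map a Supabase-issued JWT to a finding; non-Supabase JWTs (other vendors) are ignored."""
    claims = decode_jwt_payload(token)
    if not isinstance(claims, dict) or claims.get("iss") != "supabase":
        return None
    role = claims.get("role")
    if role == "service_role":
        # Service-role keys bypass RLS: exposure in a client bundle is full database access.
        return Finding("service_role_key", token, "critical")
    if role == "anon":
        # Anon keys are meant to ship to clients; exposure matters only if RLS is weak.
        return Finding("anon_key", token, "info")
    return Finding("unknown_supabase_jwt", token, "medium")


def scan_text(text: str) -> list:
    """Scan one HTML/JS/source-map body for project refs and Supabase JWTs, de-duplicated."""
    findings, seen = [], set()
    for m in PROJECT_REF_RE.finditer(text):
        ref = m.group(1)
        if ref not in seen:
            seen.add(ref)
            findings.append(Finding("project_ref", ref, "info"))
    for m in JWT_RE.finditer(text):
        token = m.group(0)
        if token in seen:
            continue
        seen.add(token)
        finding = classify_jwt(token)
        if finding:
            findings.append(finding)
    return findings


# --- constructed sample input (not a real project, not real keys) ---------------------
def _fake_supabase_jwt(role: str, ref: str) -> str:
    """Build a Supabase-shaped JWT with a placeholder signature, for the sample bundle only."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d, separators=(",", ":")).encode()).decode().rstrip("=")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "supabase", "ref": ref, "role": role, "iat": 1700000000, "exp": 2000000000}
    return f"{enc(header)}.{enc(payload)}.{enc({'sig': 'placeholder-not-signed'})}"


SAMPLE_REF = "abcdefghijklmnopqrst"
SAMPLE_BUNDLE = f"""
const supabaseUrl = "https://{SAMPLE_REF}.supabase.co";
const supabaseKey = "{_fake_supabase_jwt('anon', SAMPLE_REF)}";
// someone "temporarily" pasted an admin key into the client bundle:
const adminKey = "{_fake_supabase_jwt('service_role', SAMPLE_REF)}";
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE):
        print(f"[{f.severity:>8}] {f.kind}: {f.value[:40]}...")
```

Running it on the constructed bundle reports the project ref, the anon key as informational, and the pasted service-role key as critical. In a real scan the next step is to feed each `project_ref` plus its anon key into the RLS audit (the `RLS_AUDIT_SQL` above needs a database connection, which is why the page's scanner probes the PostgREST endpoint instead when only the anon key is known).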