
I built a tool that analyzes what websites using Supabase expose to attackers.
Hi all,
We’ve been working on LeakScope for a while now and recently updated it quite a bit.
We didn't build LeakScope because we wanted another security scanner.
We built it because after manually reviewing Supabase applications, we kept running into the same problems: weak RLS policies, overly permissive access rules, exposed frontend configuration, and data that developers didn't realize was publicly accessible.
LeakScope is an automated security scanner designed specifically for developers and indie hackers building applications with Supabase. It helps identify critical backend vulnerabilities—such as weak Row-Level Security (RLS) policies, exposed database tables, and API keys hidden in frontend code—simply by pasting your website's URL.
We recently expanded it with two scanning modes:
- Light Scan — Fast public reconnaissance with no account required.
- Deep Scan — Authenticated testing with broader coverage, including RLS validation, BOLA/IDOR checks, JWT analysis, and detailed security reports.
So far, LeakScope has:
- Scanned 1,982 websites
- Identified 13,834 security findings
We're still actively improving it, and we'd genuinely love feedback from everyone.
If you're building with Supabase, what would you want a tool like this to detect or do?
Whether that's generating RLS policies, exporting pgTAP tests, CI/CD integration, monitoring production changes, or something else. We'd love to hear your thoughts.
Drop your site, we'll run free scans for you or you can do it yourself at leakscope.tech it's free :)