A new RLS leak ships every time you push.
You should know before your users do.
RLS Monitor runs the open-source supabase-security auditor against your project on a weekly cron and emails you the diff. Catch the policy you forgot last sprint before it turns into a Hacker News thread.
- Subscribe ($29/mo, cancel anytime).
- Add our GitHub Action to your repo — it runs in your CI with your secrets.
- We post the audit JSON to a write-only endpoint and store findings by project_token.
- If next week's scan finds a new high/critical finding, you get an email. That's it.
We never see your service_role key or anon key. All scanning happens inside your CI runner.
- Weekly RLS + anon-probe scans (every Sunday 02:00 UTC)
- Diff-based alerts — only ping you when something NEW shows up
- Email + Slack webhook (Slack on request)
- Your keys never leave your CI
- 7-day money-back, no questions
Q&A
Why not just run the scanner myself?
You can. npx supabase-security is MIT-licensed. RLS Monitor handles the diff so you only get pinged on net-new findings, not the same 4 medium-severity warnings every week.
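The net-new diff described above, as an added example in Python that is not RLS Monitor's or supabase-security's own code; the finding schema and its field names (check, table, policy, severity) are assumed, and both weekly snapshots are constructed sample data:

```python
"""Diff two weekly audit snapshots and keep only net-new findings at or above
a severity threshold. The finding schema here is assumed and the data is
constructed; the real supabase-security JSON layout is not shown on the page."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed: last week's snapshot, as stored for this project_token.
LAST_WEEK = json.loads("""[
 {"check": "rls_disabled",  "table": "public.invoices", "policy": null,           "severity": "medium"},
 {"check": "policy_true",   "table": "public.posts",    "policy": "posts_select", "severity": "medium"},
 {"check": "anon_readable", "table": "public.users",    "policy": null,           "severity": "high"}
]""")

# Constructed: this week's snapshot from the CI runner. The profiles finding is
# new, the users finding is unchanged, and the invoices finding was fixed.
THIS_WEEK = json.loads("""[
 {"check": "policy_true",   "table": "public.posts",    "policy": "posts_select", "severity": "medium"},
 {"check": "anon_readable", "table": "public.users",    "policy": null,           "severity": "high"},
 {"check": "anon_writable", "table": "public.profiles", "policy": null,           "severity": "critical"},
 {"check": "missing_index", "table": "public.posts",    "policy": null,           "severity": "low"}
]""")


def fingerprint(finding):
    """Stable identity of a finding across runs: check, table and policy name.
    Free-text detail is deliberately excluded so a reworded scanner message
    does not resurface as 'new' and re-page you."""
    return (finding["check"], finding["table"], finding.get("policy"))


def diff_findings(previous, current):
    """Return (new, resolved) by comparing fingerprints, not list order."""
    before = {fingerprint(f): f for f in previous}
    after = {fingerprint(f): f for f in current}
    new = [after[k] for k in after.keys() - before.keys()]
    resolved = [before[k] for k in before.keys() - after.keys()]
    return new, resolved


def alert_worthy(new, min_severity="high"):
    """Keep only net-new findings severe enough to email about, worst first."""
    floor = SEVERITY_RANK[min_severity]
    return sorted((f for f in new if SEVERITY_RANK[f["severity"]] >= floor),
                  key=lambda f: -SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    new, resolved = diff_findings(LAST_WEEK, THIS_WEEK)
    for f in alert_worthy(new):
        print(f"NEW {f['severity'].upper():8} {f['check']} on {f['table']}")
    print(f"{len(resolved)} finding(s) resolved since last scan")
```

Only the critical profiles finding would trigger an email at the default threshold; the low-severity index finding is new but stays out of the alert.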
What stack works?
Currently Supabase. Firebase, PocketBase, Appwrite, Nhost adapters land in v0.2 (already on npm). Reply to the welcome email if you want one fast-tracked.
Why concierge / why so simple?
Once two customers are on board, we automate the onboarding. Until then it's me running your first scan by hand and emailing you within 24h. You get a human who cares.