For Supabase & Firebase Projects

Reveal security mistakes your agent missed.

DBAudit helps you see exactly what's risky or exposed in your Supabase & Firebase setup.
Get your Supabase and Firebase security scan report today, with a prioritized fix plan, in minutes.

Now offering both subscriptions & one-time purchases

What we actively test:

  • RLS gaps exposing reads or writes
  • Public or weakly protected RPCs
  • Unsafe SECURITY DEFINER functions
  • Leaked service-role style keys

Small backend mistakes, big security problems.

DBAudit helps you find and fix the mistakes that humans and coding agents both make: the ones that expose data, bypass your rules, and turn helper functions into backdoors.

The admin key reached the browser.

A privileged key was shipped to code anyone can download.

Illustration: the service_role key ended up in app.js, a frontend bundle anyone can download. Because service_role bypasses RLS, whoever extracts it has project-wide access.
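How a scanner tells the two keys apart, as an added example that is not DBAudit's code: legacy Supabase API keys are HS256 JWTs whose payload carries a role claim of "anon" or "service_role", so the two look identical until the payload is decoded. The bundle text and both keys below are constructed for the example (their signatures are fake), and the sb_secret_ prefix check for the newer non-JWT secret keys is an assumption about that key format.

```javascript
// Added example (not DBAudit's code): find Supabase API keys in a shipped
// frontend bundle and tell the anon key from the service_role key.
// Legacy Supabase keys are HS256 JWTs; the payload's `role` claim is the only
// thing that distinguishes them, so the check must decode it.

// Constructed keys: real layout (header.payload.signature), fake signature.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function makeFakeSupabaseJwt(role) {
  const header = base64UrlEncode({ alg: "HS256", typ: "JWT" });
  const payload = base64UrlEncode({
    iss: "supabase",
    ref: "abcdefghijklmnopqrst", // project ref, constructed
    role,
    iat: 1700000000,
    exp: 2000000000,
  });
  return `${header}.${payload}.${"x".repeat(43)}`; // signature is not valid
}

const ANON_KEY = makeFakeSupabaseJwt("anon");
const SERVICE_KEY = makeFakeSupabaseJwt("service_role");

// Constructed bundle: the anon key is expected in a browser app; the second
// client was added to "fix" an RLS error and ships the admin key to everyone.
const SAMPLE_BUNDLE = `
const supabase = createClient("https://abcdefghijklmnopqrst.supabase.co", "${ANON_KEY}");
const admin = createClient("https://abcdefghijklmnopqrst.supabase.co", "${SERVICE_KEY}");
`;

// Three base64url segments; header and payload both start with "eyJ" ('{"').
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
// Assumption: newer non-JWT Supabase secret keys carry this prefix.
const SECRET_PREFIX_RE = /\bsb_secret_[A-Za-z0-9_-]+/g;

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Returns { role, ref, exp } for a Supabase-style JWT, or null when the token
// is not a JWT whose payload carries a role claim. The signature is not
// verified: the secret is unknown here, and the question is only which role
// the key asserts.
function classifyKey(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  let payload;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return null;
  }
  if (typeof payload.role !== "string") return null;
  return { role: payload.role, ref: payload.ref ?? null, exp: payload.exp ?? null };
}

// Scans bundle text and rates each key: the anon key is informational, a
// service_role key or a prefixed secret key is critical.
function scanBundle(text) {
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    const info = classifyKey(m[0]);
    if (!info) continue;
    findings.push({
      kind: "jwt",
      role: info.role,
      severity: info.role === "service_role" ? "critical" : "info",
      offset: m.index,
    });
  }
  for (const m of text.matchAll(SECRET_PREFIX_RE)) {
    findings.push({ kind: "prefixed_secret", role: "service_role", severity: "critical", offset: m.index });
  }
  return findings;
}
```

The anon key is meant to be public, so its presence is reported only for context; what matters is that the same regex hit can carry either role, which is why a shape-only secret scanner rates both keys the same and misses the one that matters. Run scanBundle over the built output (the dist folder, not the source), since bundlers inline environment variables at build time.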

A user upgraded themselves to Pro for free.

The API trusted a plan field from the request body instead of verifying the payment.

Illustration: the account's current plan is Free. A malicious request

  curl /api/user/plan -d '{"plan":"pro"}'

comes back as "Plan updated: Pro" with $0 charged, no webhook, no receipt. Billing bypassed.
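The same endpoint written twice, as an added example rather than DBAudit's code: a handler that copies the request body onto the user row, beside one that accepts only an allowlist of self-editable fields and derives plan from the billing record. The request shape, the field names and the in-memory billing lookup are assumptions made for the example; in a real service the paid-subscription state comes from the payment provider's signed webhook or a server-side lookup, never from the client.

```javascript
// Added example (not DBAudit's code): the plan-upgrade bug beside its fix.
// Everything runs in memory on constructed data; the field names and the
// billing lookup are assumptions for the example.

// Constructed user table: two free-tier users.
function makeDb() {
  return {
    users: new Map([
      ["u_1", { display_name: "Ada", plan: "free" }],
      ["u_2", { display_name: "Grace", plan: "free" }],
    ]),
  };
}

// Constructed view of the payment provider's state. In production this is
// populated from the provider's signed webhook or a server-to-server lookup;
// the client never gets to assert it. Only u_2 has actually paid.
const PAID_SUBSCRIPTIONS = new Map([["u_2", "pro"]]);

// VULNERABLE: whatever the client sends is written onto the row, so
//   curl /api/user/plan -d '{"plan":"pro"}'
// upgrades the caller for free. Any other column is writable the same way.
function updateUserVulnerable(db, userId, body) {
  const user = db.users.get(userId);
  if (!user) throw new Error("unknown user");
  Object.assign(user, body);
  return { ...user };
}

// HARDENED: only fields the user may edit about themselves are copied, after a
// type and length check; `plan` is recomputed from the billing record on every
// update, and client-supplied values for it are ignored and reported so the
// attempt shows up in logs.
const SELF_EDITABLE = ["display_name"];

function updateUserHardened(db, userId, body) {
  const user = db.users.get(userId);
  if (!user) throw new Error("unknown user");
  const ignored = Object.keys(body).filter((k) => !SELF_EDITABLE.includes(k));
  for (const key of SELF_EDITABLE) {
    if (typeof body[key] === "string" && body[key].length <= 80) user[key] = body[key];
  }
  user.plan = PAID_SUBSCRIPTIONS.get(userId) ?? "free";
  return { ...user, ignored_fields: ignored };
}
```

On Supabase the same mistake appears without any custom API at all: an UPDATE policy that lets users edit their own profiles row while the plan column is still writable through PostgREST. Column-level grants (REVOKE UPDATE (plan) ON public.profiles FROM authenticated) or a trigger that resets the column close that path, and that is the "mass assignment" case the rule engine below looks for.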

A helper function became an admin door.

A normal user may be able to call elevated database logic.

Illustration: a caller holding only a normal session invokes get_admin_stats(), a SECURITY DEFINER RPC whose EXECUTE grant was never restricted. The function runs with its owner's privileges, so an admin-only data path is unlocked: elevated execution.

Our practical security rule engine

Unlike tools that run hundreds of noisy, low-value scans, we run 52+ built-in checks for things you should actually care about: RLS policies, auth configuration, leaked secrets, SECURITY DEFINER functions, privilege-escalation and mass-assignment paths, plus a few meaningful performance checks.

Included in all plans

We help you move fast & stay secure.

Built for solo devs and teams that move fast but don't leave security as an afterthought.

Deep schema analysis

Schema introspection lets us inspect your tables, roles, functions, and extensions for the misconfigurations attackers commonly exploit.

Included in all plans

We help you take action

Every report explains each finding and the records behind it. We don't run AI on your data, but you can export your results into your own ChatGPT, Claude, or any local model you trust.

Included in all plans

Fast & efficient

In most cases the audit runs in a matter of seconds; it executes on a separate worker so scan speed stays high. No agents or extensions to install.

Included in all plans

Continuous monitoring

Coming soon

Schedule recurring audits and get Slack or email alerts the moment your security posture changes.

Will be included in Pro

How DBAudit works

01

Fill in your details

Your Supabase project URL or Firebase config, the public anon key, a test login, and (for Supabase) a read-only schema export for full coverage. We never ask for your service_role or admin key.

02

Test as real users

DBAudit probes as an anonymous visitor and a signed-in user. Add a second test user and it tries to read one account's data while signed in as another.

03

Nothing gets mutated

Read and write checks run without changing your data - write probes use a rollback-guarded transaction. Destructive pentests are opt-in, guarded, and built for staging.

04

Prioritized fixes

Findings ranked by severity, each with the exact fix, plus agent-ready remediation instructions and a full report you can export as JSON.

Why we ask for more than a public key

Most scanners take your public key and stop there. That is enough to list which tables have a policy, but not enough to know whether the policy actually holds. So DBAudit signs in as a real user and tries to reach data that is not theirs. It is a little more to set up than a public key, and it is the difference between findings you can act on and a green checkmark that means nothing.

RLS being on is not the same as RLS being right.

A checklist can tell you a policy exists. DBAudit signs in as separate accounts and actually tries to cross the boundary between them, so you find out whether the policy holds.

Anonymous

anyone with your public key

Signed-in user

a real logged-in account

Second user (optional)

used to prove cross-account isolation

your database
  • Can account B read account A's rows?
  • Can the public key reach private tables or RPCs?
  • Does a write that should be denied actually go through?

Supabase checks

  • RLS disabled tables
  • always-true policies
  • cross-account reads
  • public schema enumeration
  • SECURITY DEFINER RPCs
  • exposed / leaked keys
  • sensitive columns
  • storage buckets
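Three of the checks above run as a small rule engine over Postgres catalog rows, as an added example and not DBAudit's own engine: RLS disabled tables, always-true policies, and SECURITY DEFINER functions exposed to the API roles (the get_admin_stats case from the card earlier on the page). The rows are constructed; the comments show the catalog queries a read-only schema export would run to produce them. Rule names, severity levels and the fix text are choices made for the example.

```javascript
// Added example (not DBAudit's rule engine): three metadata checks over rows
// from the Postgres catalog. Rows are constructed; the queries that produce
// them in a real export are shown above each set.

// SELECT n.nspname AS schema, c.relname AS table, c.relrowsecurity AS rls_enabled
//   FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
//  WHERE c.relkind = 'r' AND n.nspname = 'public';
const TABLES = [
  { schema: "public", table: "profiles", rls_enabled: true },
  { schema: "public", table: "invoices", rls_enabled: false },
];

// SELECT schemaname, tablename, policyname, roles, cmd, qual, with_check FROM pg_policies;
// A policy created without a TO clause shows roles = {public}.
const POLICIES = [
  { schemaname: "public", tablename: "profiles", policyname: "profiles_select", roles: ["authenticated"], cmd: "SELECT", qual: "(auth.uid() = user_id)", with_check: null },
  { schemaname: "public", tablename: "profiles", policyname: "profiles_update_all", roles: ["public"], cmd: "UPDATE", qual: "true", with_check: "true" },
];

// SELECT p.proname, p.prosecdef, pg_get_function_identity_arguments(p.oid) AS args ... FROM pg_proc p
// joined with EXECUTE grantees from information_schema.routine_privileges.
const FUNCTIONS = [
  { schema: "public", name: "get_admin_stats", args: "", security_definer: true, execute_grantees: ["PUBLIC"] },
  { schema: "public", name: "my_profile", args: "", security_definer: true, execute_grantees: ["authenticated"] },
  { schema: "public", name: "rotate_keys", args: "", security_definer: true, execute_grantees: ["service_role"] },
];

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2 };

// pg_policies prints expressions with parentheses and spacing; compare the bare form.
function normalizeExpr(expr) {
  return (expr ?? "").replace(/[()\s]/g, "").toLowerCase();
}

// Rule 1: a public-schema table without RLS is fully readable and writable
// through the API by anyone the table grants allow, typically anon and authenticated.
function checkRlsDisabled(tables) {
  return tables.filter((t) => !t.rls_enabled).map((t) => ({
    rule: "rls_disabled",
    severity: "critical",
    object: `${t.schema}.${t.table}`,
    detail: "reachable through the API with no row filter at all",
    fix: `ALTER TABLE ${t.schema}.${t.table} ENABLE ROW LEVEL SECURITY;`,
  }));
}

// Rule 2: USING (true) / WITH CHECK (true) means RLS is on but filters nothing.
// Rated lower for SELECT, since intentionally public read tables exist.
function checkAlwaysTruePolicies(policies) {
  return policies
    .filter((p) => normalizeExpr(p.qual) === "true" || normalizeExpr(p.with_check) === "true")
    .map((p) => ({
      rule: "always_true_policy",
      severity: p.cmd === "SELECT" ? "medium" : "high",
      object: `${p.schemaname}.${p.tablename}.${p.policyname}`,
      detail: `${p.cmd} policy for ${p.roles.join(",")} passes every row`,
      fix: `DROP POLICY ${p.policyname} ON ${p.schemaname}.${p.tablename}; -- recreate with USING (auth.uid() = user_id)`,
    }));
}

// Rule 3: Postgres grants EXECUTE on new functions to PUBLIC by default, and
// public-schema functions are exposed as RPC endpoints to anon and authenticated.
const API_ROLES = new Set(["PUBLIC", "anon", "authenticated"]);

function checkSecurityDefiner(functions) {
  const out = [];
  for (const f of functions) {
    if (!f.security_definer) continue;
    const exposed = f.execute_grantees.filter((g) => API_ROLES.has(g));
    if (exposed.length === 0) continue;
    const anonymous = exposed.some((g) => g === "PUBLIC" || g === "anon");
    out.push({
      rule: "security_definer_exposed",
      severity: anonymous ? "high" : "medium",
      object: `${f.schema}.${f.name}(${f.args})`,
      detail: anonymous
        ? "runs as its owner and is callable as RPC by anyone holding the anon key"
        : "runs as its owner and is callable by any signed-in user; confirm the body checks auth.uid() and sets search_path",
      fix: `REVOKE EXECUTE ON FUNCTION ${f.schema}.${f.name}(${f.args}) FROM PUBLIC, anon, authenticated;`,
    });
  }
  return out;
}

// Runs every rule and orders findings by severity (stable sort keeps rule order within a level).
function audit({ tables, policies, functions }) {
  return [...checkRlsDisabled(tables), ...checkAlwaysTruePolicies(policies), ...checkSecurityDefiner(functions)]
    .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}
```

The always-true rule stays a heuristic: USING (true) on a SELECT policy for a genuinely public table is fine, which is why it is rated medium here and why the signed-in cross-account probe described above is what confirms a real leak. For SECURITY DEFINER functions, revoking EXECUTE from the API roles is the first fix; a function that must stay callable should check auth.uid() itself and set search_path, since it runs with its owner's privileges regardless of who calls it.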

Firebase checks

  • unauth Firestore / RTDB reads
  • unauth writes
  • storage bucket access
  • recursive wildcard rules
  • create / update divergence
  • App Check & anon sign-in
  • open sign-up
  • email enumeration

No service_role key · Encrypted at rest · Discarded after scan · Staging-friendly

FAQ

Everything you need to know before running your first audit.

No.
DBAudit runs non-destructive checks. We inspect permissions, policies, and configuration patterns without mutating your data.
If you wish to deepen the scan and run destructive pentests against a staging/dev environment, you can choose to do so, but it is guarded and disabled by default.
We currently support both Supabase and Firebase databases.
Yes, we use industry-standard encryption. In fact, the scan doesn't require any sensitive inputs in the first place.
Semi-sensitive inputs (test user login, schema-only export, etc.) are encrypted at rest with AES-256-GCM before storage, and then discarded after the scan, once they are no longer needed.
We don't need or want your data after we provide you the audit results.
Yes. You'll get personalized agent instructions with all the details, plus a full technical report.
Download reports as JSON and use them in your preferred tooling to fix issues faster.
No installation is required. You connect your project, run a scan, and receive findings with practical remediation guidance.
Yes. The one-time Quick Scan plan is built for exactly that. You can also move to a subscription later if you want automatic recurring coverage.
Most scans complete within seconds, or a few minutes if your schema is very large. Firebase scans usually take a bit longer.
For Supabase, a scan requires your project URL + public anon key, a throwaway test user account, and a schema-only export (select-only introspection query, no data). We never ask for your service_role or admin key.
For Firebase, you provide your public firebase config and a throwaway test user account.
We retain only scan metadata and the resulting report so your dashboard history works.

Pay for what you need

Quick Scan

One-off check before shipping or after schema changes.

one-time

  • One full security report
  • See exactly what's exposed
  • Access for 7 days—no subscription

Results stored for 7 days

Buy a scan

Starter

Best value

For vibe coders, indie hackers, and solo SaaS builders.

/month

Billed $240/yr

  • 2 scans/week
  • Optional scheduled scans
  • 30-day history to spot patterns

Max 2 scans/day · No email alerts

Get started

Pro

For teams, agencies, and serious builders with multiple projects.

/month

Billed $780/yr

  • 14 scans/week
  • Optional scheduled scans
  • 180-day scan history
  • Email alerts to 1 address · Coming soon

Max 5 scans/day

Get started

DBAudit is an independent product and is not affiliated with, endorsed by, or sponsored by Supabase or Firebase.