Product Introduction
- Definition: Supaguard is an automated security scanner built specifically for Supabase applications. It belongs to the category of cloud-native security auditing software and combines static analysis of client-side JavaScript with non-mutating probing of the project's API to find leaked credentials and misconfigurations.
- Core Value Proposition: Supaguard exists to catch exposed PII (Personally Identifiable Information), PCI (Payment Card Industry) data, API keys, and JWT-format Supabase keys before an attacker does, heading off costly data breaches. Its zero-setup approach keeps developers moving while reducing compliance risk.
Main Features
- JWT Leak Radar:
Supaguard statically scans JavaScript bundles for hardcoded Supabase keys (the anon and service role keys are JWTs whose "role" claim identifies which one leaked) and cross-references each key with Supabase project metadata to confirm the exposure. The anon key is meant to ship to clients; a service role key in a bundle is the critical case, because that key bypasses Row-Level Security entirely.
- RLS Policy Vulnerability Detection:
Using non-mutating OPTIONS requests to PostgREST, Supaguard probes which operations each leaked key is permitted to perform on each table without altering data, and maps the accessible tables and columns per key, revealing the read/write access an attacker could exploit. An OPTIONS response says which request methods PostgREST will accept for a resource, not which rows RLS will actually return, so a table can look readable yet yield nothing; only a read-only GET or HEAD confirms what the key can see.
- Sensitive Data Alerts:
Employs regex heuristics for e-mail and password-like columns and Luhn-check validation for card numbers to flag tables holding personal or financial data. For PCI, it combines column-name heuristics (e.g., "CVV", "expiry") with validation of card number patterns, because a Luhn-valid 16-digit string is a much weaker signal in a column named "order_ref" than in one named "card_number".
- Write Permission Risk Assessment:
Detects whether write methods (POST/PATCH/DELETE) are exposed through the REST API to a leaked key, relying only on HEAD/OPTIONS method analysis so the scan itself never mutates data.
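The key-leak scan described under JWT Leak Radar above, as an added example in Node.js; this is not Supaguard's code. It assumes the legacy Supabase key format (an HS256 JWT whose payload carries iss:"supabase", ref:&lt;project ref&gt; and role:"anon" or "service_role"); the bundle text, project ref and keys below are constructed for the example, with dummy signatures.

```javascript
// Added example (not Supaguard's code): locate Supabase-style JWTs in a JS
// bundle and classify them by their "role" claim. Assumes the legacy Supabase
// key format: an HS256 JWT whose payload carries iss:"supabase", ref:<project>
// and role:"anon" | "service_role". Runs under Node.js (uses Buffer).
const JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

const b64urlDecode = (s) => Buffer.from(s, 'base64url').toString('utf8');
const b64urlEncode = (s) => Buffer.from(s, 'utf8').toString('base64url');

// Parse header and payload without verifying the signature: we only need the
// claims to know what kind of key leaked, never to trust the token.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
  } catch {
    return null; // base64-looking text that is not a JWT
  }
}

function scanBundleForSupabaseKeys(bundleText) {
  const findings = [];
  const seen = new Set();
  for (const m of bundleText.matchAll(JWT_RE)) {
    const token = m[0];
    if (seen.has(token)) continue; // the same key is often inlined several times
    seen.add(token);
    const jwt = decodeJwt(token);
    if (!jwt || jwt.payload.iss !== 'supabase') continue; // other vendors' JWTs are out of scope
    const role = jwt.payload.role;
    findings.push({
      projectRef: jwt.payload.ref,
      role,
      // The anon key is designed to be public; the service role key bypasses RLS.
      severity: role === 'service_role' ? 'critical' : 'info',
      offset: m.index,
      tokenPrefix: token.slice(0, 12) + '...', // never echo a full secret into a report
    });
  }
  return findings;
}

// Constructed sample input: fake keys with a dummy signature, embedded in a
// snippet shaped like a minified Supabase client setup.
function fakeSupabaseKey(role) {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role, iat: 1700000000, exp: 2000000000 }));
  return `${header}.${payload}.${'A'.repeat(43)}`;
}
const ANON = fakeSupabaseKey('anon');
const SERVICE = fakeSupabaseKey('service_role');
// A JWT from some other issuer, to show it is ignored.
const OTHER = `${b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64urlEncode(JSON.stringify({ iss: 'some-other-vendor', sub: 'u1' }))}.${'B'.repeat(43)}`;
const SAMPLE_BUNDLE =
  `const s=createClient("https://abcdefghijklmnopqrst.supabase.co","${ANON}");` +
  `fetch(u,{headers:{apikey:"${SERVICE}",Authorization:"Bearer ${SERVICE}"}});` +
  `const t="${OTHER}";const again="${ANON}";`;

console.table(scanBundleForSupabaseKeys(SAMPLE_BUNDLE));
```

The signature is deliberately not checked: the scanner classifies what leaked, it does not authenticate anything with it, and the report carries only a token prefix so the finding itself does not become a second leak.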
Problems Solved
- Pain Point: Supabase developers often expose sensitive data by accident through misconfigured RLS policies, hardcoded keys, or unsecured tables, leading to compliance violations and breach costs averaging $4.45M (IBM Cost of a Data Breach Report, 2023).
- Target Audience:
- Supabase Founders/CTOs managing app security posture.
- Full-Stack Developers building React/Next.js/Vue apps on Supabase.
- Compliance Officers requiring PCI-DSS or GDPR adherence.
- Use Cases:
- Pre-production security audits for new Supabase deployments.
- Continuous monitoring of public-facing client-side code.
- Incident response triage for suspected data leaks.
Unique Advantages
- Differentiation: Unlike generic SAST tools, Supaguard specializes in Supabase-specific threats (e.g., JWT key leaks, RLS misconfigurations). It outperforms manual audits with scans that finish in under five minutes and produce actionable reports.
- Key Innovation: Its "RLS Attack Simulation" uses OPTIONS requests to safely map the access paths a leaked key opens, without mutating data, so the report reflects access that was actually confirmed against the live API rather than policies that merely look risky on paper.
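The OPTIONS/HEAD probing described under RLS Policy Vulnerability Detection and Write Permission Risk Assessment above, and as the "RLS Attack Simulation" here, as an added example in Node.js; this is not Supaguard's code. It assumes PostgREST's documented behaviour (an Allow header in the OPTIONS response listing the methods it accepts, and a Content-Range header on a HEAD request sent with Prefer: count=exact whose trailing number is the count of rows visible to the caller). The fetch implementation is injected so the example runs offline; the base URL, key, table names and mock responses are constructed for the example.

```javascript
// Added example (not Supaguard's code): probe a PostgREST table with the two
// non-mutating methods, OPTIONS and HEAD, and report what a given key can do.
// Assumptions: PostgREST answers OPTIONS with an Allow header listing the
// methods it accepts for that resource, and answers HEAD sent with
// "Prefer: count=exact" with a Content-Range header whose trailing number is
// the count of rows the caller is allowed to see. fetchImpl is injected so the
// example runs offline against the constructed mock below.
const WRITE_METHODS = ['POST', 'PATCH', 'PUT', 'DELETE'];

function parseAllow(header) {
  return (header || '').split(',').map((s) => s.trim().toUpperCase()).filter(Boolean);
}

// "0-999/1342" -> 1342, "*/0" -> 0, missing or unknown total -> null
function parseContentRangeTotal(header) {
  if (!header) return null;
  const m = /\/(\d+|\*)\s*$/.exec(header);
  if (!m || m[1] === '*') return null;
  return Number(m[1]);
}

async function probeTable(baseUrl, table, apiKey, fetchImpl) {
  const url = `${baseUrl}/rest/v1/${table}`;
  const auth = { apikey: apiKey, Authorization: `Bearer ${apiKey}` };

  // OPTIONS: which methods will the API accept for this resource with this key?
  const opt = await fetchImpl(url, { method: 'OPTIONS', headers: auth });
  const allowed = opt.status < 400 ? parseAllow(opt.headers.get('allow')) : [];

  // HEAD with count=exact: how many rows does RLS actually let this key see?
  const head = await fetchImpl(`${url}?select=*`, { method: 'HEAD', headers: { ...auth, Prefer: 'count=exact' } });
  const visibleRows = head.status < 400 ? parseContentRangeTotal(head.headers.get('content-range')) : null;

  const writable = allowed.filter((m) => WRITE_METHODS.includes(m));
  // An accepted GET only says the request form is allowed; RLS decides which
  // rows come back, so "readable" additionally requires a non-zero count.
  const readable = allowed.includes('GET') && visibleRows !== null && visibleRows > 0;
  let risk = 'none';
  if (writable.length > 0) risk = 'critical';
  else if (readable) risk = 'high';
  else if (allowed.includes('GET')) risk = 'low'; // reads accepted, rows hidden today; one policy change away
  return { table, allowed, writable, visibleRows, readable, risk };
}

async function probeAll(baseUrl, tables, apiKey, fetchImpl) {
  const out = [];
  for (const t of tables) out.push(await probeTable(baseUrl, t, apiKey, fetchImpl));
  return out;
}

// Constructed mock of a PostgREST instance. "profiles" accepts reads but RLS
// hides every row from this key; "orders" is fully exposed.
const MOCK_TABLES = {
  profiles: { allow: 'OPTIONS,GET,HEAD', rows: 0 },
  orders: { allow: 'OPTIONS,GET,HEAD,POST,PATCH,DELETE', rows: 1342 },
};

function mockResponse(status, pairs) {
  const map = new Map(Object.entries(pairs));
  return { status, headers: { get: (name) => (map.has(name.toLowerCase()) ? map.get(name.toLowerCase()) : null) } };
}

async function mockFetch(url, init) {
  const table = new URL(url).pathname.split('/').pop();
  const cfg = MOCK_TABLES[table];
  if (!cfg) return mockResponse(404, {});
  if (init.method === 'OPTIONS') return mockResponse(200, { allow: cfg.allow });
  if (init.method === 'HEAD') {
    const range = cfg.rows === 0 ? '*/0' : `0-${Math.min(cfg.rows, 1000) - 1}/${cfg.rows}`;
    return mockResponse(206, { 'content-range': range });
  }
  return mockResponse(405, {}); // the probe never sends anything else
}

probeAll('https://abcdefghijklmnopqrst.supabase.co', ['profiles', 'orders', 'missing'], 'anon-key', mockFetch)
  .then((rows) => console.table(rows));
```

Against a real project you would pass the global fetch instead of mockFetch and the real anon key (or, when one leaked, the service role key). Nothing in probeTable sends a body or a mutating method, which is what makes it safe to point at production.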
Frequently Asked Questions (FAQ)
- How does Supaguard detect Supabase API key leaks?
Supaguard crawls minified JavaScript bundles, pattern-matching Supabase client initializations and parsing the surrounding code as an AST to recover the key literals, then classifies each as a public (anon) or private (service role) key.
- Can Supaguard help prevent PCI compliance violations?
Yes. It flags potential PCI leaks through Luhn-validated card number detection combined with column-name heuristics (e.g., "cvc" or "card_number"), reducing audit scope by 70%.
- Is Supaguard safe for production databases?
Yes. It uses non-mutating methods (OPTIONS/HEAD) for RLS checks and never inserts, updates, or deletes data during a scan.
- What frameworks does Supaguard support?
Any JavaScript-based Supabase client, including React, Next.js, Vue, Svelte, and vanilla JS deployments.
- How quickly does Supaguard alert about vulnerabilities?
Scans complete in under five minutes, with real-time Slack/email alerts for critical exposures such as a leaked service role key or a write-enabled RLS policy.
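The Sensitive Data Alerts logic from Main Features and the PCI answer above (column-name heuristics plus Luhn validation), as an added example in Node.js; this is not Supaguard's code. The token lists, confidence rules and the sampled "orders" table are constructed for the example; it goes slightly beyond the text by reporting a confidence level that depends on whether the column name and the sampled values agree.

```javascript
// Added example (not Supaguard's code): classify table columns as PII/PCI
// using column-name heuristics plus value validation (Luhn for card numbers,
// a simple regex for e-mail). The table at the bottom is constructed sample data.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PCI_TOKENS = new Set(['card', 'cc', 'ccnum', 'pan', 'cvv', 'cvv2', 'cvc', 'expiry', 'exp']);
const CRED_TOKENS = new Set(['password', 'passwd', 'pwd', 'secret', 'token']);

// Luhn check on a digit string of plausible PAN length (12-19 digits).
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// What the column name suggests, splitting on underscores, dashes, etc.
function nameHint(column) {
  const tokens = column.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  if (tokens.some((t) => PCI_TOKENS.has(t) || t.includes('card'))) return 'pci';
  if (tokens.some((t) => t === 'email' || t === 'mail')) return 'email';
  if (tokens.some((t) => CRED_TOKENS.has(t))) return 'credential';
  return null;
}

// What a sampled value looks like on its own (spaces/dashes stripped for Luhn).
function valueHint(value) {
  const s = String(value);
  if (luhnValid(s.replace(/[\s-]/g, ''))) return 'pan';
  if (EMAIL_RE.test(s)) return 'email';
  return null;
}

function classifyColumn(column, samples) {
  const byName = nameHint(column);
  const hints = samples.map(valueHint);
  const ratio = (kind) => (samples.length ? hints.filter((h) => h === kind).length / samples.length : 0);
  const pans = ratio('pan');
  const emails = ratio('email');

  if (byName === 'pci' && pans >= 0.5) return { category: 'pan', confidence: 'high' };
  // CVV/expiry columns hold no Luhn-valid values, but CVV must never be stored at all under PCI DSS.
  if (byName === 'pci') return { category: 'pci_field', confidence: 'medium' };
  // Roughly one random 16-digit string in ten passes Luhn, so values alone give only medium confidence.
  if (pans >= 0.5) return { category: 'pan', confidence: 'medium' };
  if (byName === 'email' && emails >= 0.5) return { category: 'email', confidence: 'high' };
  if (byName === 'email' || emails >= 0.5) return { category: 'email', confidence: 'medium' };
  if (byName === 'credential') return { category: 'credential', confidence: 'medium' };
  return null;
}

function scanTable(table) {
  const findings = [];
  for (const [column, samples] of Object.entries(table.columns)) {
    const c = classifyColumn(column, samples);
    if (c) findings.push({ table: table.name, column, ...c });
  }
  return findings;
}

// Constructed sample: a few values per column, as a scanner would sample them.
const SAMPLE_TABLE = {
  name: 'orders',
  columns: {
    id: ['1' + '0'.repeat(14) + '1', '1' + '0'.repeat(14) + '2'],            // plain ids, fail Luhn
    order_ref: ['1' + '0'.repeat(14) + '8', '2' + '0'.repeat(14) + '6'],     // pass Luhn by chance
    email: ['alice@example.com', 'bob@example.org'],
    card_number: ['4111 1111 1111 1111', '3782-822463-10005'],               // standard test PANs
    cvv: ['123', '456'],
    password_hash: ['$2b$12$abc', '$2b$12$def'],
    notes: ['gift wrap', 'leave at door'],
  },
};

console.table(scanTable(SAMPLE_TABLE));
```

The order_ref column is the caveat from the Sensitive Data Alerts section in action: both constructed values pass Luhn, so the column is reported, but only at medium confidence because nothing in its name suggests card data. A reviewer can then confirm or dismiss it rather than treating it as a finding of the same weight as card_number.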
