Building an OWASP Scanner for Supabase Apps
A deep dive into how we built GetDeployable's automated security scanner to catch vulnerabilities in Supabase-backed applications.
When we set out to build GetDeployable's security scanning, we knew we couldn't just wrap an off-the-shelf OWASP tool. Supabase apps have a unique architecture — RLS policies, edge functions, storage buckets, and auth configs — that generic scanners don't understand.
The Architecture
Our scanner operates in three layers:
Layer 1: Static Analysis
We parse your Supabase migration files and edge function code to identify potential vulnerabilities without executing anything. This catches things like:
- SQL injection patterns in raw queries
- Missing auth checks in edge functions
- Hardcoded secrets in server-side code
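To make the static layer concrete, here is an added example of the three checks above implemented as plain regex rules over source text. This is illustrative code written for this post, not GetDeployable's scanner; the rule patterns, the `Deno.serve` and `auth.getUser` markers it looks for, and both sample files (one edge function with three planted problems, one plpgsql migration, plus a hardened edge function that should pass) are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    detail: str

# Rule patterns (assumed heuristics, not the real scanner's rule set).
JWT_LITERAL = re.compile(r'["\']eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_.-]+["\']')
SECRET_ASSIGN = re.compile(r'(?i)\b[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD)\s*=\s*["\'][^"\']{8,}["\']')
# A JS template literal that contains a SQL verb and an interpolation: `${...}` inside SQL.
TEMPLATE_SQL = re.compile(r'`[^`]*\b(?:select|insert|update|delete)\b[^`]*\$\{[^`]*`', re.I | re.S)
# plpgsql dynamic SQL built with || concatenation.
PLPGSQL_CONCAT = re.compile(r'\bexecute\b[^;]*\|\|', re.I)
# Any of these in a handler counts as "the caller's identity was inspected".
AUTH_MARKERS = ("auth.getUser(", "auth.getSession(",
                'headers.get("Authorization")', "headers.get('authorization')")

def scan_edge_function(path, source):
    """Static checks for one Deno edge function; returns findings in rule order."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if JWT_LITERAL.search(line) or SECRET_ASSIGN.search(line):
            findings.append(Finding("hardcoded-secret", path, n, line.strip()))
    for m in TEMPLATE_SQL.finditer(source):
        n = source.count("\n", 0, m.start()) + 1
        findings.append(Finding("sql-injection", path, n, "template literal interpolates into SQL"))
    if "Deno.serve(" in source and not any(marker in source for marker in AUTH_MARKERS):
        findings.append(Finding("missing-auth-check", path, 1, "handler never inspects the caller's JWT"))
    return findings

def scan_migration(path, sql):
    """Flag plpgsql functions that build dynamic SQL by concatenation."""
    return [Finding("sql-injection", path, n, "dynamic SQL built by string concatenation")
            for n, line in enumerate(sql.splitlines(), 1) if PLPGSQL_CONCAT.search(line)]

# Constructed sample: edge function with a hardcoded key, interpolated SQL, no auth check.
SAMPLE_EDGE_FUNCTION = """\
import { createClient } from "npm:@supabase/supabase-js@2";
const SERVICE_KEY = "eyJhbGciOiJIUzI1NiJ9.placeholder.signature";
Deno.serve(async (req) => {
  const { id } = await req.json();
  const supabase = createClient(Deno.env.get("SUPABASE_URL")!, SERVICE_KEY);
  const { data } = await supabase.rpc("exec_sql", { q: `select * from orders where id = '${id}'` });
  return new Response(JSON.stringify(data));
});
"""

# Constructed sample: the same handler written the way the rules expect.
HARDENED_EDGE_FUNCTION = """\
import { createClient } from "npm:@supabase/supabase-js@2";
Deno.serve(async (req) => {
  const { id } = await req.json();
  const supabase = createClient(
    Deno.env.get("SUPABASE_URL")!,
    Deno.env.get("SUPABASE_ANON_KEY")!,
    { global: { headers: { Authorization: req.headers.get("Authorization")! } } },
  );
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) return new Response("unauthorized", { status: 401 });
  const { data } = await supabase.from("orders").select("*").eq("id", id);
  return new Response(JSON.stringify(data));
});
"""

# Constructed sample migration with concatenated dynamic SQL.
SAMPLE_MIGRATION = """\
create function public.search_users(term text) returns setof users
language plpgsql as $$
begin
  return query execute 'select * from users where name like ''%' || term || '%''';
end;
$$;
"""

if __name__ == "__main__":
    for f in scan_edge_function("functions/orders/index.ts", SAMPLE_EDGE_FUNCTION):
        print(f)
    print("hardened:", scan_edge_function("functions/orders/index.ts", HARDENED_EDGE_FUNCTION))
    print(scan_migration("migrations/0001_search.sql", SAMPLE_MIGRATION))
```

The hardened version forwards the caller's Authorization header to the client, checks `auth.getUser()`, and uses the query builder instead of interpolated SQL, so all three rules stay quiet on it. Rules this simple have false positives (a `${}` inside a comment, for instance), which is why a static layer is paired with the dynamic one.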
Layer 2: Dynamic Testing
Against your staging environment, we run actual HTTP requests to test for runtime vulnerabilities. This includes:
- Authentication bypass attempts
- RLS policy enumeration
- Storage bucket access testing
- CORS misconfiguration detection
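As an added example of the last item, here is the classification logic a dynamic layer applies once it has a response in hand. It is written for this post and is not GetDeployable's code: it evaluates response headers that were already captured (so it runs offline) for a request sent with an untrusted `Origin`, and grades the result by whether an untrusted site could read the body and whether credentials would accompany the request. The probe origin, trusted-origin list and the four sample responses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CorsResult:
    severity: str   # "ok", "medium" or "high"
    reason: str

def assess_cors(probe_origin, response_headers, trusted_origins):
    """Classify one response to a request that carried `Origin: probe_origin`.

    probe_origin is an origin the app should NOT trust. The result says whether
    that origin could read the body cross-site and whether credentials would be
    sent along (the combination that exposes authenticated data)."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return CorsResult("ok", "no Access-Control-Allow-Origin header; cross-origin reads are blocked")
    if acao == "*":
        # Browsers refuse '*' combined with credentials, so only responses that
        # need no auth are exposed, but those are still readable from any site.
        return CorsResult("medium", "wildcard origin: any site can read unauthenticated responses")
    if acao in trusted_origins:
        return CorsResult("ok", f"allowed origin {acao} is on the trusted list")
    if acao == probe_origin or acao == "null":
        if creds:
            return CorsResult("high", f"untrusted origin {acao} reflected with credentials")
        return CorsResult("medium", f"untrusted origin {acao} reflected without credentials")
    return CorsResult("medium", f"unexpected allowed origin {acao}")

# Constructed inputs: the origin the probe claimed, and the origins the app should allow.
PROBE_ORIGIN = "https://untrusted.example"
TRUSTED_ORIGINS = {"https://app.example.com"}

# Constructed captured responses, keyed by the endpoint they came from.
SAMPLE_RESPONSES = {
    "edge-fn-reflects": {"Access-Control-Allow-Origin": "https://untrusted.example",
                         "Access-Control-Allow-Credentials": "true"},
    "edge-fn-wildcard": {"Access-Control-Allow-Origin": "*"},
    "edge-fn-strict":   {"Access-Control-Allow-Origin": "https://app.example.com", "Vary": "Origin"},
    "edge-fn-no-cors":  {"Content-Type": "application/json"},
}

def scan_responses(responses, probe_origin=PROBE_ORIGIN, trusted=TRUSTED_ORIGINS):
    """Run the classifier over every captured response; returns {endpoint: CorsResult}."""
    return {name: assess_cors(probe_origin, hdrs, trusted) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, result in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{name:18} {result.severity:6} {result.reason}")
```

The only "high" grade is the reflected-origin-with-credentials case, which is the one that lets a third-party page read an authenticated user's data; an allow-list that echoes the trusted origin together with `Vary: Origin` is what the strict sample shows.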
Layer 3: Schema Analysis
We inspect your database schema for PII patterns and compliance risks:
- Columns that look like they contain personal data (email, phone, SSN patterns)
- Missing encryption on sensitive fields
- Audit trail gaps for compliance-critical tables
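To show what the schema layer does with the three items above, here is an added example that walks a migration's `create table` statements, tags columns whose names look like PII, flags high-risk fields stored as plaintext, and reports tables holding PII that have no audit trigger. This is illustrative code for this post, not GetDeployable's implementation. Two conventions are assumed rather than taken from the page: encrypted-at-rest columns are `bytea` (as with pgsodium), and an audit trail is a `create trigger ... on <table>` statement. The sample schema is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Name patterns that suggest personal data (assumed heuristics).
PII_PATTERNS = {
    "email":   re.compile(r"e[-_]?mail", re.I),
    "phone":   re.compile(r"phone|mobile|tel(ephone)?", re.I),
    "ssn":     re.compile(r"\bssn\b|social[-_]?security|national[-_]?id", re.I),
    "dob":     re.compile(r"birth|\bdob\b", re.I),
    "address": re.compile(r"street|postal|zip[-_]?code|address", re.I),
}
HIGH_RISK = {"ssn", "dob"}          # kinds that should never sit in plaintext
ENCRYPTED_TYPES = {"bytea"}         # assumed convention for encrypted-at-rest columns
CONSTRAINT_WORDS = {"primary", "constraint", "unique", "foreign", "check"}

CREATE_TABLE = re.compile(
    r"create\s+table\s+(?:if\s+not\s+exists\s+)?(?:(\w+)\.)?(\w+)\s*\((.*?)\)\s*;", re.I | re.S)
CREATE_TRIGGER = re.compile(
    r"create\s+trigger\s+\w+\s+.*?\bon\s+(?:(\w+)\.)?(\w+)\b", re.I | re.S)

@dataclass(frozen=True)
class SchemaFinding:
    rule: str
    table: str
    column: Optional[str]
    detail: str

def split_columns(body):
    """Split a CREATE TABLE body on top-level commas (ignores commas inside parens)."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts

def scan_schema(sql):
    findings = []
    audited = {f"{(s or 'public').lower()}.{t.lower()}" for s, t in CREATE_TRIGGER.findall(sql)}
    for schema, table, body in CREATE_TABLE.findall(sql):
        qualified = f"{(schema or 'public').lower()}.{table.lower()}"
        holds_pii = False
        for coldef in split_columns(body):
            tokens = coldef.split()
            if not tokens or tokens[0].lower() in CONSTRAINT_WORDS:
                continue                      # table-level constraint, not a column
            name = tokens[0].strip('"')
            ctype = tokens[1].lower() if len(tokens) > 1 else ""
            for kind, pat in PII_PATTERNS.items():
                if pat.search(name):
                    holds_pii = True
                    findings.append(SchemaFinding("pii-column", qualified, name, f"looks like {kind}"))
                    if kind in HIGH_RISK and ctype not in ENCRYPTED_TYPES:
                        findings.append(SchemaFinding("unencrypted-sensitive", qualified, name,
                                                      f"stored as {ctype}, not an encrypted type"))
                    break
        if holds_pii and qualified not in audited:
            findings.append(SchemaFinding("audit-gap", qualified, None, "no audit trigger on table holding PII"))
    return findings

# Constructed sample migration: one table with plaintext PII and no audit trigger,
# one that follows the assumed conventions, and one with no PII at all.
SAMPLE_SCHEMA = """
create table public.patients (
  id uuid primary key default gen_random_uuid(),
  full_name text not null,
  email text unique,
  phone_number text,
  ssn text,
  date_of_birth date,
  created_at timestamptz default now()
);
create table public.audit_ready (
  id bigserial primary key,
  email text,
  ssn bytea
);
create trigger audit_ready_audit after insert or update or delete
  on public.audit_ready for each row execute function audit.log_change();
create table public.products (
  id bigserial primary key,
  name text,
  price numeric(10,2)
);
"""

if __name__ == "__main__":
    for f in scan_schema(SAMPLE_SCHEMA):
        print(f"{f.rule:22} {f.table}.{f.column or '*':15} {f.detail}")
```

Name-based detection is a starting point, not a verdict: a column called `notes` can hold as much personal data as one called `email`, so the findings are meant to drive a review of what each flagged table actually stores.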
Why This Matters
Generic web scanners miss 60-70% of issues specific to Supabase architectures. By building a scanner that understands the platform, we catch what others miss.
The result: zero critical vulnerabilities shipped to production across all GetDeployable users since launch.