Integrate your Supabase Projects
By connecting your Supabase organization to Aikido, our pentest agents get deeper context about your setup, helping them uncover security issues that could otherwise go unnoticed.
During a pentest, the agents try to find vulnerabilities in your application and need to interact with it to do so. This can result in test data being created in your Supabase project.
What is covered in a Supabase pentest?
With the Supabase integration, Aikido reviews your Supabase project configuration and gives our pentest agents the context they need to find more hidden security issues.
The following areas are tested:
RLS policies: Row Level Security (RLS) policies decide who can view or change data. If they are misconfigured, private customer or business data can become accessible to the wrong users.
Storage buckets: These often contain sensitive uploads, documents, images, or exports. A small configuration mistake can make sensitive files public without you realizing it.
Edge Functions: These often handle important backend logic, such as payments, account actions, or integrations. If they are not properly protected, attackers may be able to abuse that logic or access data behind it.
PostgREST exposure: Supabase can expose database data through APIs. This needs to be checked so only the intended data and actions are reachable.
Auth configuration: Login and signup settings are what protect user accounts. Weak settings can make account abuse, fake signups, or unauthorized access possible.
Realtime: Realtime features send live updates to users. If access is too broad, private data can be exposed through updates sent to the wrong users.
Service and anon key exposure: Keys allow your app to connect to Supabase. When exposed in the wrong place, they can give attackers a way to misuse your project.
Database configuration: Public schema exposure and dangerous extensions can accidentally open up sensitive parts of your database. Testing this helps catch risky settings before attackers can use them to access data.
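To make the first three items above concrete, here is an added SQL example (not code from Aikido or Supabase) showing the kind of misconfiguration a pentest looks for and its corrected form. The `public.invoices` table, the `exports` bucket and the owner-based policies are constructed for illustration; the only Supabase-specific pieces are `auth.uid()`, `storage.objects`, `storage.buckets` and `storage.foldername()`, which exist in a standard Supabase project.

```sql
-- Constructed example table (assumption: not part of the page).
create table public.invoices (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null references auth.users (id),
  amount_cents integer not null,
  created_at  timestamptz not null default now()
);

-- Tables in the public schema are reachable through PostgREST with the anon key.
-- Until RLS is enabled, every row is readable by any caller that has that key.
alter table public.invoices enable row level security;

-- Weak policy: USING (true) hands every authenticated user every row,
-- which is the "misconfigured RLS" case the pentest reports.
create policy "invoices_read_weak" on public.invoices
  for select to authenticated
  using (true);

-- Corrected policies: a user can read and insert only rows they own.
-- Wrapping auth.uid() in a subselect lets Postgres evaluate it once per query.
drop policy "invoices_read_weak" on public.invoices;

create policy "invoices_read_own" on public.invoices
  for select to authenticated
  using ((select auth.uid()) = owner_id);

create policy "invoices_insert_own" on public.invoices
  for insert to authenticated
  with check ((select auth.uid()) = owner_id);

-- Storage: keep the bucket private (public = false) and grant access
-- per object through RLS on storage.objects. Here each user may only read
-- files stored under a folder named after their own user id.
insert into storage.buckets (id, name, public)
values ('exports', 'exports', false);

create policy "exports_read_own_folder" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'exports'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

-- Defender check: list tables in the public schema that still have RLS
-- disabled, i.e. exactly the tables the anon key can read in full.
select n.nspname as schema, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Run the final query in the SQL editor of a test project before starting an assessment: any table it returns is exposed regardless of which policies exist on other tables, and is usually the first thing a pentest of a Supabase project will flag.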
Connect Supabase and run a pentest
Connecting Supabase uses an OAuth authorization flow. Aikido is granted access to the Supabase organization you select during the flow, and you can revoke that access at any time from Supabase.
Create a new assessment
In Aikido, open your pentest project and click Create Assessment.

Define your scope
Add the entry point of the application built on top of your Supabase project. This should be the URL of your application, not your Supabase URL.
Aikido uses the application entry point to test your Supabase configuration the way real attackers would. This gives the agents the context of your application and business flows, helping them determine whether specific configurations are intentional or potentially risky.
We recommend running pentests against a test environment that closely mirrors production.

Connect Supabase As Part of Scope
To add Supabase, click on Add Scope and then connect Supabase.

Authorize Aikido on Supabase
On the Supabase Configuration page, click Connect Supabase. You'll be redirected to Supabase, where you can review the requested permissions and pick which organization to grant access to.
Approve the authorization. Aikido receives a short-lived authorization code and exchanges it for a refresh token used to list your projects. No Personal Access Token needs to be created or stored.

Name your cloud configuration
Back in Aikido, give the connected Supabase organization a name and select the environment it represents (production, staging, etc.). This helps Aikido prioritize findings based on severity and business impact.

Select your Supabase project
Aikido sends you back to the Scope step. Pick the project you want to test from the dropdown. Aikido automatically adds the project's Supabase domain (or your custom domain, if configured) to the pentest scope.

Complete the rest of the setup
Go through the remaining steps of the assessment flow in Aikido. The most important parts are adding test users (so Aikido can reach authenticated areas of your app) and reviewing the discovered domains.
For each section, see:
How to Setup a Pentest — overview of the full setup flow
Setting Up Test Users — add test users and roles for deeper coverage
Scope of Assessment — mark domains as attackable or accessible
Leveraging Code and Documentation — link repositories so agents can reason about RLS policies and Edge Functions
Safety Measures — review the safety check before running
If you haven't already verified ownership of your Supabase domain for this pentest project, follow Supabase domain verification.