Supabase Security Invoker View Drift Checker
Paste redacted Supabase view SQL, dashboard definition output, or migration diff notes and check whether a public view may have lost security_invoker = true, carries broad grants, or lacks the regression evidence needed to prove RLS still applies.
Use this when
- 1. A view fronts protected rows: Your app reads through a public view that selects from RLS-protected tables.
- 2. A migration or dashboard edit changed the view: A create or replace view or diff may omit security_invoker.
- 3. Anon access must be proven: You need concrete anon/authenticated smoke tests before trusting the launch.
Use redacted SQL only. Do not paste secrets, private connection strings, real user data, customer records, payment data, private screenshots, full names, private handles, full transaction identifiers, credential values, service-role keys, or dashboard screenshots. This page runs locally in the browser and does not use network requests, browser storage, or a backend.
Evidence to keep before launch
- Current deployed view definition includes with (security_invoker = true) or with (security_invoker=on).
- Migration output preserves the view option when it uses create or replace view.
- Underlying tables have RLS enabled and policies are tested as anon, authenticated, and one wrong-owner authenticated user.
- Broad grant select on a view is paired with proof that caller RLS applies, not creator-role access.
- Any dashboard-copied SQL is treated as untrusted until it is compared to pg_class.reloptions or equivalent deployed metadata.
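A static check for the migration and grant items above, as an added JavaScript example (not this page's own checker code): it replays redacted migration SQL statement by statement and reports each view whose last definition lacks security_invoker, together with any select grants to anon, authenticated or public. The regexes, function names and sample SQL are assumptions constructed for illustration, and the result still has to be compared with pg_class.reloptions on the deployed database.

```javascript
// Added example: regex-based drift scan over redacted migration SQL (not a SQL parser).
const TRUTHY = new Set(["true", "on", "yes", "1"]); // common boolean spellings PostgreSQL accepts
const CREATE_RE = /^\s*create\s+(?:or\s+replace\s+)?view\s+([\w."]+)\s*(?:\([^)]*\)\s*)?(?:with\s*\(([^)]*)\)\s*)?as\b/i;
const ALTER_RE = /^\s*alter\s+view\s+(?:if\s+exists\s+)?([\w."]+)\s+set\s*\(([^)]*)\)/i;
const GRANT_RE = /^\s*grant\s+([\w\s,]+?)\s+on\s+(?:table\s+)?([\w."]+)\s+to\s+(.+)$/is;
// Drop comments so a commented-out option or grant is not counted.
const stripComments = (sql) => sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
// Lower-case, unquote, and default the schema to public (assumption of this example).
const normName = (raw) => (raw.includes(".") ? "" : "public.") + raw.replace(/"/g, "").toLowerCase();
// Read security_invoker from an option list; a bare option name means true.
function invokerOn(options) {
  const m = /security_invoker\s*(?:=\s*'?(\w+)'?)?/i.exec(options || "");
  return !!m && (m[1] === undefined || TRUTHY.has(m[1].toLowerCase()));
}

// Replay statements in order: the last CREATE or ALTER for a view decides its state.
function checkViewDrift(sql) {
  const views = new Map(), grants = new Map();
  for (const stmt of stripComments(sql).split(";")) {
    let m;
    if ((m = CREATE_RE.exec(stmt))) {
      views.set(normName(m[1]), invokerOn(m[2])); // omitted WITH clause counts as off
    } else if ((m = ALTER_RE.exec(stmt)) && /security_invoker/i.test(m[2])) {
      views.set(normName(m[1]), invokerOn(m[2]));
    } else if ((m = GRANT_RE.exec(stmt)) && /\b(select|all)\b/i.test(m[1])) {
      const roles = m[3].toLowerCase().match(/\b(anon|authenticated|public)\b/g) || [];
      const name = normName(m[2]);
      grants.set(name, [...new Set([...(grants.get(name) || []), ...roles])]);
    }
  }
  return [...views].map(([view, securityInvoker]) => {
    const broadSelect = grants.get(view) || [];
    const risk = securityInvoker ? "ok" : broadSelect.length ? "high" : "review";
    return { view, securityInvoker, broadSelect, risk };
  });
}

// Constructed sample: a later migration re-creates the view without the option.
const SAMPLE_SQL = `
create view public.member_profiles with (security_invoker = true) as
  select id, display_name from public.profiles;
grant select on public.member_profiles to anon, authenticated;
-- later migration, as emitted by a diff that dropped the option
create or replace view public.member_profiles as select id, plan from public.profiles;
create view public.audit_feed as select * from public.audit_log;
alter view public.audit_feed set (security_invoker = on);
`;
console.log(checkViewDrift(SAMPLE_SQL));
```

A "high" result means the view is readable by a broad role while its last definition in the migrations has no security_invoker; "review" means the option is missing but no broad grant was seen in the pasted SQL.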
Need a second pass?
The fixed-scope report can review one redacted Supabase view/RLS packet: likely drift, grant boundary, anon/authenticated smoke tests, and the exact evidence to keep before users touch real data. The sample report is fictional and shows the report shape before checkout.
Source-backed problem set
Supabase view security
Official docs explain that views default to creator permissions and need security_invoker for RLS.
Supabase RLS docs
Official docs describe policy behavior and role-specific testing expectations.
Open CLI issue
Public report that db diff can omit the security_invoker option for views.
Dashboard drift report
Public bug report showing dashboard definition output missing the view option.