Row Shield
Supabase public exposure scans

Find exposed rows before strangers do.

Row Shield scans Supabase projects for public table access, explains the credential model up front, and stores metadata instead of customer row values.

Public checks use anon access
Customer-held encryption
No stored row values
Public Exposure scan
Supabase public schema
Running

Tables checked

24

High risk

2

Rows stored

0

TableFindingSeverity
customer_notesPublic readHigh
profilesRLS disabledHigh
billing_eventsNo public rowsClear
invitationsPolicy reviewMedium

Trust model first

You stay in control of the keys Row Shield uses.

The product is explicit about why each credential exists, when it is needed, and what to revoke after the scan.

Public Exposure

Row Shield checks what an unauthenticated public client can read from your Supabase public schema.

Discovery Keys

Use a temporary elevated key only to discover tables. Public checks still run with the public API key.

Customer Encryption Keys

Credentials are encrypted in the browser with a key you hold before they are stored by Row Shield.

Revocation Instructions

Each setup flow tells you exactly which temporary keys to revoke after discovery is complete.

Discovery without guesswork

Clear setup, explicit revocation, practical evidence.

Row Shield is built for security teams that need a repeatable scan, not a black-box credential sink.

1Create a temporary Discovery Key in Supabase.
2Encrypt and save the key with your Customer Encryption Key.
3Run a public-schema scan against anon access.
4Review metadata, redacted evidence, and revocation steps.
Metadata, redacted evidence, and table profiles.
Row Shield records what it needs to explain a leak without keeping your live customer row values.

Table name

Stored for auditability and remediation context.

Exposure status

Stored for auditability and remediation context.

Redacted evidence

Stored for auditability and remediation context.

Ready to begin?

Start with the trust model, then sign in to scan.