
AuditYourApp vs Firebase Emulator Suite

Security testing vs local emulation

Last updated 2026-01-15

Feature | AuditYourApp | Firebase Emulator
Purpose | Security scanning | Local development & testing
Tests against production data model
Security rule validation
Automated vulnerability detection
Unit testing for rules
AI-powered analysis
Mobile app credential analysis
Local development environment
Supabase support
Cost | Credit-based | Free
Requires code changes
Production environment testing

AuditYourApp vs Firebase Emulator Suite: Different Tools for Different Problems

Comparing AuditYourApp to the Firebase Emulator Suite is somewhat like comparing a burglar alarm to a building inspector. Both contribute to the safety of your house, but they serve fundamentally different purposes. Understanding this distinction helps you use each tool where it provides the most value.

What the Firebase Emulator Suite Does

The Firebase Emulator Suite is a local development tool provided by Google that lets you run Firebase services (Firestore, Realtime Database, Cloud Storage, Authentication, and Cloud Functions) on your local machine. It allows developers to write and test security rules without deploying to production, run unit tests against those rules, and develop features without incurring Firebase usage costs or risking production data.

The Emulator Suite is excellent for what it does. Its security rules testing capability lets you write test cases that verify your rules behave as expected under specific conditions. You define test scenarios like "an authenticated user should be able to read their own profile" and "an unauthenticated user should not be able to read any profiles," and the emulator verifies these assertions against your rules.

What AuditYourApp Does

AuditYourApp is a security scanner that tests your production (or staging) Firebase and Supabase configurations for vulnerabilities. Rather than running predefined test cases, it actively probes your security configuration to find weaknesses you may not have anticipated. It approaches your application the way an attacker would: looking for open databases, overly permissive rules, exposed credentials, and misconfigurations that could lead to data breaches.

The Gap Between Testing and Scanning

Writing unit tests for security rules is a best practice, but it has a fundamental limitation: tests only verify the scenarios you think to test. If you do not write a test case for a specific attack vector, the emulator will not catch it. This is the classic problem with testing in general: you cannot test for what you have not imagined.

AuditYourApp fills this gap by bringing an attacker's perspective. Its checks are designed by security researchers who understand common Firebase exploitation techniques. It will test scenarios that many developers would not think to include in their unit tests, such as accessing data through alternative query patterns, exploiting wildcard rules, or leveraging authentication edge cases.
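A static pass over the rules file is one way to catch permissive patterns that no unit test happens to exercise. The sketch below is an added example, not code from AuditYourApp or Firebase. The function name `lintRules`, the sample rules and the three heuristics are assumptions: `public` means no condition or `if true`, `auth-only` means `request.auth != null` alone, and `recursive-wildcard` means a `{name=**}` match.

```javascript
// Added example: static heuristics over a Firestore rules file.
// SAMPLE_RULES is constructed; assumes one statement per line, not a full parser.
const SAMPLE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /posts/{postId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
    match /{document=**} {
      allow read: if request.auth != null;
    }
  }
}`;

function lintRules(source) {
  const stack = [];      // enclosing match paths ('' for the service block)
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, '').trim();   // drop // comments
    const m = line.match(/^match\s+(\S+)\s*\{$/);
    if (m) return void stack.push(m[1]);
    if (/^service\s+\S+\s*\{$/.test(line)) return void stack.push('');
    if (line === '}') return void stack.pop();
    const a = line.match(/^allow\s+([a-z,\s]+?)(?:\s*:\s*if\s+(.+?))?\s*;$/);
    if (!a) return;
    const path = stack.join('');
    const cond = (a[2] || 'true').replace(/\s+/g, ' '); // no condition = always allowed
    const issues = [];
    if (cond === 'true') issues.push('public');
    if (cond === 'request.auth != null') issues.push('auth-only');
    if (path.includes('=**}')) issues.push('recursive-wildcard');
    for (const issue of issues) {
      findings.push({ line: i + 1, path, methods: a[1].trim(), issue });
    }
  });
  return findings;
}

for (const f of lintRules(SAMPLE_RULES)) {
  console.log(`${f.line}: ${f.issue} on ${f.path} (${f.methods})`);
}
```

The owner-scoped `/users/{userId}` rule passes cleanly. The recursive wildcard is flagged because overlapping matches grant access when any one of them allows it, so a broad rule can undo a stricter one elsewhere in the file.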

Production vs Local

The Firebase Emulator runs locally against your rule definitions, but it does not test against your actual production environment. This means there could be discrepancies between your local rules and what is deployed, especially if rules were modified directly in the Firebase Console or if the deployment pipeline has issues. AuditYourApp tests the actual deployed configuration, ensuring that what is running in production matches your security expectations.

Additionally, AuditYourApp can analyze your mobile applications to find hardcoded Firebase configurations and credentials. The Emulator Suite has no visibility into how your client applications use Firebase credentials, which is a significant blind spot since many Firebase security issues originate from client-side misconfigurations.

Supabase Coverage

The Firebase Emulator Suite is, by definition, Firebase-only. If your application uses Supabase in addition to (or instead of) Firebase, the emulator provides no coverage. AuditYourApp covers both platforms, providing a unified security assessment regardless of your BaaS choices.

Cost Considerations

The Firebase Emulator Suite is free and open-source, which is a significant advantage. It is also maintained by Google, ensuring compatibility with the latest Firebase features. AuditYourApp has a per-scan cost, but the value it provides is fundamentally different from what the emulator offers.

When to Use Each

Use the Firebase Emulator Suite for:

  • Local development and feature testing
  • Writing unit tests for your security rules
  • Verifying rule behavior before deployment
  • Testing Cloud Functions locally
  • CI pipeline integration for rule validation

Use AuditYourApp for:

  • Security scanning of production configurations
  • Discovering vulnerabilities you did not anticipate
  • Mobile app credential and configuration analysis
  • Ongoing security monitoring with scheduled scans
  • Multi-platform (Supabase + Firebase) security assessment

The Recommended Workflow

The strongest security posture combines both tools in a complementary workflow:

  1. During development, use the Firebase Emulator to write and test security rules locally. This is your first line of defense and catches issues before they reach production.

  2. Before and after deployment, run AuditYourApp against your staging and production environments. This catches issues that your unit tests missed, verifies that deployment was successful, and identifies vulnerabilities from an attacker's perspective.

  3. On an ongoing basis, schedule AuditYourApp scans to detect configuration drift, newly introduced vulnerabilities, and changes that were made outside your normal deployment pipeline.

These tools are not competitors. They are complementary layers in a comprehensive Firebase security strategy.
