supascan 0.0.0

package/.bun-version

@@ -0,0 +1 @@
+1.3.2

package/.github/workflows/release-github.yml

@@ -0,0 +1,70 @@
+name: Create GitHub Release
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+
+  release:
+    needs: tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+
+      - run: bun install --frozen-lockfile
+      - run: bun run build:binary
+
+      - name: Get version from package.json
+        id: pkg
+        run: echo "version=$(bun -e "console.log(require('./package.json').version)")" >> $GITHUB_OUTPUT
+
+      - name: Check if tag exists
+        id: tag-check
+        run: |
+          if git rev-parse "v${{ steps.pkg.outputs.version }}" >/dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create and push tag
+        if: steps.tag-check.outputs.exists == 'false'
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag v${{ steps.pkg.outputs.version }}
+          git push origin v${{ steps.pkg.outputs.version }}
+
+      - name: Check if release exists
+        id: release-check
+        run: |
+          if gh release view "v${{ steps.pkg.outputs.version }}" >/dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Create GitHub Release
+        if: steps.release-check.outputs.exists == 'false'
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: v${{ steps.pkg.outputs.version }}
+          name: Release v${{ steps.pkg.outputs.version }}
+          generate_release_notes: true
+          files: |
+            dist/supascan

package/.github/workflows/release-npm.yml

@@ -0,0 +1,45 @@
+name: Publish to npm
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+
+  publish:
+    needs: tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+
+      - run: bun install --frozen-lockfile
+      - run: bun run build:bundle
+
+      - name: Get version from package.json
+        id: pkg
+        run: echo "version=$(bun -e "console.log(require('./package.json').version)")" >> $GITHUB_OUTPUT
+
+      - name: Check if version exists on npm
+        id: npm-check
+        run: |
+          if npm view supascan@${{ steps.pkg.outputs.version }} version 2>/dev/null; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Publish to npm
+        if: steps.npm-check.outputs.exists == 'false'
+        run: bun publish --access public
+        env:
+          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/tests.yml

@@ -0,0 +1,36 @@
+name: Tests
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version-file: ".bun-version"
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Lint
+        run: bun run lint
+
+      - name: Run tests
+        run: bun run test
+
+      - name: Build bundle
+        run: bun run build:bundle
+
+      - name: Build binary
+        run: bun run build:binary

package/LICENCE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025-present Abhishek Govindarasu 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,115 @@
+# supascan
+
+[![.github/workflows/tests.yml](https://github.com/abhishekg999/supascan/actions/workflows/tests.yml/badge.svg)](https://github.com/abhishekg999/supascan/actions/workflows/tests.yml) [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/abhishekg999/supascan/master/LICENCE)
+
+**supascan** is an automated security scanner for Supabase databases. It detects exposed data, analyzes Row Level Security (RLS) policies, tests RPC functions, and generates comprehensive security reports.
+
+## Features
+
+- Automated schema and table discovery
+- RLS policy effectiveness testing
+- Exposed data detection with row count estimation
+- RPC function parameter analysis and testing
+- JWT token decoding and validation
+- Multiple output formats (Console, JSON, HTML)
+- Interactive HTML reports with live query interface
+- Credential extraction from JavaScript files (experimental)
+
+## Installation
+
+**Note:**
+
+- Primarily tested with [Bun](https://bun.sh) runtime (Node.js support is experimental)
+
+**Bun:**
+
+```bash
+bun install -g supascan
+```
+
+**NPM:**
+
+```bash
+npm install -g supascan
+```
+
+**From source:**
+
+```bash
+git clone https://github.com/abhishekg999/supascan.git
+cd supascan
+bun install
+bun run build
+```
+
+## Usage
+
+To get basic options and usage:
+
+```bash
+supascan --help
+```
+
+### Quick Start
+
+```bash
+# Basic security scan
+supascan --url https://your-project.supabase.co --key your-anon-key
+
+# Generate HTML report
+supascan --url https://your-project.supabase.co --key your-anon-key --html
+
+# Analyze specific schema
+supascan --url https://your-project.supabase.co --key your-anon-key --schema public
+
+# Dump table data
+supascan --url https://your-project.supabase.co --key your-anon-key --dump public.users --limit 100
+
+# Test RPC function
+supascan --url https://your-project.supabase.co --key your-anon-key --rpc public.my_function --args '{"param": "value"}'
+```
+
+## What supascan Detects
+
+- **Exposed Tables**: Tables readable without authentication or with weak RLS
+- **Data Leakage**: Estimated row counts for accessible tables
+- **RPC Vulnerabilities**: Publicly callable functions and their parameters
+- **JWT Issues**: Token expiration, role assignments, and claims
+- **Schema Information**: Complete database structure visibility
+
+## Security Considerations
+
+⚠️ **Important**: This tool is for authorized security testing only.
+
+- Only scan databases you own or have explicit permission to test
+- Use on staging/development environments when possible
+- Never use on production databases without proper authorization
+- Be aware that scanning may trigger rate limits or monitoring alerts
+
+Unauthorized database scanning may be illegal in your jurisdiction.
+
+## Development
+
+```bash
+# Install dependencies
+bun install
+
+# Run locally
+bun run start
+
+# Run tests
+bun test
+
+# Build
+bun run build
+```
+
+## License
+
+supascan is distributed under the [MIT License](LICENCE).
+
+## Links
+
+- **Homepage**: https://github.com/abhishekg999/supascan
+- **Issues**: https://github.com/abhishekg999/supascan/issues
+- **NPM**: https://www.npmjs.com/package/supascan

package/apps/cli/build.ts

@@ -0,0 +1,37 @@
+import { $ } from "bun";
+import { mkdir, readFile } from "fs/promises";
+
+console.log("Building CLI...");
+
+await $`tsc --noEmit`;
+
+console.log("Building web app for embedding...");
+await $`cd ../web && bun run build`;
+
+const webHtml = await readFile("../web/dist/index.html", "utf-8");
+
+await Bun.write(
+  "./src/embedded-report.ts",
+  `export const reportTemplate = ${JSON.stringify(webHtml)};`,
+);
+
+await mkdir("./dist", { recursive: true });
+
+const nodeBuild = await Bun.build({
+  entrypoints: ["./src/index.ts"],
+  outdir: "./dist",
+  minify: true,
+  target: "node",
+  banner: "#!/usr/bin/env node",
+  naming: {
+    entry: "supascan.js",
+  },
+});
+
+if (!nodeBuild.success) {
+  console.error("Failed to bundle CLI");
+  for (const log of nodeBuild.logs) console.error(log);
+  process.exit(1);
+}
+
+console.log("✓ CLI built: dist/supascan.js");

package/apps/cli/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "supascan",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/supascan.js",
+  "bin": {
+    "supascan": "./dist/supascan.js"
+  },
+  "files": [
+    "dist/**"
+  ],
+  "scripts": {
+    "build": "bun run build.ts",
+    "dev": "bun run src/index.ts",
+    "lint": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@commander-js/extra-typings": "^14.0.0",
+    "@supabase/supabase-js": "^2.75.0",
+    "@supascan/core": "workspace:*",
+    "commander": "^14.0.1",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5.9.3"
+  }
+}

package/apps/cli/src/commands/analyze.ts

@@ -0,0 +1,213 @@
+import {
+  analyze,
+  type AnalysisResult,
+  type RPCParameter,
+} from "@supascan/core";
+import pc from "picocolors";
+import type { CLIContext } from "../context";
+import { log } from "../formatters/console";
+import { handleEvent } from "../formatters/events";
+
+export async function executeAnalyzeCommand(
+  ctx: CLIContext,
+  options: { schema?: string },
+): Promise<void> {
+  if (ctx.html) {
+    const { reportTemplate } = await import("../embedded-report");
+    const { generateTempFilePath, writeHtmlFile } = await import(
+      "../utils/files"
+    );
+    const { openInBrowser } = await import("../utils/browser");
+
+    const config = {
+      url: ctx.url,
+      key: ctx.key,
+      headers: ctx.headers,
+      autorun: true,
+    };
+    const encoded = Buffer.from(JSON.stringify(config)).toString("base64");
+
+    const filePath = generateTempFilePath();
+    const htmlContent = reportTemplate.replace(
+      "</head>",
+      `<script>window.__SUPASCAN_CONFIG__ = "${encoded}";</script></head>`,
+    );
+    writeHtmlFile(filePath, htmlContent);
+
+    openInBrowser(filePath);
+    log.success(`HTML report generated: ${filePath}`);
+    return;
+  }
+
+  const analysisGen = analyze(ctx.client, ctx.url, ctx.key, options);
+  let analysisResult;
+
+  while (true) {
+    const next = await analysisGen.next();
+    if (next.done) {
+      analysisResult = next.value;
+      break;
+    }
+    handleEvent(ctx, next.value);
+  }
+
+  if (!analysisResult || !analysisResult.success) {
+    log.error(
+      "Analysis failed",
+      analysisResult?.error.message ?? "Unknown error",
+    );
+    process.exit(1);
+  }
+
+  if (ctx.json) {
+    console.log(JSON.stringify(analysisResult.value, null, 2));
+  } else {
+    displayAnalysisResult(analysisResult.value);
+  }
+}
+
+function displayAnalysisResult(result: AnalysisResult): void {
+  console.log();
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log(pc.bold(pc.cyan("  SUPABASE DATABASE ANALYSIS")));
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log();
+
+  console.log(pc.bold(pc.yellow("TARGET SUMMARY")));
+  console.log(pc.dim("-".repeat(20)));
+  console.log(pc.bold("Domain:"), pc.white(result.summary.domain));
+
+  if (result.summary.metadata?.service) {
+    console.log(pc.bold("Service:"), pc.white(result.summary.metadata.service));
+  }
+
+  if (result.summary.metadata?.region) {
+    console.log(
+      pc.bold("Project ID:"),
+      pc.white(result.summary.metadata.region),
+    );
+  }
+
+  if (result.summary.metadata?.title) {
+    console.log(pc.bold("Title:"), pc.white(result.summary.metadata.title));
+  }
+
+  if (result.summary.metadata?.version) {
+    console.log(pc.bold("Version:"), pc.white(result.summary.metadata.version));
+  }
+
+  if (result.summary.jwtInfo) {
+    console.log();
+    console.log(pc.bold(pc.yellow("JWT TOKEN INFO")));
+    console.log(pc.dim("-".repeat(20)));
+
+    if (result.summary.jwtInfo.iss) {
+      console.log(pc.bold("Issuer:"), pc.white(result.summary.jwtInfo.iss));
+    }
+    if (result.summary.jwtInfo.aud) {
+      console.log(pc.bold("Audience:"), pc.white(result.summary.jwtInfo.aud));
+    }
+    if (result.summary.jwtInfo.role) {
+      console.log(pc.bold("Role:"), pc.white(result.summary.jwtInfo.role));
+    }
+    if (result.summary.jwtInfo.exp) {
+      const expDate = new Date(result.summary.jwtInfo.exp * 1000);
+      console.log(pc.bold("Expires:"), pc.white(expDate.toISOString()));
+    }
+    if (result.summary.jwtInfo.iat) {
+      const iatDate = new Date(result.summary.jwtInfo.iat * 1000);
+      console.log(pc.bold("Issued:"), pc.white(iatDate.toISOString()));
+    }
+  }
+
+  console.log();
+  console.log(pc.bold(pc.cyan("DATABASE ANALYSIS")));
+  console.log(pc.dim("-".repeat(20)));
+  console.log(
+    pc.bold("Schemas discovered:"),
+    pc.green(result.schemas.length.toString()),
+  );
+  console.log();
+
+  Object.entries(result.schemaDetails).forEach(([schema, analysis]) => {
+    console.log(pc.bold(pc.cyan(`Schema: ${schema}`)));
+    console.log();
+
+    const exposedCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "readable",
+    ).length;
+    const deniedCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "denied",
+    ).length;
+    const emptyCount = Object.values(analysis.tableAccess).filter(
+      (a) => a.status === "empty",
+    ).length;
+
+    console.log(
+      pc.bold("Tables:"),
+      pc.green(analysis.tables.length.toString()),
+    );
+    console.log(
+      pc.dim(
+        `  ${exposedCount} exposed | ${emptyCount} empty/protected | ${deniedCount} denied`,
+      ),
+    );
+    console.log();
+
+    if (analysis.tables.length > 0) {
+      analysis.tables.forEach((table) => {
+        const access = analysis.tableAccess[table];
+        let indicator = "";
+        let description = "";
+
+        switch (access?.status) {
+          case "readable":
+            indicator = pc.green("[+]");
+            description = pc.dim(`(~${access.rowCount ?? "?"} rows exposed)`);
+            break;
+          case "empty":
+            indicator = pc.yellow("[-]");
+            description = pc.dim("(0 rows - empty or RLS)");
+            break;
+          case "denied":
+            indicator = pc.red("[X]");
+            description = pc.dim("(access denied)");
+            break;
+        }
+
+        console.log(`  ${indicator} ${pc.white(table)} ${description}`);
+      });
+    } else {
+      console.log(pc.dim("  No tables found"));
+    }
+    console.log();
+
+    console.log(pc.bold("RPCs:"), pc.green(analysis.rpcs.length.toString()));
+    if (analysis.rpcFunctions.length > 0) {
+      analysis.rpcFunctions.forEach((rpc) => {
+        console.log(`  * ${pc.white(rpc.name)}`);
+        if (rpc.parameters.length > 0) {
+          rpc.parameters.forEach((param: RPCParameter) => {
+            const required = param.required
+              ? pc.red("(required)")
+              : pc.dim("(optional)");
+            const type = param.format
+              ? `${param.type} (${param.format})`
+              : param.type;
+            console.log(
+              `    - ${pc.cyan(param.name)}: ${pc.yellow(type)} ${required}`,
+            );
+          });
+        } else {
+          console.log(pc.dim("    No parameters"));
+        }
+      });
+    } else {
+      console.log(pc.dim("  No RPCs found"));
+    }
+    console.log();
+  });
+
+  console.log(pc.bold(pc.cyan("=".repeat(60))));
+  console.log();
+}

package/apps/cli/src/commands/dump.ts

@@ -0,0 +1,68 @@
+import { dumpTable } from "@supascan/core";
+import type { CLIContext } from "../context";
+import { log } from "../formatters/console";
+
+export async function executeDumpCommand(
+  ctx: CLIContext,
+  options: { dump: string; limit: string },
+): Promise<void> {
+  const parts = options.dump.split(".");
+
+  if (parts.length === 1) {
+    const schema = parts[0];
+    if (!schema) {
+      log.error("Invalid dump format. Use schema.table or schema");
+      process.exit(1);
+    }
+
+    log.info(`Dumping swagger for schema: ${schema}`);
+
+    const { data, error } = await ctx.client.schema(schema).from("").select();
+
+    if (error) {
+      log.error("Failed to fetch swagger", error.message);
+      process.exit(1);
+    }
+
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+
+  if (parts.length === 2) {
+    const schema = parts[0];
+    const table = parts[1];
+
+    if (!schema || !table) {
+      log.error("Invalid dump format. Use schema.table");
+      process.exit(1);
+    }
+
+    const limit = parseInt(options.limit);
+    if (isNaN(limit) || limit <= 0) {
+      log.error("Invalid limit value");
+      process.exit(1);
+    }
+
+    log.info(`Dumping table: ${schema}.${table} (limit: ${limit})`);
+
+    const result = await dumpTable(ctx.client, schema, table, limit);
+
+    if (!result.success) {
+      log.error("Failed to dump table", result.error.message);
+      process.exit(1);
+    }
+
+    if (ctx.json) {
+      console.log(JSON.stringify(result.value, null, 2));
+    } else {
+      console.log(
+        `\nTable: ${schema}.${table} (${result.value.count} total rows, showing ${result.value.rows.length})\n`,
+      );
+      console.table(result.value.rows);
+    }
+    return;
+  }
+
+  log.error("Invalid dump format. Use schema.table or schema");
+  process.exit(1);
+}