An enterprise-grade, asynchronous security auditing framework. Proactively identify RLS leaks, exposed storage, and insecure RPCs before they become a breach. Now with Stealth Mode and JWT Analysis.
A single misconfigured RLS policy can expose your entire database. Manual checks aren't enough. ssf automates the heavy lifting.
Built on Python's `asyncio` for blazing fast scans. Check hundreds of tables, buckets, and functions in seconds without timeouts.
It doesn't just find bugs; it understands them. Integrated with Gemini Pro to explain why a policy is dangerous and how to fix it via SQL.
Catch regressions before they reach production. Compare current scans against baselines and fail the build on new critical findings.
Detects tables with RLS disabled or permissive policies. Tests read/write access using the anon key.
Checks if `auth.users` or `auth.identities` are exposed, potentially leaking emails and user data.
Enumerates and fuzzes executable RPCs for SQL Injection and information leaks using context-aware payloads.
Identifies public buckets and sniffs Realtime channels for sensitive events being broadcast.
Scans local source code and migrations for hardcoded keys and weak security definitions.
Generates comprehensive threat models (DFD, Attack Paths) using AI to visualize risks.
Launch a browser-based interface to manage scans, view results, and monitor security posture in real-time.
Spoof JA3/TLS fingerprints and rotate proxies to bypass WAFs and avoid detection during scans.
Stop guessing how to fix vulnerabilities. ssf injects your scan results and a specialized security knowledge base into your preferred LLM to generate actionable insights. Supports Gemini, OpenAI, Anthropic, DeepSeek, and local Ollama models.
Executive Summary:
The scan detected a critical misconfiguration in the profiles table. RLS is enabled, but the policy allows `anon` users to update any row.
Recommended Fix (SQL):
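The SQL below is an added illustration of the finding described in that summary, not ssf's generated fix (which is not reproduced on this page). It assumes a `public.profiles` table whose `id` column holds the owning user's `auth.users.id`, and a `display_name` column used only in the verification step; both column names are assumptions.

```sql
-- Added example, not ssf output. Assumes public.profiles(id uuid, display_name text)
-- where id matches auth.users.id.

-- Weak: RLS is enabled, but the UPDATE policy has no row restriction, so a request
-- carrying only the anon key can rewrite every profile. This is the misconfiguration
-- the summary above describes.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
CREATE POLICY "profiles_update_any" ON public.profiles
  FOR UPDATE TO anon, authenticated
  USING (true)
  WITH CHECK (true);

-- Hardened: remove the permissive policy, grant no UPDATE path to anon at all, and let
-- a signed-in user update only the row whose id equals the JWT subject (auth.uid()).
-- WITH CHECK also blocks changing id to another user's value on the way in.
DROP POLICY IF EXISTS "profiles_update_any" ON public.profiles;
CREATE POLICY "profiles_update_own" ON public.profiles
  FOR UPDATE TO authenticated
  USING ((SELECT auth.uid()) = id)
  WITH CHECK ((SELECT auth.uid()) = id);

-- Public read stays an explicit, separate decision rather than a side effect of
-- the update policy; narrow the column list via a view if the table holds PII.
CREATE POLICY "profiles_select_public" ON public.profiles
  FOR SELECT TO anon, authenticated
  USING (true);

-- Verification in a test session: after the fix, the anon role matches no UPDATE
-- policy, so the statement reports "UPDATE 0" instead of touching every row.
SET ROLE anon;
UPDATE public.profiles SET display_name = 'changed-by-anon';
RESET ROLE;
```

Running the same `UPDATE` as `anon` before and after the policy change is the manual equivalent of the anon-key write test ssf performs per table.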