pgrls in the wild
Row-Level Security bugs are easy to write and hard to see — an unwrapped per-row auth.uid(), a missing WITH CHECK, an anonymously-readable table, a cross-tenant leak. pgrls surfaces them and pgrls fix writes the migration.
Below are real fixes it produced for open-source Postgres / Supabase projects.
Merged upstream
Accepted by the maintainers.
| Project | ★ | What pgrls surfaced | Links |
|---|---|---|---|
| MODSetter/SurfSense | 15,226★ | Scope index endpoint authorization | #1503 |
| miurla/morphic | 8,969★ | Wrap current_setting() for per-statement eval | #902 |
| ruvnet/RuVector | 4,351★ | Wrap current_setting() in the tenancy RLS codegen (Rust) | #639 |
| JasperFx/marten | 3,429★ | Wrap current_setting() in the generated tenant policy (.NET) | #4805 |
| gridaco/grida | 2,557★ | Wrap auth.uid(), enable FORCE RLS | issue · #874 |
| crbnos/carbon | 2,255★ | Per-statement auth wrap (USING + WITH CHECK) | issue · #965 |
| moyangzhan/langchain4j-aideepin | 1,326★ | Fix cross-user knowledge-base read | issue · #105 |
| elymsyr/dungeon-master-tool | 107★ | Wrap auth calls across 56 policies | #74 |
| usetrmnl/byos_next | 89★ | Wrap the per-row session lookup | issue · #82 |
| kdpisda/django-rls | 89★ | RLS-hardening polish items | issue · #54 |
| OpenStudy-dev/OpenStudy | 69★ | Wrap RLS policy functions | issue · #3 |
| tutur3u/platform | 52★ | Wrap auth calls (incl. correlated EXISTS) | #4907 |
In review
Open pull requests.
| Project | ★ | What pgrls surfaced | Links |
|---|---|---|---|
| onlook-dev/onlook | 26,180★ | Wrap auth calls in RLS policies | #3121 |
| Helicone/helicone | 5,941★ | Wrap auth calls for per-statement eval | #5705 |
| archtechx/tenancy | 4,371★ | Wrap current_setting() in the RLS PolicyManager codegen (Laravel) | #1468 |
| butterbase-ai/butterbase | 2,620★ | Wrap current_setting('app.role') in the service-role policies | #88 |
| scosman/CMSaasStarter | 2,345★ | Wrap auth.uid() | issue · #213 |
| saltcorn/saltcorn | 2,029★ | Wrap current_setting() in the generated RLS policy codegen (Node/TS) | #4286 |
| lucasastorian/llmwiki | 1,348★ | Wrap auth.uid() | issue · #64 |
| firecrawl/open-scouts | 1,327★ | Wrap auth.uid() | issue · #13 |
| KolbySisk/next-supabase-stripe-starter | 798★ | Wrap auth.uid() | #31 |
| dadbodgeoff/drift | 782★ | Wrap current_setting() tenant policies (86) | #100 |
| Kanba-co/kanba | 632★ | Wrap auth calls (USING + WITH CHECK) | #32 |
| supabase-community/chatgpt-your-files | 514★ | Wrap auth.uid() | #53 |
| 10xapp/core-oss | 437★ | Wrap auth.uid() for per-statement eval | issue · #51 |
| DannyMac180/meta-agent | 416★ | Wrap current_setting() in RLS policies | #222 |
| antoineross/Hikari | 386★ | Harden RLS: wrap + index filters | issue · #7 |
| supabase-community/svelte-kanban | 316★ | Harden RLS: wrap, index, FORCE | issue · #26 |
| nolly-studio/ai-chatbot-supabase | 290★ | Wrap auth calls (24 policies) | #4 |
| AlexanderCollins/TurboDRF | 159★ | Wrap current_setting() in the RLS predicate codegen (Django) | #49 |
| kizivat/saas-kit | 126★ | Wrap auth.uid() | #7 |
| GeronimoDiClemente/raven-nest | 30★ | Wrap auth calls (39 policies) | #12 |
| getpact/pact | 20★ | Wrap current_setting() | issue · #7 |
| isaacsight/kernel | 15★ | Wrap 131 policy auth calls | #54 |
| arcadia-eternity/arcadia-eternity | 9★ | Wrap RLS policy functions | issue · #196 |
Ecosystem
| Project | ★ | What pgrls surfaced | Links |
|---|---|---|---|
| drizzle-team/drizzle-orm | 35,132★ | Add .forceRLS() to the pgTable builder | issue · #5843 |
| analysis-tools-dev/static-analysis | 14,670★ | List pgrls | #1829 |
| dhamaniasad/awesome-postgres | 11,989★ | List pgrls | #514 |
| supabase/splinter | 252★ | Propose a lint for inverted-auth read policies | issue · #169 |
Have an RLS issue pgrls could help with? pip install pgrls && pgrls lint, or open an issue.