Supabase Splinter Linter: Complete Guide

How to set up and use the Supabase splinter linter for PostgreSQL schema security and performance auditing.

Explore more rules and knowledge

BeforeMerge offers hundreds of code review rules, guides, and detection patterns to help your team ship better code.

Supabase Splinter Linter

Splinter is Supabase's built-in PostgreSQL schema linter. It runs as a set of SQL queries against system catalogs and checks for 24 common issues.

Quick Start

Via Supabase Dashboard

Go to Database → Linter in your Supabase Dashboard. Results appear automatically.

Via SQL

# Download splinter.sql
curl -sL https://raw.githubusercontent.com/supabase/splinter/main/splinter.sql -o splinter.sql
 
# Run against your database
psql $DATABASE_URL -f splinter.sql

In CI/CD

- name: Run Splinter
  run: psql $DATABASE_URL -f packages/db/supabase/lints/splinter.sql

Lint Categories

Security (ERROR level)

Lint	Description
`auth_users_exposed`	auth.users accessible from API
`rls_disabled_in_public`	Public tables without RLS
`policy_exists_rls_disabled`	Policies defined but RLS off
`rls_references_user_metadata`	RLS using untrusted metadata
`security_definer_view`	Views that bypass RLS
`insecure_queue_exposed_in_api`	pgmq queues in API schema
`fkey_to_auth_unique`	FK to auth without unique constraint
`sensitive_columns_exposed`	Sensitive data in API

Performance (WARN/INFO level)

Lint	Description
`unindexed_foreign_keys`	FK columns missing indexes
`no_primary_key`	Tables without primary keys
`unused_index`	Indexes never used
`duplicate_index`	Redundant indexes
`table_bloat`	Bloated tables needing VACUUM
`auth_rls_initplan`	Suboptimal RLS auth patterns

Security (WARN level)

Lint	Description
`multiple_permissive_policies`	Potential policy gaps
`function_search_path_mutable`	Functions with mutable search_path
`extension_in_public`	Extensions in public schema
`materialized_view_in_api`	MVs exposed in API
`extension_versions_outdated`	Outdated extensions
`rls_policy_always_true`	RLS policies that always pass

Filtering Results

-- Only ERROR-level issues
SELECT * FROM (<splinter query>) lints WHERE level = 'ERROR';
 
-- Only security issues
SELECT * FROM (<splinter query>) lints WHERE 'SECURITY' = ANY(categories);

Integration with CI

See the packages/db/scripts/lint-all.sh script for automated lint pipeline.