Built for Next.js + Supabase

Catch the security mistake before it reaches main.

GuardLayer scans every push for the security holes that actually get startups hacked — exposed keys, missing RLS, unprotected Server Actions — and hands you the exact fix. Not another wall of warnings. The patch.

No credit card. No config. Free forever for one repo, then $19/mo.

guardlayer · scan #a1b2c3
Merge blocked · 31/100 · F

  • Service role key exposed to the client (.env.local:2)
    Fix: Drop NEXT_PUBLIC_ — read it server-side only, then rotate.
  • Row Level Security disabled (migrations/001.sql:14)
    Fix: ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
  • Server Action without an auth check (app/actions.ts:8)
    Fix: Verify the user before the mutation.
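The third finding in the sample report, written out as an added example (not GuardLayer's, Next.js's or Supabase's code): an unguarded Server Action beside the guarded version that "verifies the user before the mutation". It assumes a hypothetical, synchronous, injectable `getUser` in place of the async Supabase server client, and a constructed in-memory `profiles` table, so the file runs offline.

```typescript
// Added example (not GuardLayer's, Next.js's or Supabase's code): the
// "Server Action without an auth check" finding as an unguarded action beside
// a guarded one. `getUser` is a hypothetical, synchronous, injectable session
// lookup standing in for the async Supabase server client; `profiles` is a
// constructed in-memory table.

export type User = { id: string };
export type Profile = { id: string; displayName: string };

export const profiles: Record<string, Profile> = {
  "user-1": { id: "user-1", displayName: "Ada" },
  "user-2": { id: "user-2", displayName: "Grace" },
};

// BEFORE: identity is taken from the caller's arguments. A Server Action is
// reachable as a POST endpoint, so any client can pass any userId and rename
// someone else's profile.
export function renameProfileUnguarded(userId: string, name: string): Profile {
  const row = profiles[userId];
  if (!row) throw new Error("no such profile");
  row.displayName = name;
  return row;
}

// The check the report asks for: resolve the session first and stop before
// any mutation when there is none.
export function requireUser(getUser: () => User | null): User {
  const user = getUser();
  if (user === null) throw new Error("sign in required");
  return user;
}

// AFTER: identity comes from the session, the input is validated, and the
// only row that can be written is the caller's own.
export function renameProfile(getUser: () => User | null, name: string): Profile {
  const user = requireUser(getUser);
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 40) {
    throw new RangeError("display name must be 1 to 40 characters");
  }
  const row = profiles[user.id];
  if (!row) throw new Error("no such profile");
  row.displayName = trimmed;
  return row;
}

// Constructed sessions for a quick stand-alone run.
const anonymous = (): User | null => null;
const signedInAsUser2 = (): User | null => ({ id: "user-2" });

try {
  renameProfile(anonymous, "Mallory");
} catch (e) {
  console.log("anonymous call rejected:", (e as Error).message);
}
console.log("signed-in call:", renameProfile(signedInAsUser2, "Grace H."));
```

The point of the guarded version is that the user id never arrives as an argument: it is derived from the session after the check, so a caller cannot choose whose row to write. In a real Next.js app the same structure holds, only `getUser` becomes the awaited Supabase server client call.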

90% of hacked startups fall to basic mistakes — not zero-days.

2 min to set up. No security dashboard to babysit.

Every push scanned automatically. You stop thinking about it.

Most breaches are boring.

Not sophisticated zero-days — a service role key in a public repo, an RLS policy nobody turned on, a Server Action anyone can call. Mistakes a developer could have fixed in an hour, if anyone had the time to look. Enterprise tools like Snyk cost $100+/mo and take a day to configure. GuardLayer takes two minutes and then runs itself.

How it works

It lives in your pipeline, not your to-do list.

STEP 1

You push to GitHub

Nothing changes in your workflow. Or upload files right here.

STEP 2

GuardLayer scans the diff

Against your whole codebase, in seconds, automatically.

STEP 3

You get the exact fix

Not just “RLS missing” — the precise SQL to run.

STEP 4

Critical issues block merge

You can’t deploy a leaked service role key by accident.

What it catches

A tight rule set, tuned for precision.

A hundred false positives is worse than no tool at all. GuardLayer flags what matters and stays quiet otherwise.

Supabase

  • RLS disabled on sensitive tables
  • Service role key exposed client-side
  • Public storage buckets
  • Policies missing auth.uid()
  • Edge functions without auth

Next.js

  • Server Actions without an auth check
  • Secrets leaked via NEXT_PUBLIC_
  • API routes without input validation
  • Middleware that misses protected routes
  • Wildcard CORS with credentials

General

  • Hardcoded API keys & private keys
  • Dependencies with known CVEs
  • String-built SQL (injection)
  • eval() on dynamic input
  • Unsanitised dangerouslySetInnerHTML
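An added example (not GuardLayer's rule set) of the kind of check behind "Service role key exposed client-side" and "Secrets leaked via NEXT_PUBLIC_", run over a constructed `.env.local`. It relies on two facts: Next.js inlines any variable prefixed `NEXT_PUBLIC_` into the browser bundle, and a Supabase service role key is a JWT whose payload carries `"role": "service_role"` (the anon key carries `"role": "anon"`). The dotenv parsing is simplified, `fakeJwt` builds unsigned placeholder tokens so no real credential appears, and the PEM marker check is a small extension beyond the page's own list of checks.

```typescript
// Added example (not GuardLayer's rules): flag NEXT_PUBLIC_ variables in a
// dotenv file that hold a Supabase service-role JWT or PEM private-key text.
// A NEXT_PUBLIC_ variable is shipped to the browser by Next.js; a Supabase
// service role key is a JWT with "role": "service_role" in its payload.

export type Finding = { line: number; variable: string; message: string; fix: string };

// base64url helpers; atob/btoa are globals in browsers and Node 16+.
function base64UrlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}
function base64UrlEncode(s: string): string {
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the `role` claim of a JWT-shaped value, or null. The signature is
// deliberately not verified: we only classify the key, we never trust it.
export function decodeJwtRole(value: string): string | null {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// Simplified dotenv parser: KEY=value, optional quotes, optional `export`,
// comments and blank lines skipped.
export function scanEnv(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const variable = line.slice(0, eq).trim().replace(/^export\s+/, "");
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, "$2");
    if (!variable.startsWith("NEXT_PUBLIC_")) return; // server-only: fine
    if (decodeJwtRole(value) === "service_role") {
      findings.push({
        line: i + 1, variable,
        message: "Service role key exposed to the client",
        fix: "Remove the NEXT_PUBLIC_ prefix so the value is read server-side only, then rotate the key.",
      });
    } else if (value.includes("PRIVATE KEY-----")) {
      findings.push({
        line: i + 1, variable,
        message: "Private key exposed to the client",
        fix: "Keep private keys out of NEXT_PUBLIC_ variables and rotate the key.",
      });
    }
  });
  return findings;
}

// Constructed placeholder token: unsigned, not a real credential.
export function fakeJwt(role: string): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ iss: "supabase", role }));
  return `${header}.${payload}.not-a-real-signature`;
}

// Constructed sample .env.local; lines 4 and 6 are the mistakes.
export const SAMPLE_ENV = [
  "# constructed sample .env.local (all keys are fakes built above)",
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt("anon")}`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY="${fakeJwt("service_role")}"`,
  `SUPABASE_SERVICE_ROLE_KEY=${fakeJwt("service_role")}`,
  `NEXT_PUBLIC_SIGNING_KEY="-----BEGIN PRIVATE KEY-----"`,
].join("\n");

export function formatReport(file: string, text: string): string {
  const findings = scanEnv(text);
  if (findings.length === 0) return `${file}: no findings`;
  return findings
    .map((f) => `${f.message}\n${file}:${f.line} (${f.variable})\n${f.fix}`)
    .join("\n\n");
}

console.log(formatReport(".env.local", SAMPLE_ENV));
```

Note what stays quiet: the anon key is public by design and the unprefixed `SUPABASE_SERVICE_ROLE_KEY` on line 5 never leaves the server, so neither is reported. Classifying by the JWT's `role` claim rather than by variable name is what keeps the check precise when a secret is stored under an innocuous name.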

From founder interviews

Built for people who’ve already been burned.

Exactly the thing I didn’t know I needed. We had an RLS miss in production last quarter that cost us a week. $20–30 is nothing — cheaper than an hour of my time.
Erik, Founder, 31

Finally something that doesn’t assume you have a dedicated secops person. We’re three people and none of us is a security expert. Two minutes and it runs itself — no-brainer.
Jonas, Founder, 44

A service role key that ended up in a public repo cost us two days. $20–30 a month is nothing if it prevents a single breach. It fixes the problem, not just identifies it.
Markus, Founder, 38

Pricing

Priced for founders, not enterprises.

Per project, not per seat — your whole team for one flat price, while enterprise tools start at $100–300/mo. Annual billing gets you two months free.

Free

$0, forever

Secure your first project — no card required.

  • Public demo scanner (no signup)
  • 1 connected repo
  • All 20 Next.js + Supabase checks
  • Concrete fixes + PDF report

Solo (most popular)

$19/mo

or $182/yr

One indie, one product, shipping fast.

  • 3 repositories
  • Scan on every push
  • PR comments + merge gate
  • AI-written fixes
  • Scan history & trends

Studio

$49/mo

or $470/yr

Your whole team — one flat price.

  • Unlimited repos
  • Unlimited members (flat, not per-seat)
  • Team dashboard + risk score
  • Slack alerts on criticals
  • Configurable merge-gate policy

Scale

$149/mo

or $1,430/yr

Funded teams that need governance.

  • Everything in Studio
  • SSO / SAML + audit log
  • SOC 2 evidence export
  • Unlimited AI fixes
  • 1-business-day support SLA

Transparent pricing all the way up — no “contact sales.” Founder lifetime deal for early waitlist members.

Early access

Accounts & PR scanning are coming.

The demo scanner is live and free to use right now. Drop your email and we'll let you know when Pro — push-triggered scans, the merge gate, and AI-written fixes — opens up.

Or try the free scanner now — no signup needed.

Straight answers

The questions every founder asks.

Won’t I drown in false positives?

That’s the whole design constraint. GuardLayer runs a deliberately tight rule set and is tuned to stay quiet on safe, idiomatic code — public anon keys, parameterised SQL, properly-guarded actions. Precision beats coverage.

Isn’t Next.js + Supabase too niche?

That’s the moat. A generic scanner can’t match the precision of a tool built for one stack. Being the best for Next.js + Supabase matters more than being okay for everyone.

Does setup really take two minutes?

Yes — upload files here, or connect a repo. No config files, no security dashboard to learn. Try the live demo above and see a real report in seconds.

What happens when Supabase or Vercel build this in?

They secure their platform. Application-level security — your RLS policies, your Server Actions, your keys — is still your responsibility. Supabase protects Supabase. We protect your app.

Don’t fix security “later.”

Later is the day after the breach. Scan your repo now — it takes two minutes and the first one’s free.