4 min read · GuardLayer

Free security scanning for a Next.js + Supabase repo (no card)

Security · Next.js · Supabase · Free Tier

You can get continuous, automated security scanning for one Next.js + Supabase repo completely free — every push checked against 20 stack-specific rules, results posted as a pull-request comment and a merge-gate check, with no credit card and no trial that expires. There's also a one-off scanner you can run on any code right now without an account. Here's exactly what's free, where free stops, and how to turn it on.

Most "free" security tools are a 14-day countdown or a crippled demo that flags three issues and hides the rest behind a paywall. GuardLayer's free tier is different in a specific way: it's the full engine, on one repo, indefinitely. You pay when you want to watch more repos — not to unlock the part that actually protects you.

What do you actually get for free?

Two separate things, and you can use either without paying:

A one-off scanner, no signup. Drop a folder, upload a few files, or paste a snippet at the scanner and you get a full report — every finding, the offending line, and the exact fix — in a few seconds. No account, no card, nothing to install. Your code is scanned in memory and never stored.

Continuous scanning on one repo. Connect GitHub, pick one repository, and GuardLayer scans every push automatically. You get a comment on the pull request and a Check Run that can block the merge when something critical lands. It runs all 20 Next.js + Supabase checks — the same engine that's on every tier, not a trimmed-down free version.

The free tier isn't a trial. There's no countdown and no card on file: one repo, free, indefinitely.

Is a free scanner actually useful, or just a teaser?

The honest test of a free tier is whether it catches the bugs that matter. GuardLayer's does, because the free plan runs the same rules as the paid ones — the limit is how many repos you watch, not how deeply it looks.

The two bugs most likely to end a Next.js + Supabase project are a service_role key that reaches the browser and Row Level Security left disabled. The service_role key bypasses every RLS policy, and Next.js inlines any environment variable prefixed NEXT_PUBLIC_ into the client bundle at build time, so one misnamed variable hands the key to every visitor; because every deployed build already contains it, the fix is to rotate the key, not just rename the variable. A table with RLS disabled is reachable through Supabase's auto-generated REST API with the anon key, which is public by design, so it is effectively a public API. Both are caught on the free tier, on every push. Here's the real engine flagging the first one, live on this page:

guardlayer scan · lib/supabaseAdmin.ts (live engine output)
Merge blocked · 25/100 · F
  • Critical · lib/supabaseAdmin.ts:7 · Service role key exposed to the client
    Never prefix the service role key with NEXT_PUBLIC_. Read it only in server code via process.env.SUPABASE_SERVICE_ROLE_KEY, and rotate the key immediately since it has been exposed.
  • Critical · lib/supabaseAdmin.ts:7 · Service role key used in client-side code
    Move all service-role usage into a server context (Route Handler, Server Action, or server-only module). On the client use only the anon key, protected by RLS.
  • Critical · lib/supabaseAdmin.ts:7 · Secret exposed through NEXT_PUBLIC_
    Drop the NEXT_PUBLIC_ prefix and read the value only on the server. Publishable/anon keys are fine to expose; secret keys, tokens, and passwords are not; rotate any that have shipped.

That's not a screenshot or a mock-up: it's the actual GuardLayer engine running on a sample lib/supabaseAdmin.ts that reads the service role key through a NEXT_PUBLIC_ variable, the same output you'd get on a pull request. The free scanner produces exactly this.
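To make the two checks concrete, here is a small TypeScript scanner that implements them over a constructed sample repo. It is an added example written for this article, not GuardLayer's engine (whose 20 rules are not published on this page), and everything in it is an assumption about a typical project: the file paths, the env var names NEXT_PUBLIC_SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY, the 'server-only' import, and the regexes themselves, which approximate the three findings above plus the RLS check with plain pattern matching rather than an AST.

```typescript
// Added example for this article, not GuardLayer's engine: a minimal scanner for
// the two checks discussed above (service_role key reaching the client; RLS left
// off). Everything in sampleRepo is constructed, not code from a real project.

export interface Finding { file: string; line: number; title: string; fix: string }

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle at build
// time, so a secret-looking name under that prefix leaks wherever it is read.
const PUBLIC_SECRET = /NEXT_PUBLIC_[A-Z0-9_]*(SERVICE_ROLE|SECRET|PRIVATE|PASSWORD|TOKEN)[A-Z0-9_]*/g;

function eachMatch(re: RegExp, src: string, fn: (m: RegExpExecArray) => void): void {
  re.lastIndex = 0; // re must carry the g flag; none of ours can match empty
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) fn(m);
}

const lineOf = (src: string, index: number): number => src.slice(0, index).split("\n").length;

// A module is client-side when its first statement is the 'use client' directive.
const isClientModule = (src: string): boolean => /^\s*(['"])use client\1/.test(src);

export function scanTsFile(file: string, src: string): Finding[] {
  const out: Finding[] = [];
  eachMatch(PUBLIC_SECRET, src, (m) => out.push({
    file, line: lineOf(src, m.index),
    title: m[1] === "SERVICE_ROLE" ? "Service role key exposed to the client" : "Secret exposed through NEXT_PUBLIC_",
    fix: `Drop the NEXT_PUBLIC_ prefix from ${m[0]}, read it only on the server, and rotate the value.`,
  }));
  const use = isClientModule(src) ? /SERVICE_ROLE/i.exec(src) : null; // /i also matches service_role
  if (use) out.push({
    file, line: lineOf(src, use.index),
    title: "Service role key used in client-side code",
    fix: "Move service-role usage into a Route Handler, Server Action or server-only module; the client gets only the anon key, protected by RLS.",
  });
  return out;
}

// RLS state is resolved across all migrations: a table is often created in one
// file and enabled (or disabled again) in a later one.
export function scanSql(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  const enabled: Record<string, true> = {};
  const enableRe = /alter\s+table\s+(?:if\s+exists\s+)?([\w.]+)\s+enable\s+row\s+level\s+security/gi;
  const disableRe = /alter\s+table\s+(?:if\s+exists\s+)?([\w.]+)\s+disable\s+row\s+level\s+security/gi;
  const createRe = /create\s+table\s+(?:if\s+not\s+exists\s+)?([\w.]+)/gi;
  const sql = Object.keys(files).filter((f) => /\.sql$/i.test(f));
  for (const f of sql) eachMatch(enableRe, files[f], (m) => { enabled[m[1].toLowerCase()] = true; });
  for (const f of sql) {
    eachMatch(createRe, files[f], (m) => {
      const table = m[1].toLowerCase();
      if (!enabled[table]) out.push({
        file: f, line: lineOf(files[f], m.index), title: `Row Level Security not enabled on ${table}`,
        fix: `Add "alter table ${table} enable row level security;" and policies; until then the anon key reads every row.`,
      });
    });
    eachMatch(disableRe, files[f], (m) => out.push({
      file: f, line: lineOf(files[f], m.index), title: `Row Level Security disabled on ${m[1].toLowerCase()}`,
      fix: "Remove the DISABLE statement; with RLS off the table is a public API.",
    }));
  }
  return out;
}

export function scanRepo(files: Record<string, string>): Finding[] {
  const ts = Object.keys(files).filter((f) => /\.(ts|tsx|js|jsx)$/.test(f));
  return ts.reduce<Finding[]>((acc, f) => acc.concat(scanTsFile(f, files[f])), []).concat(scanSql(files));
}

// Constructed sample repo: one leaking module, one correct server-only module, one
// client component misusing the key, and migrations that leave RLS off / turn it off.
export const sampleRepo: Record<string, string> = {
  "lib/supabaseAdmin.ts": [
    "import { createClient } from '@supabase/supabase-js';",
    "export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!,",
    "  process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY!); // BAD: shipped to the browser",
  ].join("\n"),
  "lib/supabaseServer.ts": [
    "import 'server-only'; // build fails if a client module imports this file",
    "import { createClient } from '@supabase/supabase-js';",
    "export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);",
  ].join("\n"),
  "app/account/page.tsx": [
    "'use client';",
    "import { createClient } from '@supabase/supabase-js';",
    "const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);",
    "export default function Page() { return null; }",
  ].join("\n"),
  "supabase/migrations/0001_init.sql": [
    "create table public.profiles (id uuid primary key, email text not null);",
    "create table public.posts (id uuid primary key, owner uuid references public.profiles (id));",
    "alter table public.posts enable row level security;",
  ].join("\n"),
  "supabase/migrations/0002_hotfix.sql": "alter table public.posts disable row level security;",
};

const report = scanRepo(sampleRepo);
for (const f of report) console.log(`${f.file}:${f.line}  ${f.title}\n    ${f.fix}`);
console.log(report.length ? "Merge blocked" : "Merge allowed");
```

Run it with `npx tsx scan.ts` (or any TypeScript runner). On the sample repo it reports four findings and blocks the merge: the NEXT_PUBLIC_ service-role variable, the service-role client inside a 'use client' component, `public.profiles` created without RLS, and a later migration switching RLS off again on `public.posts`; the server-only module produces nothing. Two caveats a practitioner should know: this regex approach also flags a comment or string that merely mentions a NEXT_PUBLIC_*_SECRET name, and it cannot follow imports, so a client component that imports a server module is caught at build time by the 'server-only' package rather than by this scanner. Note also that reading process.env.SUPABASE_SERVICE_ROLE_KEY in a client component yields undefined in the browser, because Next.js only inlines NEXT_PUBLIC_ names; the finding matters because the usual "fix" for that undefined is to add the prefix, which is exactly the leak.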

Where does free stop?

The paywall is about repo count, not capability. Every plan gets the full engine — push scanning, PR comments, the merge gate, all 20 checks, and the concrete fix:

  • Free — 1 repo. Full automation on one repository, no card.
  • Solo — $19/month, 5 repos. For when one side project becomes a few.
  • Studio — $49/month, unlimited repos, plus team access and an audit log.

You upgrade to watch more repos or bring your team in, never to make the scanner work properly. Pricing is by repo count, not per developer, which (if you run several small apps) usually beats any per-seat tool; the buyer's guide for solo devs walks through the math.

How do I scan my Supabase app for free right now?

Two paths, depending on whether you want a one-time check or ongoing coverage:

  1. Instant, no account: go to the scanner, drop in the files you're about to push — or your lib/, app/api/, and migrations — and read the report. Best for a quick "where do I stand right now."
  2. Continuous, on one repo: sign in, connect GitHub, and turn on a single repository. From then on every push is scanned and every risky PR gets a comment before it merges. Best for "I don't want to remember to check."

Either way you see the same findings GuardLayer posts on a pull request. Worst case, you confirm you're clean. Best case, you catch a service_role leak before a bot does.

FAQ

Is GuardLayer free? Yes. There's a one-off scanner that needs no account, and a free plan that continuously scans one connected repository on every push — with no credit card and no expiry.

Does the free plan expire or need a card? No. It's free for one repo with no card on file and no trial countdown. You only enter payment details if you choose to upgrade.

What's included in the free plan? The full engine: scanning on every push, a pull-request comment, a merge-gate Check Run, all 20 Next.js + Supabase checks, the exact fix for each finding, and a downloadable PDF report. The paid plans add more repos (and, on Studio, team access plus an audit log) — not extra detection.

How many repos can I scan for free? One repository continuously. Solo ($19/month) raises that to five, and Studio ($49/month) is unlimited. The one-off scanner has no repo concept — you can scan any code, any number of times, without an account.

Do I need to sign up to try it? No. The one-off scanner runs without an account. You only sign in when you want continuous scanning tied to a GitHub repo.

Catch this before it ships — free

GuardLayer scans every push for this and 19 other Next.js + Supabase issues, with the exact fix inline.

No signup, no card — your code is scanned in memory and never stored.
