Skip to content

makroumi/slowql

BranchesTags

Repository files navigation

SlowQL

SlowQL is a production-focused offline SQL static analyzer that catches security vulnerabilities, performance regressions, reliability issues, compliance risks, cost inefficiencies, and code quality problems before they reach production.

It performs safe static analysis of your SQL source code with no database connection required. SlowQL ships with 272 built-in rules covering 14 SQL dialects, and is built for modern engineering teams supporting CI/CD pipelines, pre-commit hooks, GitHub Actions, SARIF output, LSP, and automated fixes.

Release PyPI Python Docker GHCR VS Code

Docker Pulls PyPI Downloads

CI Coverage Ruff Mypy License

Stars Issues Discussions Contributors Sponsor Known Vulnerabilities

SlowQL CLI demo

Why SlowQL

Offline-First Analysis. Catch bugs without ever connecting to a live database. SlowQL works entirely on SQL source files, making it safe to run anywhere.

272 Built-in Rules. Covers security, performance, reliability, compliance, cost, and quality. Each rule includes impact documentation, fix guidance, and severity classification.

14 SQL Dialects. Dialect-aware analysis for PostgreSQL, MySQL, SQL Server (T-SQL), Oracle, SQLite, Snowflake, BigQuery, Redshift, ClickHouse, DuckDB, Presto, Trino, Spark, and Databricks. Universal rules fire on all dialects; dialect-specific rules only fire when relevant.

Schema-Aware Validation. Optionally validate against your DDL files to catch missing tables, columns, and suggest indexes.

Safe Autofix. Conservative, exact-text-replacement fixes with FixConfidence.SAFE. No guessing, no heuristic rewrites. Preview with --diff, apply with --fix.

CI/CD Native. GitHub Actions, SARIF, pre-commit hooks, JSON/HTML/CSV exports. Exit codes based on severity thresholds.

Editor Integration. VS Code extension via slowql-vscode and foundational LSP server for other editors.

Installation

pipx (recommended)

pipx install slowql

pip

pip install slowql

Docker

docker run --rm -v $(pwd):/src makroumi/slowql /src/queries.sql

Requirements: Python 3.11+, Linux / macOS / Windows.

Quick Start

Analyze a SQL file:

slowql queries.sql

Analyze with schema validation:

slowql queries.sql --schema schema.sql

Run in CI mode with failure thresholds:

slowql --non-interactive --input-file sql/ --fail-on high --format github-actions

Preview and apply safe fixes:

slowql queries.sql --diff
slowql queries.sql --fix --fix-report fix-report.json

Schema-Aware Validation

SlowQL performs optional schema-aware validation by inspecting your DDL files. This catches structural issues that generic static analysis misses.

Tables and Columns. Detect references to non-existent tables or columns.

Index Suggestions. Identify filtered columns that lack corresponding indexes.

slowql queries.sql --schema database/schema.sql
slowql migrations/ --schema schema.sql --fail-on critical

Schema findings:

Rule Description
SCHEMA-TBL-001 Table referenced but not defined in schema
SCHEMA-COL-001 Column referenced but not present in table definition
SCHEMA-IDX-001 Missing index suggested for filtered column

Rule Coverage

SlowQL ships with 272 rules across six dimensions:

Dimension Focus Rules
Security SQL injection, privilege escalation, credential exposure, SSRF 61
Performance Full scans, indexing, joins, locking, sorting, pagination 56
Reliability Data loss prevention, transactions, race conditions, idempotency 35
Quality Naming, complexity, null handling, modern SQL, style 38
Cost Cloud warehouse optimization, storage, compute, network 33
Compliance GDPR, HIPAA, PCI-DSS, SOX, CCPA 18

Dialect-Specific Rules

107 rules are dialect-aware, firing only on the relevant database engine:

Dialect Specific Rules Examples
PostgreSQL 12 pg_sleep detection, SECURITY DEFINER without search_path, CREATE INDEX without CONCURRENTLY
MySQL 15 LOAD DATA LOCAL INFILE, utf8 vs utf8mb4, ORDER BY RAND(), MyISAM detection
T-SQL (SQL Server) 22 OPENROWSET, sp_OACreate, @@IDENTITY, MERGE without HOLDLOCK, SET NOCOUNT ON
Oracle 10 UTL_HTTP/UTL_FILE, EXECUTE IMMEDIATE injection, CONNECT BY without NOCYCLE
Snowflake 8 COPY INTO credentials, VARIANT in WHERE, CLONE without COPY GRANTS
BigQuery 6 SELECT * cost, DISTINCT on UNNEST, repeated subqueries
SQLite 6 ATTACH DATABASE file access, PRAGMA foreign_keys = OFF, AUTOINCREMENT overhead
Redshift 7 COPY with embedded credentials, COPY without MANIFEST, DISTSTYLE ALL
ClickHouse 7 url() SSRF, mutations, SELECT without FINAL, JOIN without GLOBAL
DuckDB 3 COPY without FORMAT, large IN lists, old-style casts
Presto / Trino 4 Implicit cross-joins, INSERT OVERWRITE without partition, ORDER BY without LIMIT
Spark / Databricks 5 BROADCAST on large table, UDF in WHERE, CACHE TABLE without filter

The remaining 165 rules are universal and fire on all dialects.

Safe Autofix

SlowQL provides conservative, zero-risk autofixes for rules where the replacement is 100% semantically equivalent:

slowql queries.sql --diff
slowql queries.sql --fix
slowql queries.sql --fix --fix-report fixes.json

Autofix principles:

  1. Only exact text replacements. No schema inference, no heuristic rewrites.
  2. Every fix is tagged with FixConfidence.SAFE, meaning the output is functionally identical to the input.
  3. A .bak backup is always created before writing.
  4. Fixes can be previewed as a unified diff before applying.

Examples of safe autofixes:

Rule Before After
QUAL-NULL-001 WHERE x = NULL WHERE x IS NULL
QUAL-STYLE-002 EXISTS (SELECT * FROM t) EXISTS (SELECT 1 FROM t)
QUAL-MYSQL-003 LOCK IN SHARE MODE FOR SHARE
QUAL-TSQL-001 SET ANSI_NULLS OFF SET ANSI_NULLS ON
QUAL-ORA-002 SELECT 1 FROM DUAL SELECT 1

CLI Usage

Primary Flags

--input-file       Path to SQL file or directory
--schema           Path to DDL schema file
--fail-on          Failure threshold: critical, high, medium, low, info, never
--non-interactive  Suppress spinners and interactive prompts

Output Control

--format                        Primary output: console, github-actions, sarif
--export                        Export to disk: json, html, csv, sarif
--out                           Directory for exported reports
--diff                          Preview safe autofix diff
--fix                           Apply safe autofixes (single file, creates .bak)
--fix-report                    Write JSON report of fixes
--list-rules                    List all 272 rules with severity, dimension, and dialect
--list-rules --filter-dimension Filter by dimension (security, performance, etc.)
--list-rules --filter-dialect   Filter by dialect (postgresql, mysql, etc.)
--explain RULE-ID               Show full documentation for a specific rule

Exit Codes

0    No issues found or issues below failure threshold
2    Issues found meet or exceed --fail-on threshold
3    Runtime error or tool failure

Configuration

SlowQL discovers configuration from slowql.toml, .slowql.toml, slowql.yaml, .slowql.yaml, or pyproject.toml (under [tool.slowql]).

severity:
  fail_on: high
  warn_on: medium

analysis:
  dialect: postgresql
  enabled_dimensions:
    - security
    - performance
    - reliability
  disabled_rules:
    - PERF-SCAN-001

schema:
  path: db/schema.sql

output:
  format: console
  verbose: false
  show_fixes: true

cost:
  cloud_provider: none

compliance:
  frameworks:
    - gdpr

CI Integration

GitHub Action (Official)

- uses: makroumi/slowql-action@v1
  with:
    path: "./sql/**/*.sql"
    schema: "db/schema.sql"
    fail-on: high
    format: github-actions

Direct CLI in CI

- name: SlowQL Analysis
  run: |
    pip install slowql
    slowql --non-interactive --input-file sql/ --schema db/schema.sql --fail-on high --format github-actions

Pre-commit

repos:
  - repo: https://github.com/makroumi/slowql
    rev: v1.5.0
    hooks:
      - id: slowql
        args: [--fail-on, high]

VS Code Extension

Install slowql-vscode from the VS Code Marketplace for real-time SQL analysis in your editor. The extension uses the SlowQL LSP server for diagnostics.

Architecture

SlowQL is a modular pipeline:

SQL Files → Parser (sqlglot) → AST → Analyzers → Rules → Issues → Reporters
                                 ↑                          ↓
                           Schema Inspector            AutoFixer
                           (DDL parsing)           (safe text fixes)

Parser. Uses sqlglot for multi-dialect SQL parsing. Handles statement splitting, dialect detection, and AST generation.

Engine. Orchestrates parsing, analyzer execution, schema validation, and result aggregation.

Analyzers. Six domain-specific analyzers (Security, Performance, Reliability, Compliance, Cost, Quality), each loading rules from the catalog.

Rules. 272 detection rules implemented as PatternRule (regex), ASTRule (sqlglot AST traversal), or custom Rule subclasses.

Schema Inspector. Parses DDL files into a schema model. Enables table/column existence checks and index suggestions.

Reporters. Console (rich TUI), GitHub Actions annotations, SARIF 2.1.0, JSON, HTML, CSV.

AutoFixer. Conservative text-based fix engine. Span-based and exact-text replacements only.

Development

git clone https://github.com/makroumi/slowql.git
pip install -e ".[dev]"

pytest
ruff check .
mypy src/slowql

License

Apache License 2.0. See LICENSE.

Issues: github.com/makroumi/slowql/issues

Discussions: github.com/makroumi/slowql/discussions

Back to top

About

SQL static analyzer for performance, security, compliance and cost. 272 rules. Completely offline. Works in CI pipelines.

Topics

mysql python cli security devops performance sql static-analysis postgresql ci-cd query-optimization anti-patterns devsecops database-security sql-analyzer database-optimization developer-tool sql-linter ai-tools observibility

Resources

Readme

License

View license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

83 stars

Watchers

1 watching

Forks

8 forks
Report repository

Releases 4

Release v1.5.0 Latest
Mar 12, 2026
+ 3 releases

Packages

 
 
 

Contributors

Languages