sql-check is a powerful static analysis tool designed to detect potential slow queries, SQL anti-patterns, and performance risks directly in your source code. It treats your codebase like a database log, auditing SQL statements before they even reach production.
- Multi-Language Support: Automatically extracts SQL from Go, Python, C++, and generic file types.
- Schema Awareness: Loads your database schema (
.sqlDDL) to provide context-aware auditing (e.g., index usage checks). - Advanced Extraction: Intelligent regex-based extractor handles SQL inside double quotes, single quotes, and backticks.
- Deep Auditing:
- ❌ Fatal Risks: Unsafe
UPDATE/DELETEwithoutWHERE. ⚠️ Performance Warnings: Index misses (leftmost prefix), implicit type conversions, deep pagination, negative queries (!=,NOT IN), and leading wildcards inLIKE.- 💡 Best Practices: Detects
SELECT *usage.
- ❌ Fatal Risks: Unsafe
- Rich Reporting: Outputs beautiful console logs or detailed HTML reports.
Prerequisites: Go 1.20+
# Clone the repository
git clone https://github.com/yourusername/sql-check.git
cd sql-check
# Build the binary
go build -o sql-check cmd/sql-check/main.goScan the current directory for SQL issues:
./sql-check --src .Provide a schema file to enable powerful index checking rule:
./sql-check --src ./backend --schema ./db/schema.sqlExport the results to a shareable HTML file:
./sql-check --src . --schema schema.sql --report html --out audit-report.htmlExclude test files or specific folders:
./sql-check --src . --exclude "*_test.go" --exclude "migrations"The tool operates in pipeline phases:
- Scanner: Concurrent file system walker (Producer-Consumer model).
- Extractor: regex-based engine identifies SQL strings in code.
- Parser: Uses
tidb/parserto convert SQL text into Abstract Syntax Trees (AST). - Auditor: Runs a suite of rules against the AST and loaded Schema.
- IndexMissRule: Checks if
WHEREcolumns hit any table index. - ImplicitConversionRule: Checks simple type mismatches (e.g., String col vs Int value).
- IndexMissRule: Checks if
- Reporter: Formats the findings.
| Rule Name | Level | Description |
|---|---|---|
NO_WHERE_CLAUSE |
FATAL | UPDATE or DELETE with no condition (Full Table Write). |
INDEX_MISS |
WARN | Query condition does not hit any index prefix. |
IMPLICIT_CONVERSION |
WARN | Comparison between different types (triggers full scan). |
DEEP_PAGINATION |
WARN | LIMIT offset, count where offset > 5000. |
LEADING_WILDCARD |
WARN | LIKE '%abc' prevents index usage. |
NEGATIVE_QUERY |
WARN | Usage of != or NOT IN. |
SELECT_STAR |
SUGGESTION | Usage of SELECT *. |
Contributions are welcome! Please submit a Pull Request or open an Issue.
MIT License