SlowQL

June 30, 2026 ยท View on GitHub

SlowQL

The fastest offline SQL static analyzer. Built in Rust for zero false positives.

Catch SQL injection, performance regressions, missing indexes, unbounded queries, compliance violations, and 282+ more issues before they reach production. No database connection required.

What SlowQL Does

SlowQL scans SQL files and application source code for security vulnerabilities, performance regressions, reliability risks, cost inefficiencies, compliance violations, and code quality problems. It runs offline without connecting to any database.

Key Properties

  • Zero false positives in proven mode. Verified against Django, Rails, Prisma, Hasura, Supabase, ClickHouse, Vitess, Citus, TimescaleDB, and 19 other open-source projects.
  • Three confidence levels. proven (structurally verified, act without review), contextual (accurate with context, verify before acting), advisory (style hints and best practices).
  • Context-aware. Automatically classifies files as application code, migrations, tests, seeds, framework internals, or documentation. Rules are filtered by context to eliminate noise.
  • Fast. Scans 171k queries (ClickHouse) in 14 seconds. Scans typical application repos in under 1 second (Ryzen i7 U4700, 12GB RAM)
  • Offline. No database connection, no network, no telemetry.

Installation

From source (requires Rust toolchain)

git clone https://github.com/slowql/slowql.git
cd slowql
cargo install --path .

Docker

docker run --rm -v $(pwd):/src ghcr.io/slowql/slowql /src

Quick Start

# Scan a directory (default: proven mode, zero false positives)
slowql src/

# Scan a single SQL file
slowql queries.sql

# Scan with schema validation
slowql src/ --schema db/schema.sql

# Show all findings including hints
slowql src/ --min-confidence advisory

# CI mode with failure threshold
slowql src/ --fail-on high --format github-actions

Confidence Modes

SlowQL uses three confidence levels to separate verified defects from style suggestions.

ModeFlagWhat it shows
ProvendefaultOnly structurally verified findings. Zero false positives by design.
Contextual--min-confidence contextualAdds context-dependent findings. Accurate when schema and usage context are available.
Advisory--min-confidence advisoryAdds style hints, dead code detection, and best-practice suggestions.
# Proven mode (default) - safe for CI gates
slowql src/

# Contextual mode - for code review
slowql src/ --min-confidence contextual

# Advisory mode - for comprehensive audit
slowql src/ --min-confidence advisory

What It Catches

DimensionRulesExamples
Security61SQL injection, privilege escalation, credential exposure, SSRF
Performance73Full table scans, missing indexes, unbounded queries, N+1 joins
Reliability44DELETE without WHERE, missing transactions, race conditions
Quality52Null comparison errors, naming issues, dead code, complexity
Cost33Cloud warehouse optimization, partition pruning, storage waste
Compliance18GDPR, HIPAA, PCI-DSS, SOX, CCPA patterns

Supported Languages and Formats

SQL files

Direct analysis of .sql files. Supports 14 SQL dialects.

Application Code

Extracts SQL strings from source code and analyzes them:

  • Python - triple-quoted strings, f-strings, cursor.execute()
  • TypeScript/JavaScript - template literals, db.query(), knex.raw()
  • Java/Kotlin - prepareStatement(), createNativeQuery()
  • Go - db.Query(), db.Exec()
  • Ruby - connection.execute(), heredocs
  • C# - connection.Execute()
  • MyBatis XML - mapper files with dynamic SQL tags

Framework Support

  • Migrations: Alembic, Django, Flyway, Liquibase, Prisma, Knex
  • dbt: ref() resolution, Jinja template stripping
  • ORMs: Detects query builder patterns vs raw SQL

SQL Dialects

Dialect-aware analysis for 14 database engines:

  • PostgreSQL
  • MySQL
  • SQL Server (T-SQL)
  • Oracle
  • SQLite
  • Snowflake
  • BigQuery
  • Redshift
  • ClickHouse
  • DuckDB
  • Presto
  • Trino
  • Spark
  • Databricks

107 rules are dialect-specific. 175 rules are universal.

Context Classification

SlowQL automatically classifies each file by its role in the project:

ContextEffect
applicationFull rule analysis
migrationOnly security and reliability rules
testOnly security and reliability rules
seedOnly security and reliability rules
exampleOnly security and reliability rules
framework_internalOnly security and reliability rules, with deny list
ddl_schemaOnly security, reliability, and compliance rules
dbt_modelFull analysis minus unbounded SELECT
adhocFull analysis minus context-dependent rules

No configuration needed. Context is inferred from file paths and content patterns.

Schema-Aware Validation

Validate queries against your DDL files:

slowql src/ --schema db/schema.sql
RuleDescription
SCHEMA-TBL-001Table referenced but not defined in schema
SCHEMA-COL-001Column referenced but not in table definition

Safe Autofix

Conservative, exact-text-replacement fixes. No heuristic rewrites.

# Preview fixes
slowql queries.sql --diff

# Apply fixes (creates .bak backup)
slowql queries.sql --fix

# Apply and write report
slowql queries.sql --fix --fix-report fixes.json
RuleBeforeAfter
QUAL-NULL-001WHERE x = NULLWHERE x IS NULL
QUAL-STYLE-002EXISTS (SELECT * FROM t)EXISTS (SELECT 1 FROM t)

Inline Suppression

Suppress rules directly in SQL comments:

SELECT * FROM archive;  -- slowql-disable-line PERF-SCAN-001

-- slowql-disable-next-line SEC-INJ-001
SELECT id FROM sessions WHERE id = \$1;

-- slowql-disable PERF-SCAN
SELECT * FROM logs;
-- slowql-enable PERF-SCAN

-- slowql-disable-file

Baseline Mode

Adopt SlowQL on existing codebases without drowning in warnings:

# Create baseline of current issues
slowql src/ --update-baseline .slowql-baseline

# Only report new issues
slowql src/ --baseline .slowql-baseline

Git-Aware Analysis

Only analyze changed files:

slowql . --git-diff
slowql . --since main

Output formats

FormatFlagUse case
ConsoledefaultHuman-readable terminal output
JSON--format jsonCI/CD pipelines, custom tooling
SARIF--format sarifGitHub Code Scanning, IDE integration
GitHub Actions--format github-actionsPR annotations

Export to files:

slowql src/ --export json --export html --export csv --out reports/

Configuration

SlowQL discovers configuration from slowql.yaml, slowql.toml, .slowql.yaml, .slowql.toml, or pyproject.toml (under [tool.slowql]).

analysis:
  dialect: postgresql
  enabled_dimensions:
    - security
    - performance
    - reliability
    - cost
    - quality
  disabled_rules: []
  # min_confidence: proven

severity:
  fail_on: high

compliance:
  frameworks:
    - gdpr

schema:
  path: db/schema.sql

Generate a starter config:

slowql --init

Custom Rules

Define organization-specific rules in YAML:

 rules:
 - id: ORG-001
   name: "Require tenant_id filter"
   severity: high
   dimension: security
   pattern: "SELECT.*FROM\\s+orders\\b(?!.*tenant_id)"
   message: "All queries on orders table must filter by tenant_id"

Load with config:

analysis:
  custom_rules: .slowql-rules.yaml

CI integration

GitHub Actions

- name: SlowQL Analysis
  run: |
    slowql src/ --fail-on high --format github-actions

Pre-commit

repos:
  - repo: https://github.com/slowql/slowql
    rev: v2.0.0
    hooks:
      - id: slowql
        args: [--fail-on, high]

CLI Reference

Usage: slowql [OPTIONS] [FILES]...

Arguments:
  [FILES]...  Input SQL files or directories

Options:
  -d, --dialect <DIALECT>          SQL dialect
  -s, --schema <SCHEMA>            Path to DDL schema file
      --format <FORMAT>            Output format [console, json, sarif, github-actions]
      --export <EXPORT>            Export results to file (json, html, csv, sarif)
      --out <OUT>                  Output directory for exports [default: reports]
      --fail-on <FAIL_ON>          Fail at or above this severity
      --diff                       Preview safe autofix diff
      --fix                        Apply safe autofixes (.bak backup created)
      --baseline <BASELINE>        Path to baseline file
      --update-baseline <PATH>     Create or update baseline file
      --list-rules                 List all available rules
      --explain <RULE>             Show documentation for a specific rule
      --git-diff                   Only analyze files changed in git
      --since <REV>                Analyze files changed since a git revision
      --min-confidence <LEVEL>     Minimum confidence: proven, contextual, advisory
      --include-nonprod            Include test/example/seed contexts in output
      --compare                    Detect similar queries across files
      --init                       Create a slowql.yaml config file
      --verbose                    Enable verbose output
  -h, --help                       Print help
  -V, --version                    Print version

Exit Codes

CodeMeaning
0No issues found (or below threshold)
1Issues found at medium or low severity
2Issues found at high severity
3Issues found at critical severity

Explore Rules

# List all rules
slowql --list-rules

# Filter by dimension
slowql --list-rules --filter-dimension security

# Filter by dialect
slowql --list-rules --filter-dialect postgresql

# Explain a specific rule
slowql --explain PERF-SCAN-001

Architecture

Files -> Walker -> Context Classifier -> Parser -> Rule Engine -> Issues -> Reporter
                                           |           |             |
                                      Extractor    Schema        Autofix
                                    (app code)   Validator     (safe only)
  • Walker: Traverses directories, filters by supported extensions
  • Context Classifier: Classifies files by role (application, test, migration, etc.)
  • Parser: Splits SQL statements, detects dialect, extracts tables/columns
  • Extractor: Pulls SQL from Python, TypeScript, Java, Go, Ruby, C#, MyBatis XML
  • Rule Engine: 282+ rules across 6 dimensions with confidence levels
  • Schema Validator: Optional DDL-based table/column existence checks
  • Autofix: Conservative text-replacement fixes with backup
  • Reporter: Console, JSON, SARIF, GitHub Actions, HTML, CSV

Verified Against

SlowQL v2.0.0 was hardened against these open-source repositories with zero false positives in proven mode: (AMD Ryzen i7 U4700 12GB RAM)

RepositoryQueriesTime
ClickHouse171,53314s
graphql-engine84,10154s
citus64,4685s
timescaledb30,7752.5s
spark19,8922s
sqlfluff14,9791s
vitess2,3120.5s
postgrest2,3220.4s
mybatis-31,7030.3s
metabase1,3100.5s
supabase8170.3s
django2010.2s
rails1640.2s
prisma-engines1670.1s
sqlmap1420.1s
+ 13 more

Development

git clone https://github.com/slowql/slowql.git
cd slowql
cargo build
cargo test

625 tests covering rules, extractors, context classification, CLI, and integration scenarios.

License

AGPL-3.0. See LICENSE.

Copyright (C) 2025-2026 El Mehdi Makroumi.