{"id":13600915,"url":"https://github.com/houqp/sqlvet","last_synced_at":"2025-04-09T05:09:53.497Z","repository":{"id":42465539,"uuid":"228723879","full_name":"houqp/sqlvet","owner":"houqp","description":"Go fearless SQL. Sqlvet performs static analysis on raw SQL queries in your Go code base.","archived":false,"fork":false,"pushed_at":"2024-09-17T06:16:33.000Z","size":117,"stargazers_count":492,"open_issues_count":9,"forks_count":25,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-02T04:03:01.168Z","etag":null,"topics":["golang","linter","security","sql","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/houqp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-18T00:14:36.000Z","updated_at":"2025-01-05T18:15:41.000Z","dependencies_parsed_at":"2023-12-26T07:47:41.414Z","dependency_job_id":"de8e28be-57a6-4602-8132-30df9e352818","html_url":"https://github.com/houqp/sqlvet","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/houqp%2Fsqlvet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/houqp%2Fsqlvet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/houqp%2Fsqlvet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/houqp%2Fsqlvet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/houqp","
download_url":"https://codeload.github.com/houqp/sqlvet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247980837,"owners_count":21027808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","linter","security","sql","static-analysis"],"created_at":"2024-08-01T18:00:50.833Z","updated_at":"2025-04-09T05:09:53.474Z","avatar_url":"https://github.com/houqp.png","language":"Go","readme":"# Sqlvet\n\n[![goreportcard](https://goreportcard.com/badge/github.com/houqp/sqlvet)](https://goreportcard.com/report/github.com/houqp/sqlvet)\n[![codecov](https://codecov.io/gh/houqp/sqlvet/branch/master/graphs/badge.svg?branch=master)](https://codecov.io/gh/houqp/sqlvet)\n[![build-status](https://github.com/houqp/sqlvet/workflows/build/badge.svg)](https://github.com/houqp/sqlvet/actions)\n\nSqlvet performs static analysis on raw SQL queries in your Go code base to\nsurface potential runtime errors at build time.\n\nFeature highlights:\n\n* Check for SQL syntax errors\n* Identify unsafe queries that could potentially lead to SQL injections\n* For INSERT statements, make sure column count matches value count\n* Validate table names\n* Validate column names\n\nTODO:\n* Validate query function argument count and types\n* Support MySQL syntax\n* Type check value list in UPDATE query\n* Trace wrapper function call\n\n\n## Usage\n\n### Installation\n\nGo versions before 1.18:\n\n\n```sh\n$ go get github.com/houqp/sqlvet\n```\n\nGo 1.18 or later:\n\n\n```sh\n$ go install github.com/houqp/sqlvet@latest\n```\n\n### Zero 
conf\n\nSqlVet should work out of the box for any Go project using go modules:\n\n```\n$ sqlvet .\n[!] No schema specified, will run without table and column validation.\nChecked 10 SQL queries.\n🎉 Everything is awesome!\n```\n\nNote: unreachable code will be skipped.\n\n\n### Schema validation\n\nTo enable more in-depth analysis, create a `sqlvet.toml` config file at the\nroot of your project and specify the path to a database schema file:\n\n```\n$ cat ./sqlvet.toml\nschema_path = \"schema/full_schema.sql\"\n\n$ sqlvet .\nLoaded DB schema from schema/full_schema.sql\n        table alembic_version with 1 columns\n        table incident with 13 columns\n        table usr with 4 columns\nExec @ ./pkg/incident.go:75:19\n        UPDATE incident SET oops = $1 WHERE id = $2\n\n        ERROR: column `oops` is not defined in table `incident`\n\nChecked 10 SQL queries.\nIdentified 1 errors.\n```\n\n### Custom query functions and libraries\n\nBy default, sqlvet checks all calls to query functions in the `database/sql`,\n   `github.com/jmoiron/sqlx`, `github.com/jinzhu/gorm` and `go-gorp/gorp`\n   libraries. 
You can however configure it to white-list arbitrary query\n   functions like below:\n\n```toml\n[[sqlfunc_matchers]]\n  pkg_path = \"github.com/mattermost/gorp\"\n  [[sqlfunc_matchers.rules]]\n    query_arg_name = \"query\"\n    query_arg_pos  = 0\n  [[sqlfunc_matchers.rules]]\n    query_arg_name = \"sql\"\n    query_arg_pos  = 0\n```\n\nThe above config tells sqlvet to analyze any function/method from\n`github.com/mattermost/gorp` package that has the first parameter named either\n`query` or `sql`.\n\nYou can also match query functions by names:\n\n```toml\n[[sqlfunc_matchers]]\n  pkg_path = \"github.com/jmoiron/sqlx\"\n  [[sqlfunc_matchers.rules]]\n    func_name = \"NamedExecContext\"\n    query_arg_pos  = 1\n```\n\nThe above config tells sqlvet to analyze the second parameter of any\nfunction/method named `NamedExecContext` in `github.com/jmoiron/sqlx` package.\n\n\n### Ignore false positives\n\nTo skip a false positive, annotate the relevant line with `sqlvet: ignore`\ncomment:\n\n```go\nfunc foo() {\n    Db.Query(fmt.Sprintf(\"SELECT %s\", \"1\")) // sqlvet: ignore\n}\n```\n\n\n## Acknowledgements\n\nSqlvet was inspired by [safesql](https://github.com/stripe/safesql) and\n[sqlc](https://github.com/kyleconroy/sqlc).\n","funding_links":[],"categories":["Go","Multiple languages"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhouqp%2Fsqlvet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhouqp%2Fsqlvet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhouqp%2Fsqlvet/lists"}