Repository record: https://github.com/timescale/pgspot (GitHub, timescale/pgspot; description: "Spot vulnerabilities in postgres SQL scripts"; language: Python; license: PostgreSQL; topics: postgresql, python, security; created 2022-02-10; record last synced 2025-05-07). README follows.

## pgspot
<p align="center">
  <a href="https://github.com/timescale/pgspot/actions"><img alt="Actions Status" src="https://github.com/timescale/pgspot/workflows/Test/badge.svg"></a>
  <a href="https://github.com/timescale/pgspot/blob/main/LICENSE"><img alt="License: PostgreSQL" src="https://img.shields.io/github/license/timescale/pgspot"></a>
  <a href="https://pypi.org/project/pgspot/"><img alt="PyPI" src="https://img.shields.io/pypi/v/pgspot"></a>
  <a href="https://pepy.tech/project/pgspot"><img alt="Downloads" src="https://pepy.tech/badge/pgspot"></a>
  <a href="https://github.com/psf/black"><img alt="Code style: black" src="https://img.shields.io/badge/code%20style-black-000000.svg"></a>
  <a href="https://www.bestpractices.dev/projects/8009"><img src="https://www.bestpractices.dev/projects/8009/badge"></a>
</p>

Spot vulnerabilities in PostgreSQL extension scripts.

pgspot checks whether extension scripts follow PostgreSQL security best
practices. In addition to checking extension scripts it can also be
used to check security definer functions or any other PostgreSQL SQL code.

pgspot checks for the following vulnerabilities:
- search_path-based attacks
- unsafe object creation

Consult the [reference] for detailed documentation of the vulnerabilities which
pgspot detects, and their potential mitigations.

[reference]: https://github.com/timescale/pgspot/blob/main/REFERENCE.md

## Useful links
- [PostgreSQL security recommendations for extensions](https://www.postgresql.org/docs/current/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY)
- [PostgreSQL security recommendations for SECURITY DEFINER functions](https://www.postgresql.org/docs/current/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY)

## Installation

```
pip install pgspot
```

## Requirements

- python >= 3.10
- [pglast](https://github.com/lelit/pglast)
- [libpg_query](https://github.com/pganalyze/libpg_query) (through pglast)

To install the runtime requirements, use `pip install -r requirements.txt`.

## Usage

```
> pgspot -h
usage: pgspot [-h] [-a] [--proc-without-search-path PROC] [--summary-only] [--plpgsql | --no-plpgsql] [--explain EXPLAIN] [--ignore IGNORE] [--sql-accepting SQL_FN] [FILE ...]

Spot vulnerabilities in PostgreSQL SQL scripts

positional arguments:
  FILE                  file to check for vulnerabilities

options:
  -h, --help            show this help message and exit
  -a, --append          append files before checking
  --proc-without-search-path PROC
                        whitelist functions without explicit search_path
  --summary-only        only print number of errors, warnings and unknowns
  --plpgsql, --no-plpgsql
                        Analyze PLpgSQL code (default: True)
  --explain EXPLAIN     Describe an error/warning code
  --ignore IGNORE       Ignore error or warning code
  --ignore-lang LANG    Ignore unknown procedural language
  --sql-accepting SQL_FN
                        Specify one or more sql-accepting functions
```

```
> pgspot --ignore PS017 <<<"CREATE TABLE IF NOT EXISTS foo();"
PS012: Unsafe table creation: foo

Errors: 1 Warnings: 0 Unknown: 0
```

### SQL-accepting functions

It is a common pattern for SQL-accepting functions to exist: functions that take a
string-like argument which is then executed as SQL. This can "hide" some SQL
from pgspot, because the string-like argument masks the SQL. With the
`--sql-accepting` argument, pgspot can be told about such functions.

Assume a function named `execute_sql` that takes a SQL string as its first
argument and executes it. With `pgspot --sql-accepting=execute_sql` we
tell pgspot that `execute_sql` may accept SQL; pgspot will then attempt to unpack and
evaluate all arguments to that function as SQL.