
Real-Time SQL Analysis in VS Code: Catch Dangerous Queries Before You Save the File

Backend engineer with a focus on SQL performance, database reliability, and the kind of bugs that only show up at 2am on a Saturday. I spent 18 months building SlowQL, an open source SQL static analyzer with 171 rules across security, performance, reliability, compliance, quality and cost. Zero dependencies. Completely offline. Built after watching one SELECT * on a 10 million row table take down production for an entire weekend. I write about the SQL patterns that look fine in review and destroy you in production. Real incidents, real root causes, and how to catch them before they ship. If you work with databases at scale you've probably already seen most of what I write about. Hopefully a bit earlier than I did.

Most SQL bugs are caught in one of three places: code review, where a tired engineer might miss them; staging, where the dataset is too small to reveal the problem; or production, at 2am, where they cause the most damage.

The SlowQL VS Code extension adds a fourth option: your editor, before you even save the file.


What it does

SlowQL for VS Code runs 272 static analysis rules against your SQL as you type. Diagnostics appear in the Problems panel automatically. Open a .sql file and it works. No database connection, no configuration, no pipeline to set up first.

The kind of bugs it catches are the ones that look completely fine until they aren't. A DELETE with no WHERE clause that wipes your entire customers table. A LIKE pattern starting with a wildcard that silently bypasses your index on every single query. A GRANT ALL PRIVILEGES that gives your app user god mode access to your entire database. A cartesian join that returns every row times every row because someone forgot the JOIN condition.

All of it flagged in real time. Before you save. Before you commit. Before anyone reviews it.


What gets flagged

272 rules across six dimensions:

Security catches SQL injection vectors, hardcoded credentials in migration files, privilege escalation and dynamic SQL construction that opens injection surfaces.

Performance catches full table scans, leading wildcards that bypass indexes, functions on indexed columns, N+1 patterns and unbounded queries with no LIMIT.

Reliability catches DELETE and UPDATE without WHERE clauses, missing transactions around multi-statement operations and data loss risks.

Quality catches NULL comparison errors, implicit joins, deprecated syntax and naming violations.

Cost catches cloud warehouse antipatterns: SELECT * on wide tables in BigQuery and Athena, unbounded scans in scheduled jobs, and repeated subqueries that could be materialized.

Compliance catches GDPR violations, HIPAA risks, PCI-DSS and SOX compliance issues at the query level.
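To make the rule categories above concrete, here is a small rule-based checker written for this post as an added example; it is not SlowQL's code and the rule ids and severities it uses are hypothetical. It strips comments, splits a script into statements and runs regex predicates for a handful of the patterns described above (DELETE/UPDATE with no WHERE, GRANT ALL, a cartesian join, a leading-wildcard LIKE, a function wrapped around a filter column, a comparison against NULL, SELECT * and a SELECT with no LIMIT), then applies a severity threshold in the spirit of the fail-on gate described later. The sample SQL is constructed for the example.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    statement: str


def _has(pattern, stmt):
    return re.search(pattern, stmt, re.IGNORECASE) is not None


def _starts(stmt, keyword):
    return re.match(rf"{keyword}\b", stmt, re.IGNORECASE) is not None


def _cartesian_join(stmt):
    # An explicit JOIN with no ON/USING, or a comma join with no WHERE at all,
    # multiplies every row of one table by every row of the other.
    joins = len(re.findall(r"\bJOIN\b", stmt, re.IGNORECASE))
    joins -= len(re.findall(r"\b(?:NATURAL|CROSS)\s+JOIN\b", stmt, re.IGNORECASE))
    conditions = len(re.findall(r"\b(?:ON|USING)\b", stmt, re.IGNORECASE))
    if joins > conditions:
        return True
    comma_join = _has(r"\bFROM\s+\w+(?:\s+(?:AS\s+)?\w+)?\s*,\s*\w+", stmt)
    return comma_join and not _has(r"\bWHERE\b", stmt)


# (rule id, severity, predicate). Hypothetical names chosen for this example,
# not SlowQL's identifiers. Predicates run on one whitespace-normalised statement.
RULES = [
    ("DELETE_WITHOUT_WHERE", "high",
     lambda s: _starts(s, "DELETE") and not _has(r"\bWHERE\b", s)),
    ("UPDATE_WITHOUT_WHERE", "high",
     lambda s: _starts(s, "UPDATE") and not _has(r"\bWHERE\b", s)),
    ("GRANT_ALL_PRIVILEGES", "high",
     lambda s: _has(r"\bGRANT\s+ALL(?:\s+PRIVILEGES)?\b", s)),
    ("CARTESIAN_JOIN", "high", _cartesian_join),
    ("LEADING_WILDCARD_LIKE", "medium",       # '%foo' cannot use a B-tree index
     lambda s: _has(r"\bLIKE\s+'[%_]", s)),
    ("FUNCTION_ON_FILTER_COLUMN", "medium",   # WHERE LOWER(col) = ... hides the column
     lambda s: _has(r"\bWHERE\s+\w+\s*\(", s)),
    ("NULL_COMPARISON", "medium",             # col = NULL is never true; use IS NULL
     lambda s: _has(r"(?:=|<>|!=)\s*NULL\b", s)),
    ("SELECT_STAR", "low",
     lambda s: _starts(s, "SELECT") and _has(r"^SELECT\s+\*", s)),
    ("UNBOUNDED_SELECT", "low",
     lambda s: _starts(s, "SELECT") and not _has(r"\b(?:LIMIT|FETCH\s+FIRST|TOP)\b", s)),
]


def split_statements(sql):
    """Strip -- comments, split on ';' and collapse whitespace."""
    sql = re.sub(r"--[^\n]*", "", sql)
    return [" ".join(s.split()) for s in sql.split(";") if s.strip()]


def analyse(sql):
    return [Finding(rule, severity, stmt)
            for stmt in split_statements(sql)
            for rule, severity, predicate in RULES
            if predicate(stmt)]


def rules_by_statement(sql):
    """Map each statement to the set of rule ids it triggered."""
    out = {}
    for f in analyse(sql):
        out.setdefault(f.statement, set()).add(f.rule)
    return out


def should_fail(findings, threshold="high"):
    """Gate like a CI fail-on setting: any finding at or above the threshold fails."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] for f in findings)


# Constructed sample input for this example; not taken from any real codebase.
SAMPLE_SQL = """
-- migration 042 (constructed sample)
DELETE FROM customers;
SELECT id FROM users WHERE email LIKE '%@example.com' LIMIT 50;
SELECT id FROM users WHERE LOWER(email) = 'a@example.com' LIMIT 1;
GRANT ALL PRIVILEGES ON appdb.* TO 'app'@'%';
SELECT o.id, c.name FROM orders o JOIN customers c;
SELECT * FROM events WHERE status = NULL;
UPDATE accounts SET balance = 0 WHERE id = 42;
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_SQL):
        print(f"[{f.severity:6}] {f.rule:26} {f.statement}")
    print("fail build:", should_fail(analyse(SAMPLE_SQL), "high"))
```

The predicates are deliberately regex-level so the whole thing fits on a page; a real analyzer parses the statement, which is what lets it tell a `WHERE` inside a subquery from the one that protects your `DELETE`. The last statement, an UPDATE that does carry a WHERE clause, is the control case and triggers nothing.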


14 dialects, dialect-specific rules

107 of the 272 rules are dialect-aware. Set your dialect once in VS Code settings and SlowQL fires only the rules relevant to your database engine. No false positives from rules that don't apply to your stack.

PostgreSQL, MySQL, SQL Server, Oracle, SQLite, Snowflake, BigQuery, Redshift, ClickHouse, DuckDB, Presto, Trino, Spark, Databricks.


Schema-aware validation

Point SlowQL at your DDL files and it validates your queries against your actual schema, catching references to tables and columns that don't exist and suggesting missing indexes on filtered columns.

This is where static analysis stops being generic and starts understanding your specific database. A SELECT on a column that doesn't exist in your schema gets flagged before the query ever runs.
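What schema-aware validation looks like in miniature, as an added example written for this post (not SlowQL's implementation): a loader that reads CREATE TABLE and CREATE INDEX statements into a table-to-columns map plus a set of indexed columns, and a validator that checks a query's table references, its qualified column references, and the columns it filters on, suggesting an index where a filter column has none. The DDL and queries are constructed; the checker only resolves `alias.column` references and filter columns, so an unqualified column in a SELECT list is not validated.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Schema:
    tables: dict = field(default_factory=dict)  # table name -> set of column names
    indexed: set = field(default_factory=set)   # (table, column) pairs that have an index


CREATE_TABLE = re.compile(r"CREATE\s+TABLE\s+(\w+)\s*\((.*?)\)\s*;", re.I | re.S)
CREATE_INDEX = re.compile(r"CREATE\s+(?:UNIQUE\s+)?INDEX\s+\w+\s+ON\s+(\w+)\s*\(\s*(\w+)", re.I)
CONSTRAINT_WORDS = {"PRIMARY", "FOREIGN", "UNIQUE", "CONSTRAINT", "CHECK", "KEY", "INDEX"}
# FROM/JOIN/UPDATE <table> [AS] [alias]; the lookahead stops a keyword being read as an alias
TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|UPDATE)\s+(\w+)(?:\s+(?:AS\s+)?"
    r"(?!(?:WHERE|JOIN|SET|ON|USING|LEFT|RIGHT|INNER|OUTER|CROSS|NATURAL|GROUP|ORDER|LIMIT)\b)(\w+))?",
    re.I)
COLUMN_REF = re.compile(r"\b(\w+)\.(\w+)\b")
FILTER_REF = re.compile(
    r"\b(?:WHERE|AND|OR)\s+(?:(\w+)\.)?(\w+)\s*(?:=|<>|!=|<=|>=|<|>|\bLIKE\b|\bIN\b)", re.I)


def load_schema(ddl):
    schema = Schema()
    for table, body in CREATE_TABLE.findall(ddl):
        table, cols = table.lower(), set()
        for part in re.split(r",(?![^()]*\))", body):  # split on commas outside parentheses
            words = part.split()
            if not words:
                continue
            if words[0].upper() == "PRIMARY":           # table-level PRIMARY KEY (col)
                m = re.search(r"\(\s*(\w+)", part)
                if m:
                    schema.indexed.add((table, m.group(1).lower()))
                continue
            if words[0].upper() in CONSTRAINT_WORDS:
                continue
            col = words[0].lower()
            cols.add(col)
            if re.search(r"\bPRIMARY\s+KEY\b", part, re.I):  # inline primary key is indexed
                schema.indexed.add((table, col))
        schema.tables[table] = cols
    for table, col in CREATE_INDEX.findall(ddl):
        schema.indexed.add((table.lower(), col.lower()))
    return schema


def validate(schema, sql):
    """Return a list of issue strings; an empty list means the query matches the schema."""
    stmt = " ".join(sql.split())
    issues, aliases = [], {}
    for table, alias in TABLE_REF.findall(stmt):
        t = table.lower()
        if t not in schema.tables:
            issues.append(f"unknown table '{table}'")
            continue
        aliases[t] = t
        if alias:
            aliases[alias.lower()] = t
    for qual, col in COLUMN_REF.findall(stmt):
        t = aliases.get(qual.lower())
        if t and col.lower() not in schema.tables[t]:
            issues.append(f"unknown column '{qual}.{col}'")
    seen = set()
    for qual, col in FILTER_REF.findall(stmt):
        col = col.lower()
        if qual:
            t = aliases.get(qual.lower())
        else:  # unqualified: resolve only if exactly one referenced table owns the column
            owners = [t for t in set(aliases.values()) if col in schema.tables[t]]
            t = owners[0] if len(owners) == 1 else None
        if t is None or col not in schema.tables[t] or (t, col) in seen:
            continue
        seen.add((t, col))
        if (t, col) not in schema.indexed:
            issues.append(f"no index on {t}({col}) used as a filter")
    return issues


# Constructed sample DDL for this example.
SAMPLE_DDL = """
CREATE TABLE customers (
  id INTEGER PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  country CHAR(2)
);
CREATE TABLE orders (
  id INTEGER PRIMARY KEY,
  customer_id INTEGER REFERENCES customers(id),
  total DECIMAL(10,2),
  status VARCHAR(20)
);
CREATE INDEX orders_customer_idx ON orders (customer_id);
"""

if __name__ == "__main__":
    schema = load_schema(SAMPLE_DDL)
    for q in ["SELECT c.emial FROM customers c WHERE c.country = 'DE'",
              "DELETE FROM invoices WHERE id = 7",
              "SELECT id FROM orders WHERE customer_id = 42"]:
        print(q, "->", validate(schema, q) or "ok")
```

The misspelt `c.emial` is the case the section describes: it is a valid query as far as a parser is concerned and fails only against the real schema, so it gets flagged here rather than at runtime. The `DECIMAL(10,2)` column is there to show why the DDL loader must not split on every comma.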


Why offline matters

Everything runs on your machine. Your SQL never leaves your editor. No API calls, no telemetry on your query content, no external service processing your database schema.

This matters more than people realise. Engineers at banks, healthcare companies and fintech teams often cannot pipe their SQL to an external service for analysis. The offline constraint is not a limitation. It is a deliberate design decision that makes SlowQL usable in environments where cloud-based tools are not an option.


Three ways to run it

VS Code extension for real-time diagnostics as you write. Install from the marketplace, open a .sql file, done.

CLI for local analysis and scripting:

pip install slowql
slowql queries.sql

Docker if you don't want to install Python:

docker run --rm -v $(pwd):/src makroumi/slowql /src/queries.sql

GitHub Actions to block dangerous SQL from merging:

- uses: makroumi/slowql-action@v1
  with:
    path: "./sql/**/*.sql"
    fail-on: high

The feedback loop SQL never had

Application code gets linted in the editor, type-checked at compile time and reviewed by automated tools before it merges. SQL gets reviewed by a human who is focused on business logic, not injection surfaces or index bypass patterns.

The SlowQL VS Code extension closes that gap at the earliest possible point in the development cycle. The same query that would have paged you at 2am gets a red squiggly line at 2pm before you even commit it.


SlowQL is open source. VS Code extension, CLI, Docker and GitHub Action are all available at github.com/makroumi/slowql.