ship: sqlaudit v1.0.0 (Round 66, SQL Analysis, Python) -- PROJECT #73

SQL Query Auditor & Optimizer with 27 built-in rules across 5 categories
(performance, security, best-practice, correctness, style).
Zero dependencies. 287 tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JSLEEKR

.gitignore

@@ -0,0 +1,7 @@
+.eggs/
+*.egg-info/
+__pycache__/
+*.pyc
+dist/
+build/
+.pytest_cache/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 JSLEEKR
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,301 @@
+<p align="center">
+  <h1 align="center">sqlaudit</h1>
+  <p align="center">SQL Query Auditor & Optimizer — analyze SQL for performance, security, and best practices</p>
+</p>
+
+<p align="center">
+  <a href="https://www.python.org/"><img src="https://img.shields.io/badge/Python-3.9+-3776AB?style=for-the-badge&logo=python&logoColor=white" alt="Python"></a>
+  <a href="https://github.com/JSLEEKR/sqlaudit/blob/main/LICENSE"><img src="https://img.shields.io/badge/License-MIT-green?style=for-the-badge" alt="License"></a>
+  <a href="https://github.com/JSLEEKR/sqlaudit"><img src="https://img.shields.io/badge/Tests-287-blue?style=for-the-badge" alt="Tests"></a>
+  <a href="https://github.com/JSLEEKR/sqlaudit"><img src="https://img.shields.io/badge/Rules-27-orange?style=for-the-badge" alt="Rules"></a>
+  <a href="https://github.com/JSLEEKR/sqlaudit"><img src="https://img.shields.io/badge/Zero_Dependencies-brightgreen?style=for-the-badge" alt="Zero Dependencies"></a>
+</p>
+
+---
+
+## Why This Exists
+
+Every SQL query you write is a potential performance bottleneck, security vulnerability, or maintenance headache. Code linters catch bugs in Python, Go, and TypeScript — but who catches bugs in your SQL?
+
+**sqlaudit** is a zero-dependency SQL static analyzer that catches:
+- **Performance killers**: `SELECT *`, missing `WHERE` on `DELETE/UPDATE`, leading wildcards in `LIKE`, excessive JOINs
+- **Security risks**: SQL injection patterns, `GRANT ALL`, always-true conditions (`1=1`), comment injection
+- **Correctness bugs**: `= NULL` instead of `IS NULL`, `HAVING` without `GROUP BY`, implicit column lists
+- **Style issues**: inconsistent keyword casing, implicit joins, unnecessary parentheses
+
+No database connection required. No configuration needed. Just point it at SQL and get actionable feedback.
+
+---
+
+## Installation
+
+```bash
+pip install sqlaudit
+```
+
+Or install from source:
+
+```bash
+git clone https://github.com/JSLEEKR/sqlaudit.git
+cd sqlaudit
+pip install -e .
+```
+
+---
+
+## Quick Start
+
+### CLI Usage
+
+```bash
+# Audit a SQL file
+sqlaudit audit -f queries.sql
+
+# Audit a single query
+sqlaudit audit -q "SELECT * FROM users WHERE name = NULL"
+
+# Audit from stdin
+cat migration.sql | sqlaudit audit --stdin
+
+# JSON output for CI/CD integration
+sqlaudit audit -f queries.sql --format json
+
+# Only check security rules
+sqlaudit audit -f queries.sql --category security
+
+# Fail CI pipeline on any error or warning
+sqlaudit audit -f queries.sql --fail-on warning
+
+# Show fix suggestions
+sqlaudit audit -q "DELETE FROM users" --verbose
+
+# List all available rules
+sqlaudit rules
+```
+
+### Python API
+
+```python
+from sqlaudit import Analyzer
+
+analyzer = Analyzer()
+report = analyzer.analyze("""
+    SELECT * FROM users WHERE name = NULL;
+    DELETE FROM audit_logs;
+    INSERT INTO users VALUES (1, 'test');
+""")
+
+print(f"Score: {report.score}/100")
+print(f"Errors: {report.total_errors}")
+print(f"Warnings: {report.total_warnings}")
+
+for query in report.queries:
+    for finding in query.findings:
+        print(f"  [{finding.severity.value}] {finding.rule_id}: {finding.message}")
+        print(f"    Fix: {finding.suggestion}")
+```
+
+### Quick Check
+
+```python
+from sqlaudit import Analyzer
+
+analyzer = Analyzer()
+findings = analyzer.check_query("DELETE FROM important_table")
+
+for f in findings:
+    print(f"{f.rule_id}: {f.message}")
+# P002: DELETE without WHERE clause will affect all rows
+```
+
+---
+
+## Rules Reference
+
+sqlaudit ships with 27 built-in rules across 5 categories.
+
+### Performance (P001-P010)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| P001 | WARNING | `SELECT *` retrieves all columns |
+| P002 | ERROR | `UPDATE/DELETE` without `WHERE` clause |
+| P003 | WARNING | Leading wildcard in `LIKE` prevents index usage |
+| P004 | WARNING | Too many JOINs (>5 tables) |
+| P005 | WARNING | `NOT IN` with subquery (NULL handling issues) |
+| P006 | INFO | Multiple `OR` on same column (use `IN` instead) |
+| P007 | HINT | `SELECT` without `LIMIT` |
+| P008 | WARNING | Function on column in `WHERE` prevents index usage |
+| P009 | HINT | `SELECT DISTINCT` with JOINs may indicate bad join |
+| P010 | INFO | `ORDER BY` without `LIMIT` sorts entire result set |
+
+### Security (S001-S007)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| S001 | ERROR | String concatenation (SQL injection risk) |
+| S002 | ERROR | `GRANT ALL PRIVILEGES` (excessive permissions) |
+| S003 | WARNING | `DROP` without `IF EXISTS` |
+| S004 | WARNING | `TRUNCATE` detected (no row-level logging) |
+| S005 | ERROR | Comment patterns inside string literals |
+| S006 | WARNING | `UNION` injection pattern |
+| S007 | WARNING | Always-true condition (`1=1`, `'a'='a'`) |
+
+### Best Practice (B001-B005)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| B001 | WARNING | `INSERT` without column list |
+| B002 | INFO | `SELECT INTO` (non-standard) |
+| B003 | HINT | Multi-table query without aliases |
+| B004 | WARNING | Deeply nested subqueries (depth >= 3) |
+| B005 | INFO | Implicit join (comma-separated `FROM`) |
+
+### Correctness (C001-C003)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| C001 | ERROR | `= NULL` instead of `IS NULL` |
+| C002 | WARNING | `SELECT *` with `GROUP BY` |
+| C003 | ERROR | `HAVING` without `GROUP BY` |
+
+### Style (T001-T002)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| T001 | HINT | Inconsistent keyword casing |
+| T002 | HINT | Unnecessary parentheses in simple conditions |
+
+---
+
+## Advanced Usage
+
+### Category Filtering
+
+```python
+from sqlaudit import Analyzer
+from sqlaudit.rules import Category
+
+# Only security checks
+analyzer = Analyzer(enable_categories=[Category.SECURITY])
+report = analyzer.analyze("SELECT * FROM users")
+```
+
+### Severity Filtering
+
+```python
+from sqlaudit import Analyzer
+from sqlaudit.rules import Severity
+
+# Only errors and warnings (skip info/hint)
+analyzer = Analyzer(min_severity=Severity.WARNING)
+```
+
+### Disable Specific Rules
+
+```python
+analyzer = Analyzer(disable_rules=["P001", "P007", "T001"])
+```
+
+### Custom Rules
+
+```python
+from sqlaudit import Analyzer, Rule, Severity, Category
+
+def check_table_prefix(info):
+    """All tables should use 'app_' prefix."""
+    for table in info.tables:
+        if not table.startswith("app_"):
+            return f"Table '{table}' missing 'app_' prefix"
+    return None
+
+analyzer = Analyzer()
+analyzer.register_rule(Rule(
+    id="CUSTOM001",
+    name="table-prefix",
+    description="Tables must use app_ prefix",
+    severity=Severity.WARNING,
+    category=Category.BEST_PRACTICE,
+    check=check_table_prefix,
+    suggestion="Rename table to use app_ prefix",
+))
+
+report = analyzer.analyze("SELECT * FROM users")
+# Finds: Table 'users' missing 'app_' prefix
+```
+
+### Output Formats
+
+```bash
+# Human-readable text (default)
+sqlaudit audit -q "SELECT * FROM t" --format text
+
+# JSON for programmatic consumption
+sqlaudit audit -q "SELECT * FROM t" --format json
+
+# CSV for spreadsheet import
+sqlaudit audit -q "SELECT * FROM t" --format csv
+
+# Summary only (score + counts)
+sqlaudit audit -q "SELECT * FROM t" --format summary
+```
+
+### CI/CD Integration
+
+```yaml
+# GitHub Actions example
+- name: SQL Audit
+  run: |
+    pip install sqlaudit
+    sqlaudit audit -f migrations/*.sql --format json --fail-on warning
+```
+
+```bash
+# Pre-commit hook
+#!/bin/bash
+SQL_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.sql$')
+if [ -n "$SQL_FILES" ]; then
+    sqlaudit audit -f $SQL_FILES --fail-on error --no-color
+fi
+```
+
+---
+
+## Scoring
+
+sqlaudit assigns a score from 0-100 based on findings:
+
+| Severity | Point Deduction |
+|----------|----------------|
+| ERROR | -10 per finding |
+| WARNING | -5 per finding |
+| INFO | -2 per finding |
+| HINT | -1 per finding |
+
+A **pass rate** is also computed: percentage of queries with zero errors or warnings.
+
+---
+
+## Architecture
+
+```
+sqlaudit/
+  parser.py     # SQL tokenizer + query parser (zero dependencies)
+  rules.py      # Rule engine with 27 built-in rules
+  analyzer.py   # Main analyzer (parser + rules + report)
+  report.py     # Report data model (Finding, QueryResult, Report)
+  formatter.py  # Output formatters (text, JSON, CSV, summary)
+  cli.py        # Command-line interface
+```
+
+The architecture is designed for extensibility:
+- **Parser** produces a `QueryInfo` object with structured query metadata
+- **Rules** are pure functions: `(QueryInfo) -> Optional[str]`
+- **Custom rules** can be registered at runtime
+- **Formatters** are pluggable for any output format
+
+---
+
+## License
+
+MIT

pyproject.toml

@@ -0,0 +1,37 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "sqlaudit"
+version = "1.0.0"
+description = "SQL Query Auditor & Optimizer — analyze SQL for performance, security, and best practices"
+readme = "README.md"
+license = {text = "MIT"}
+requires-python = ">=3.9"
+authors = [{name = "JSLEEKR", email = "93jslee@gmail.com"}]
+keywords = ["sql", "audit", "security", "performance", "optimizer", "linter"]
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Database",
+    "Topic :: Software Development :: Quality Assurance",
+]
+
+[project.scripts]
+sqlaudit = "sqlaudit.cli:main"
+
+[project.optional-dependencies]
+dev = ["pytest>=7.0", "pytest-cov"]
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

src/sqlaudit/__init__.py

@@ -0,0 +1,19 @@
+"""sqlaudit - SQL Query Auditor & Optimizer."""
+
+__version__ = "1.0.0"
+
+from sqlaudit.analyzer import Analyzer
+from sqlaudit.rules import RuleEngine, Rule, Severity, Category
+from sqlaudit.report import Report, Finding
+from sqlaudit.formatter import format_report
+
+__all__ = [
+    "Analyzer",
+    "RuleEngine",
+    "Rule",
+    "Severity",
+    "Category",
+    "Report",
+    "Finding",
+    "format_report",
+]

src/sqlaudit/__main__.py

@@ -0,0 +1,6 @@
+"""Allow running as python -m sqlaudit."""
+
+from sqlaudit.cli import main
+
+if __name__ == "__main__":
+    main()