Framework-agnostic linter and testing toolkit for Postgres Row-Level Security.
Project description
pgrls
Framework-agnostic linter and testing toolkit for Postgres Row-Level Security.
Status: 0.0.3 — error-severity rules shipping (SEC001, SEC002, SEC003, SEC004, SEC006, HYG001). Warning/info rules and the
test/diffcommands are on the roadmap below.
Install
pip install pgrls
Requires Python 3.11+.
Usage
Point pgrls at any Postgres database:
export DATABASE_URL="postgres://user:pass@host:5432/db"
pgrls lint
Or pass the URL directly:
pgrls lint --database-url "postgres://user:pass@host:5432/db"
Limit the scan to specific schemas:
pgrls lint --schemas public,tenant
Point at a non-default config file, or pick an output format:
pgrls lint --config ./config/pgrls.toml --format text
Example output
ERROR SEC001 public.users
Table public.users does not have row-level security enabled.
Add ENABLE ROW LEVEL SECURITY or include the table in
[lint.rules.SEC001].allowlist if it is a public reference table.
pgrls: 1 error.
Exit code is 1 when any violation meets or exceeds fail_on (default warning).
Configuration
Drop a pgrls.toml next to your project. See pgrls.example.toml in the repo for a fully commented version.
[database]
url = "$DATABASE_URL"
schemas = ["public"]
[lint]
disable = []
fail_on = "warning"
[lint.rules.SEC001]
allowlist = ["countries", "currencies"]
Rules
pgrls lint ships these rules at the error severity:
| ID | Catches |
|---|---|
| SEC001 | Tables in scanned schemas with RLS disabled |
| SEC002 | Tables with RLS enabled but FORCE ROW LEVEL SECURITY off |
| SEC003 | Permissive policies granted to PUBLIC |
| SEC004 | Inverted auth check (Lovable CVE pattern) in USING |
| SEC006 | INSERT/UPDATE/ALL policies with no WITH CHECK |
| HYG001 | Policies referencing columns that don't exist on the table |
For canonical SQL fixes per rule, see AGENTS.md. For per-rule
configuration options (allowlists, etc.), see pgrls.example.toml.
Roadmap
- More lint rules. Full SEC / PERF / HYG catalog, including the marquee SEC004 (inverted auth check / Lovable CVE pattern). JSON, SARIF, and Markdown output. Polished error messages.
pgrls test. Code-first RLS test DSL for Python, TypeScript, and Go.pgrls diff. Semantic policy diff between branches with DANGEROUS / BREAKING / SAFE classification.
License
MIT — see LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pgrls-0.0.3.tar.gz.
File metadata
- Download URL: pgrls-0.0.3.tar.gz
- Upload date:
- Size: 35.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cfef6e9cf88c785ef3514413cc40df51d7ea80827f34f35a9e375217c2d7a125
|
|
| MD5 |
d9b14e34d3f41740c756d529eb4f9f11
|
|
| BLAKE2b-256 |
8b032ff7b8cdcc46832a5f56aa7d73355a3a9d7cc99b67335f1d2dffc8565a73
|
File details
Details for the file pgrls-0.0.3-py3-none-any.whl.
File metadata
- Download URL: pgrls-0.0.3-py3-none-any.whl
- Upload date:
- Size: 21.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ac452f86174541838cdd2d68a1de39e6b448b140a114d7773c92f06501356da1
|
|
| MD5 |
ca1a16c24110ce24fa6bfeeb1efad91a
|
|
| BLAKE2b-256 |
e8a8c419fedd1d0266f181d65bbe146fc7484f674389906bcc44f05ced6e5b66
|
