Framework-agnostic linter and testing toolkit for Postgres Row-Level Security.
Project description
pgrls
Framework-agnostic linter and testing toolkit for Postgres Row-Level Security.
Status: 0.0.4 — ten rules across error, warning, and info severities (SEC001–SEC008, PERF001, HYG001). The
test/diffcommands are on the roadmap below.
Install
pip install pgrls
Requires Python 3.11+.
Usage
Point pgrls at any Postgres database:
export DATABASE_URL="postgres://user:pass@host:5432/db"
pgrls lint
Or pass the URL directly:
pgrls lint --database-url "postgres://user:pass@host:5432/db"
Limit the scan to specific schemas:
pgrls lint --schemas public,tenant
Point at a non-default config file, or pick an output format:
pgrls lint --config ./config/pgrls.toml --format text
Example output
ERROR SEC001 public.users
Table public.users does not have row-level security enabled.
Add ENABLE ROW LEVEL SECURITY or include the table in
[lint.rules.SEC001].allowlist if it is a public reference table.
pgrls: 1 error.
Exit code is 1 when any violation meets or exceeds fail_on (default warning).
Configuration
Drop a pgrls.toml next to your project. See pgrls.example.toml in the repo for a fully commented version.
[database]
url = "$DATABASE_URL"
schemas = ["public"]
[lint]
disable = []
fail_on = "warning"
[lint.rules.SEC001]
allowlist = ["countries", "currencies"]
Rules
pgrls lint ships these rules:
| ID | Severity | Catches |
|---|---|---|
| SEC001 | error | Tables in scanned schemas with RLS disabled |
| SEC002 | error | Tables with RLS enabled but FORCE ROW LEVEL SECURITY off |
| SEC003 | error | Permissive policies granted to PUBLIC |
| SEC004 | error | Inverted auth check (Lovable CVE pattern) in USING |
| SEC005 | warning | Policy expression has no own-column reference |
| SEC006 | error | INSERT/UPDATE/ALL policies with no WITH CHECK |
| SEC007 | info | All policies on a table are permissive (no RESTRICTIVE floor) |
| SEC008 | warning | Policy USING clause is constant true |
| PERF001 | warning | Auth function called per-row in policy USING (unwrapped) |
| HYG001 | error | Policies referencing columns that don't exist on the table |
For canonical SQL fixes per rule, see AGENTS.md. For per-rule
configuration options (allowlists, etc.), see pgrls.example.toml.
Roadmap
- More lint rules. Continued expansion of the SEC / PERF / HYG catalog. JSON, SARIF, and Markdown output. Polished error messages.
pgrls test. Code-first RLS test DSL for Python, TypeScript, and Go.pgrls diff. Semantic policy diff between branches with DANGEROUS / BREAKING / SAFE classification.
License
MIT — see LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pgrls-0.0.4.tar.gz.
File metadata
- Download URL: pgrls-0.0.4.tar.gz
- Upload date:
- Size: 78.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fdfce6347e471c2b46e6c6be5bb83a6a4cab1b3b292c46e332bce0ea0ab16c4c
|
|
| MD5 |
1595d1e64238d1a92d5803efd6cfdb83
|
|
| BLAKE2b-256 |
c3bf464b541d3fee96c566f3d397853afbbb4efa6f401998ba4e18d8896fd13e
|
File details
Details for the file pgrls-0.0.4-py3-none-any.whl.
File metadata
- Download URL: pgrls-0.0.4-py3-none-any.whl
- Upload date:
- Size: 29.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d19aed0502adb9437945896e2f3fb3773e4f886f2325e01cde94010fa2bcf0d
|
|
| MD5 |
db88f32e336d20614d856311a0a46f17
|
|
| BLAKE2b-256 |
f9ba5f645ddc339690c927b4ff54663b5ef4517c700817a0676ec7ba68fed81e
|
