The latest articles on DEV Community by Fan() (@fanduzi). https://dev.to/fanduzi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3922190%2F1adc84a3-39f9-41db-a653-af86815b6536.png https://dev.to/fanduzi en Fan() Sat, 09 May 2026 16:58:27 +0000 https://dev.to/fanduzi/automated-sql-migration-review-with-real-cli-output-mysql-postgresql-tidb-17b5 https://dev.to/fanduzi/automated-sql-migration-review-with-real-cli-output-mysql-postgresql-tidb-17b5 <h1> Auditing MySQL ALTER TABLE Risks with a CLI (Real Output Included) </h1> <h2> Background </h2> <p>I'm the author of <a href="https://github.com/Fanduzi/DeltaScope" rel="noopener noreferrer">DeltaScope</a>, an open-source offline SQL audit tool that supports MySQL, TiDB, and PostgreSQL. This post skips the marketing and shows real SQL inputs with real audit outputs — no fabrications.</p> <h2> Scenario 1: An Innocent-Looking Migration File </h2> <p>Consider a migration file <code>migration.sql</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Add columns and index to users table</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">phone</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">);</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">age</span> <span class="nb">INT</span> <span class="k">DEFAULT</span> <span class="mi">0</span><span class="p">;</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">ADD</span> <span class="k">INDEX</span> <span class="n">idx_phone</span> <span class="p">(</span><span class="n">phone</span><span class="p">);</span> <span class="c1">-- Clean up temp data</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">temp_data</span><span class="p">;</span> </code></pre> </div> <p>Audit it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--file</span> migration.sql </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: reject - Statements: 4 - Blockers: 1 - Warnings: 1 - Notices: 0 ## Statement 1 - SQL: ALTER TABLE users ADD COLUMN phone VARCHAR(20) No findings. ## Statement 2 - SQL: ALTER TABLE users ADD COLUMN age INT DEFAULT 0 No findings. ## Statement 3 - SQL: ALTER TABLE users ADD INDEX idx_phone (phone) No findings. ## Statement 4 - SQL: DELETE FROM temp_data ### Findings - [blocker] dml.where.require: UPDATE and DELETE statements must include a WHERE clause Suggestion: add a WHERE clause that narrows the affected rows ### Impact - estimated_ratio: 1.0000 - risk_level: high - confidence: high - source: shape - reason_code: missing_where ## Global Findings - [warning] ddl.alter.merge.mysql.require: multiple ALTER TABLE statements target "users" under mysql mode alter_count: 3, dialect: mysql Suggestion: merge repeated alter statements on the same table into a single ALTER TABLE </code></pre> </div> <p>Two issues:</p> <ol> <li> <code>DELETE FROM temp_data</code> has no WHERE clause — offline mode estimates ratio = 1.0 (full table), flagged as high risk</li> <li>Three ALTER statements target the same table <code>users</code> — MySQL recommends merging them</li> </ol> <p>After fixing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">phone</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">),</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">age</span> <span class="nb">INT</span> <span class="k">DEFAULT</span> <span class="mi">0</span><span class="p">,</span> <span class="k">ADD</span> <span class="k">INDEX</span> <span class="n">idx_phone</span> <span class="p">(</span><span class="n">phone</span><span class="p">);</span> <span class="k">DELETE</span> <span class="k">FROM</span> <span class="n">temp_data</span> <span class="k">WHERE</span> <span class="n">created_at</span> <span class="o">&lt;</span> <span class="s1">'2026-01-01'</span><span class="p">;</span> </code></pre> </div> <p>Re-audit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: pass - Statements: 2 | Blockers: 0 | Warnings: 0 | Notices: 0 </code></pre> </div> <h2> Scenario 2: Changing Column Type + NULL Constraint </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="k">MODIFY</span> <span class="k">COLUMN</span> <span class="n">amount</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--sql</span> <span class="s2">"ALTER TABLE orders MODIFY COLUMN amount VARCHAR(100) NOT NULL"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: reject - [blocker] ddl.alter.modify_column.explicit_nullability_change.forbid: ALTER TABLE modify column explicitly changes nullability for "amount", which this policy forbids Suggestion: keep nullability unchanged for "amount" or relax the policy intentionally after review </code></pre> </div> <p>This statement changes the column type from INT to VARCHAR and also changes the NULL constraint. Type changes may trigger a full table COPY in InnoDB (depending on the direction), and NULL constraint changes can silently break application logic that depends on the constraint.</p> <p>The rule ID is <code>ddl.alter.modify_column.explicit_nullability_change.forbid</code>, default level blocker. Teams that genuinely need this change can adjust the level or add an approval flow in the config.</p> <h2> Scenario 3: Dropping NOT NULL </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">MODIFY</span> <span class="k">COLUMN</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NULL</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--sql</span> <span class="s2">"ALTER TABLE users MODIFY COLUMN email VARCHAR(255) NULL"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: reject - [blocker] ddl.alter.modify_column.explicit_nullability_change.forbid: ALTER TABLE modify column explicitly changes nullability for "email", which this policy forbids Suggestion: keep nullability unchanged for "email" or relax the policy intentionally after review </code></pre> </div> <p>Same rule as Scenario 2. After dropping NOT NULL, application code like <code>if user.Email != ""</code> silently breaks — NULL is not an empty string. This won't throw errors at deploy time, but behavior changes quietly, making it expensive to debug later.</p> <h2> Scenario 4: Dropping Primary Key </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">DROP</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--sql</span> <span class="s2">"ALTER TABLE users DROP PRIMARY KEY"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: reject - [blocker] ddl.alter.drop_primary_key.forbid: ALTER TABLE drop primary key is forbidden for "primary" Suggestion: avoid drop primary key in this change or relax the policy intentionally </code></pre> </div> <p>InnoDB uses the primary key as the clustered index. Dropping it forces a full table rebuild. Default policy rejects this outright. If you need to change the primary key scheme, the correct approach is to ADD the new primary key column first, then DROP the old one in a separate step.</p> <h2> Scenario 5: Sloppy CREATE TABLE </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">t1</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">bigint</span> <span class="nb">unsigned</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="n">AUTO_INCREMENT</span><span class="p">,</span> <span class="n">name</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span><span class="p">;</span> </code></pre> </div> <p>This SQL executes fine, but the audit finds 8 issues:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--sql</span> <span class="s2">"CREATE TABLE t1 (id bigint unsigned NOT NULL AUTO_INCREMENT, name varchar(100), PRIMARY KEY(id)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: review - Statements: 1 | Blockers: 0 | Warnings: 8 - [warning] ddl.table.comment.require: table comment is required - [warning] ddl.table.audit_columns.require: should include a created-time audit column with DEFAULT CURRENT_TIMESTAMP - [warning] ddl.table.audit_columns.require: should include an updated-time audit column with DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP - [warning] ddl.column.comment.require: column "id" must include a comment - [warning] ddl.column.comment.require: column "name" must include a comment - [warning] ddl.column.default.require: column "id" should define a default value - [warning] ddl.column.default.require: column "name" should define a default value - [warning] ddl.column.not_null.require: column "name" should be declared NOT NULL </code></pre> </div> <p>Missing table comment, missing audit columns (created_at / updated_at), missing column comments, missing default values, name allows NULL. A "working" CREATE TABLE has 8 compliance issues — every column added later compounds the debt.</p> <p>Corrected version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">t1</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">bigint</span> <span class="nb">unsigned</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="n">AUTO_INCREMENT</span> <span class="k">COMMENT</span> <span class="s1">'primary key'</span><span class="p">,</span> <span class="n">name</span> <span class="nb">varchar</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="s1">''</span> <span class="k">COMMENT</span> <span class="s1">'display name'</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">datetime</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">COMMENT</span> <span class="s1">'created at'</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">datetime</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">ON</span> <span class="k">UPDATE</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">COMMENT</span> <span class="s1">'updated at'</span><span class="p">,</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COMMENT</span><span class="o">=</span><span class="s1">'demo table'</span><span class="p">;</span> </code></pre> </div> <h2> Scenario 6: Three PostgreSQL Migration Pitfalls </h2> <p>PostgreSQL has a different DDL locking model than MySQL. Some risks are PG-specific. Take this migration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="k">ALTER</span> <span class="k">COLUMN</span> <span class="n">amount</span> <span class="k">TYPE</span> <span class="nb">TEXT</span><span class="p">;</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="k">ALTER</span> <span class="k">COLUMN</span> <span class="n">amount</span> <span class="k">DROP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_status</span> <span class="k">ON</span> <span class="n">orders</span> <span class="p">(</span><span class="n">status</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--dialect</span> postgresql <span class="nt">--file</span> pg_migration.sql </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: reject - Statements: 3 | Blockers: 1 | Warnings: 4 ## Statement 1: ALTER TABLE orders ALTER COLUMN amount TYPE TEXT - [warning] ddl.alter.set_data_type.forbid: ALTER TABLE set data type is forbidden for "amount" - [warning] ddl.pg.alter.set_data_type.rewrite.warn: ALTER COLUMN "amount" SET DATA TYPE carries table rewrite risk on PostgreSQL Suggestion: Assess table size and lock impact first. For large tables, use a phased migration: add a shadow column with the new type, backfill in batches, switch application reads, then drop the old column. ## Statement 2: ALTER TABLE orders ALTER COLUMN amount DROP NOT NULL - [blocker] ddl.alter.drop_not_null.explicit_nullability_change.forbid: ALTER TABLE drop not null explicitly changes nullability for "amount" - [warning] ddl.alter.drop_not_null.forbid: ALTER TABLE drop not null is forbidden for "amount" ## Statement 3: CREATE INDEX idx_status ON orders (status) - [warning] ddl.pg.create_index.concurrently.require: CREATE INDEX "idx_status" without CONCURRENTLY can block writes on PostgreSQL Suggestion: Use CREATE INDEX CONCURRENTLY to build the index without blocking writes. Note that CONCURRENTLY cannot run inside a transaction; run it as a standalone migration step. </code></pre> </div> <p>Three issues:</p> <p><strong>Statement 1: Type change triggers table rewrite</strong></p> <p><code>SET DATA TYPE</code> in PostgreSQL acquires an ACCESS EXCLUSIVE lock (blocks all reads and writes) and rewrites the entire table. DeltaScope suggests a phased migration: add a shadow column with the new type, backfill in batches, switch application reads, then drop the old column. This is a PG-only rule (<code>ddl.pg.alter.set_data_type.rewrite.warn</code>) — it won't fire under the MySQL dialect.</p> <p><strong>Statement 2: Dropping NOT NULL</strong></p> <p>Same risk as MySQL — application code depends on the NOT NULL constraint. But PG syntax uses <code>ALTER COLUMN ... DROP NOT NULL</code> instead of MySQL's <code>MODIFY COLUMN</code>. DeltaScope recognizes PG syntax and fires the corresponding rule.</p> <p><strong>Statement 3: CREATE INDEX without CONCURRENTLY</strong></p> <p>This is a PG-specific pitfall. A regular <code>CREATE INDEX</code> holds a write-blocking lock for the entire index build. <code>CREATE INDEX CONCURRENTLY</code> builds the index without blocking writes, but it can't run inside a transaction. DeltaScope checks for this and reminds you that CONCURRENTLY must be a standalone migration step.</p> <p>One more PG-specific scenario — adding a CHECK constraint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="k">ADD</span> <span class="k">CONSTRAINT</span> <span class="n">chk_amount</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--dialect</span> postgresql <span class="nt">--sql</span> <span class="s2">"ALTER TABLE orders ADD CONSTRAINT chk_amount CHECK (amount &gt; 0)"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: review - [warning] ddl.pg.alter.add_check.not_valid.require: CHECK constraint "chk_amount" without NOT VALID validates all existing rows immediately on PostgreSQL Suggestion: Use a two-step approach: 1) ADD CONSTRAINT ... NOT VALID to register the constraint without scanning existing rows. 2) VALIDATE CONSTRAINT in a separate step — it holds only a SHARE UPDATE EXCLUSIVE lock. </code></pre> </div> <p>By default, PG scans the entire table to validate the constraint at <code>ADD CONSTRAINT</code> time, holding an ACCESS EXCLUSIVE lock on large tables. The correct approach: first register the constraint as <code>NOT VALID</code> (no scan), then run <code>VALIDATE CONSTRAINT</code> separately (only holds SHARE UPDATE EXCLUSIVE lock, doesn't block reads or writes).</p> <p>These rules (<code>ddl.pg.alter.set_data_type.rewrite.warn</code>, <code>ddl.pg.create_index.concurrently.require</code>, <code>ddl.pg.alter.add_check.not_valid.require</code>) are exclusive to the PostgreSQL dialect. Switch with <code>--dialect postgresql</code> — they won't fire under MySQL or TiDB.</p> <h2> Scenario 7: Dialect Differences — MySQL vs TiDB </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">;</span> </code></pre> </div> <p>MySQL default audit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>deltascope audit <span class="nt">--sql</span> <span class="s2">"ALTER TABLE users ADD COLUMN email VARCHAR(255) NOT NULL"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: pass </code></pre> </div> <p>TiDB dialect audit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>deltascope audit <span class="nt">--dialect</span> tidb <span class="nt">--sql</span> <span class="s2">"ALTER TABLE users ADD COLUMN email VARCHAR(255) NOT NULL"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Verdict: pass </code></pre> </div> <p>Both pass for a single statement. But if a migration file has three ALTER statements on the same table, the MySQL dialect fires a warning (suggesting merge), while the TiDB dialect does not (because TiDB DDL is online — no table locking, no need to merge). This is what <code>--dialect</code> is for — different engines have different best practices, and audit rules should follow the engine.</p> <p>Three dialects are currently supported: <code>mysql</code> (default), <code>tidb</code>, <code>postgresql</code>.</p> <h2> CI Integration </h2> <p>All of the above checks belong in CI, not in manual review. GitHub Actions config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">SQL Audit</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">migrations/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">audit</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install DeltaScope</span> <span class="na">run</span><span class="pi">:</span> <span class="s">curl -fsSL https://raw.githubusercontent.com/Fanduzi/DeltaScope/main/install.sh | sh</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Audit</span> <span class="na">run</span><span class="pi">:</span> <span class="s">deltascope audit --file ./migrations/ --format github-actions --fail-on warning</span> </code></pre> </div> <p>Three CI output formats:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format</th> <th>Flag</th> <th>Use case</th> </tr> </thead> <tbody> <tr> <td>GitHub Actions</td> <td><code>--format github-actions</code></td> <td>PR annotations</td> </tr> <tr> <td>GitLab Code Quality</td> <td><code>--format gitlab-codequality</code></td> <td>Code Quality artifact</td> </tr> <tr> <td>SARIF</td> <td><code>--format sarif</code></td> <td>GitHub Code Scanning</td> </tr> </tbody> </table></div> <p>For more accurate audits using live table structure (e.g., checking for redundant indexes), use metadata-aware mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="se">\</span> <span class="nt">--sql</span> <span class="s2">"ALTER TABLE orders ADD INDEX idx_status (status)"</span> <span class="se">\</span> <span class="nt">--host</span> 127.0.0.1 <span class="nt">--port</span> 3306 <span class="nt">--user</span> root <span class="nt">--ask-password</span> <span class="nt">--schema</span> app </code></pre> </div> <p>This connects to the database to read table statistics but <strong>never executes any DDL or DML</strong> — read-only metadata access.</p> <h2> JSON Output </h2> <p>For CI scripts that need machine-readable results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>deltascope audit <span class="nt">--sql</span> <span class="s2">"ALTER TABLE orders MODIFY COLUMN amount VARCHAR(100) NOT NULL"</span> <span class="nt">--format</span> json </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"verdict"</span><span class="p">:</span><span class="w"> </span><span class="s2">"reject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"statements"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"blockers"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"warnings"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"notices"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"statements"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"index"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ddl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"raw_sql"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ALTER TABLE orders MODIFY COLUMN amount VARCHAR(100) NOT NULL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"findings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rule_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ddl.alter.modify_column.explicit_nullability_change.forbid"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blocker"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ALTER TABLE modify column explicitly changes nullability for </span><span class="se">\"</span><span class="s2">amount</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"suggestion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"keep nullability unchanged for </span><span class="se">\"</span><span class="s2">amount</span><span class="se">\"</span><span class="s2"> or relax the policy intentionally after review"</span><span class="p">,</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"modify_column"</span><span class="p">,</span><span class="w"> </span><span class="nl">"change_kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"explicit_nullability_change"</span><span class="p">,</span><span class="w"> </span><span class="nl">"column_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"amount"</span><span class="p">,</span><span class="w"> </span><span class="nl">"table"</span><span class="p">:</span><span class="w"> </span><span class="s2">"orders"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"offline"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dialect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mysql"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dialect_source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Script logic: <code>verdict == "reject"</code> → block, <code>"review"</code> → require human acknowledgment, <code>"pass"</code> → allow.</p> <h2> Rule Configuration </h2> <p>151 built-in rules (run <code>deltascope rules</code> to list all), configurable via YAML:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deltascope.yaml</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Require DBA sign-off for DROP COLUMN</span> <span class="na">ddl.alter.drop_column.forbid</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">level</span><span class="pi">:</span> <span class="s">blocker</span> <span class="c1"># Enforce idx_ prefix on secondary indexes</span> <span class="na">ddl.alter.add_index.secondary.prefix.require</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">level</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">params</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">idx_</span> <span class="c1"># Teams that don't need audit columns can disable</span> <span class="na">ddl.table.audit_columns.require</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>Commit the config to the repo — CI loads it automatically.</p> <p><strong>Links:</strong></p> <ul> <li>Website: <a href="https://deltascope.pages.dev" rel="noopener noreferrer">https://deltascope.pages.dev</a> </li> <li>GitHub: <a href="https://github.com/Fanduzi/DeltaScope" rel="noopener noreferrer">https://github.com/Fanduzi/DeltaScope</a> </li> <li>Rule reference: <a href="https://github.com/Fanduzi/DeltaScope/blob/main/configs/deltascope.example.yaml" rel="noopener noreferrer">https://github.com/Fanduzi/DeltaScope/blob/main/configs/deltascope.example.yaml</a> </li> <li>CI integration docs: <a href="https://github.com/Fanduzi/DeltaScope/tree/main/docs/recipe" rel="noopener noreferrer">https://github.com/Fanduzi/DeltaScope/tree/main/docs/recipe</a> </li> </ul> <p>Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> brew tap Fanduzi/deltascope <span class="o">&amp;&amp;</span> brew <span class="nb">install</span> <span class="nt">--cask</span> deltascope <span class="c"># Linux</span> curl <span class="nt">-fsSL</span> https://raw.githubusercontent.com/Fanduzi/DeltaScope/main/install.sh | sh </code></pre> </div> cli database showdev sql