Most SQL bugs are caught in one of three places. Code review,
where a tired engineer might miss them. Staging, where the
dataset is too small to reveal the problem. Production, at 2am,
where they cause the most damage.
The SlowQL VS Code extension adds a fourth option: your editor,
before you even save the file.
What it does
SlowQL for VS Code runs 272 static analysis rules against your
SQL as you type. Diagnostics appear in the Problems panel
automatically. Open a .sql file and it works. No database
connection, no configuration, no pipeline to set up first.
The kind of bugs it catches are the ones that look completely
fine until they aren't. A DELETE with no WHERE clause that
wipes your entire customers table. A LIKE pattern starting
with a wildcard that silently bypasses your index on every
single query. A GRANT ALL PRIVILEGES that gives your app user
god mode access to your entire database. A cartesian join
that returns every row times every row because someone forgot
the JOIN condition.
All of it flagged in real time. Before you save. Before you
commit. Before anyone reviews it.
What gets flagged
272 rules across six dimensions:
Security catches SQL injection vectors, hardcoded credentials
in migration files, privilege escalation and dynamic SQL
construction that opens injection surfaces.
Performance catches full table scans, leading wildcards that
bypass indexes, functions on indexed columns, N+1 patterns
and unbounded queries with no LIMIT.
Reliability catches DELETE and UPDATE without WHERE clauses,
missing transactions around multi-statement operations and
data loss risks.
Quality catches NULL comparison errors, implicit joins,
deprecated syntax and naming violations.
Cost catches cloud warehouse antipatterns. SELECT * on wide
tables in BigQuery and Athena, unbounded scans in scheduled
jobs, repeated subqueries that could be materialized.
Compliance catches GDPR violations, HIPAA risks, PCI-DSS
and SOX compliance issues at the query level.
14 dialects, dialect-specific rules
107 of the 272 rules are dialect-aware. Set your dialect
once in VS Code settings and SlowQL fires only the rules
relevant to your database engine. No false positives from
rules that don't apply to your stack.
PostgreSQL, MySQL, SQL Server, Oracle, SQLite, Snowflake,
BigQuery, Redshift, ClickHouse, DuckDB, Presto, Trino,
Spark, Databricks.
Schema-aware validation
Point SlowQL at your DDL files and it validates your queries
against your actual schema. Catches references to tables and
columns that don't exist. Suggests missing indexes on
filtered columns.
This is where static analysis stops being generic and starts
understanding your specific database. A SELECT on a column
that doesn't exist in your schema gets flagged before the
query ever runs.
Why offline matters
Everything runs on your machine. Your SQL never leaves your
editor. No API calls, no telemetry on your query content,
no external service processing your database schema.
This matters more than people realise. Engineers at banks,
healthcare companies and fintech teams often cannot pipe
their SQL to an external service for analysis. The offline
constraint is not a limitation. It is a deliberate design
decision that makes SlowQL usable in environments where
cloud-based tools are not an option.
Three ways to run it
VS Code extension for real-time diagnostics as you write.
Install from the marketplace, open a .sql file, done.
CLI for local analysis and scripting:
pip install slowql
slowql queries.sql
Docker if you don't want to install Python:
docker run --rm -v $(pwd):/src makroumi/slowql /src/queries.sql
GitHub Actions to block dangerous SQL from merging:
- uses: makroumi/slowql-action@v1
with:
path: "./sql/**/*.sql"
fail-on: high
The feedback loop SQL never had
Application code gets linted in the editor, type-checked
at compile time and reviewed by automated tools before it
merges. SQL gets reviewed by a human who is focused on
business logic, not injection surfaces or index bypass
patterns.
The SlowQL VS Code extension closes that gap at the
earliest possible point in the development cycle. The
same query that would have paged you at 2am gets a red
squiggly line at 2pm before you even commit it.
SlowQL is open source. VS Code extension, CLI, Docker
and GitHub Action all available at
github.com/makroumi/slowql
Top comments (0)