Question 1

How to integrate pgspot into a CI/CD pipeline for PostgreSQL code?

Accepted Answer

Install pgspot via pip in your build environment and run it against SQL files as part of your test suite; use the --summary-only flag for concise output and set exit codes to fail builds on errors, as shown in the usage examples.

Question 2

Can pgspot analyze PL/pgSQL code by default?

Accepted Answer

Yes, pgspot analyzes PL/pgSQL code by default with the --plpgsql option enabled, but you can disable it with --no-plpgsql if needed, providing flexibility for scripts with mixed procedural languages.

Question 3

What are common false positives in pgspot and how to handle them?

Accepted Answer

False positives can occur with benign object creations or custom search_path settings; use the --ignore option to suppress specific error codes or --proc-without-search-path to whitelist functions, as documented in the reference.

Question 4

How does pgspot compare to other PostgreSQL security tools like pgAudit?

Accepted Answer

pgspot focuses on static analysis of SQL scripts pre-deployment to catch vulnerabilities early, while pgAudit is for auditing runtime database activity; they complement each other, with pgspot being proactive and pgAudit reactive.

Question 5

Is pgspot suitable for checking legacy PostgreSQL codebases?

Accepted Answer

Yes, but you may need to use --ignore rules extensively to handle outdated patterns, and configure --sql-accepting for custom functions, though it requires manual setup to avoid overwhelming output.

Question 6

How to extend pgspot for custom SQL-accepting functions in my code?

Accepted Answer

Use the --sql-accepting argument to specify function names that accept SQL strings; pgspot will attempt to unpack and analyze those arguments, but you must manually identify and list all such functions for full coverage.

pgspot

What is pgspot?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions