PostgreSQL DDL Audit Tool for Safer Migrations

DeltaScope is an offline-first PostgreSQL DDL audit tool and PostgreSQL migration risk checker that reviews schema changes, access grants, and other DDL/DCL statements before they reach your database. It works entirely from static SQL text — no live connection needed.

How it works

Pass your PostgreSQL SQL to DeltaScope with --dialect postgresql. It parses the statement, evaluates all applicable rules, and returns structured findings.

$ deltascope audit --dialect postgresql \
    --sql "GRANT ALL PRIVILEGES ON TABLE users TO analyst;"

Verdict: review
Statements: 1
Blockers:   0
Warnings:   1
Notices:    1

Statement 1: GRANT TABLE
- [notice]  ddl.pg.grant.table_privilege.notice: granting privilege on table "users"
- [warning] ddl.pg.grant.table_privilege.all.warn: granting ALL PRIVILEGES is broader than needed

PostgreSQL schema change review coverage

DeltaScope covers PostgreSQL-specific DDL including CREATE TABLE with constraints, ALTER TABLE operations, composite type lifecycle, extension lifecycle, and table-level privilege DCL grants.

Key PostgreSQL checks

blocker Dropping columns or tables
warning Granting ALL PRIVILEGES where specific rights would suffice (ddl.pg.grant.table_privilege.all.warn)
notice Table privilege grants flagged for review (ddl.pg.grant.table_privilege.notice)
warning Missing column defaults or comments
notice Composite type changes, extension lifecycle events

PostgreSQL migration risk checker in CI

# Audit a PostgreSQL migration file in CI
deltascope audit \
  --dialect postgresql \
  --file ./migrations/20260409_add_column.sql \
  --format github-actions \
  --fail-on warning

Supported output formats: json, github-actions, sarif, gitlab-codequality, text.

SQL Migration Risk Checker → MySQL DDL Audit Tool → Releases → Quick Start →

What DeltaScope is not

DeltaScope is not pgAudit. pgAudit records database activity after execution. DeltaScope reviews static SQL text before execution.
It does not validate whether roles or tables actually exist in a live database.
It is not a schema diff tool or a migration runner.

Frequently asked questions

Does it need a PostgreSQL connection?

No. DeltaScope parses SQL text offline. The optional metadata-aware mode can connect to read table statistics, but the default mode requires no network access.

Which PostgreSQL DDL does it cover?

CREATE TABLE (with constraints, references, check clauses), ALTER TABLE (add/drop/modify column, rename), GRANT table privileges, composite type lifecycle, extension lifecycle, DROP TABLE, TRUNCATE TABLE, and CREATE VIEW.

What is the ddl.pg.grant.table_privilege rule?

It reviews GRANT statements on tables. The notice variant (ddl.pg.grant.table_privilege.notice) flags any table privilege grant for awareness. The all.warn variant (ddl.pg.grant.table_privilege.all.warn) warns when ALL PRIVILEGES is granted because it is typically broader than necessary.

Can I use it alongside MySQL auditing?

Yes. Switch dialects with --dialect postgresql or --dialect mysql. The same engine, config format, and CI integrations work for both.

How does it differ from pgAudit?

pgAudit is a PostgreSQL extension that logs activity after SQL runs. DeltaScope is a pre-execution static analyzer. They are complementary: use DeltaScope to catch risks before deployment and pgAudit for post-deployment observability.