CLI Reference
Installation
Binary is distributed as lexega-sql (or lexega-sql.exe on Windows).
Commands
Init (Project Setup)
# Initialize in current directory
lexega-sql init
# Preview without writing files
lexega-sql init --dry-run
# Include CI workflow (GitHub Actions or GitLab CI)
lexega-sql init --with-ci
# Initialize specific directory
lexega-sql init /path/to/project
Creates:
.lexega/policy.yml— Permissive baseline policy (warns on critical/high, nothing blocked).lexega/exceptions.yml— Scaffold for approved overrides.lexega/baseline.sarif— SARIF evidence snapshot
See Policy Reference for details on policy configuration.
Semantic Diff (Primary Command)
# Diff between git refs
lexega-sql diff main..HEAD models/
# Recursive directory scan
lexega-sql diff main..HEAD models/ -r
# Output as JSON for CI
lexega-sql diff main..HEAD models/ --format json
# With policy enforcement
lexega-sql diff main..HEAD models/ --policy policy.yaml
# Compare specific files
lexega-sql diff main..HEAD file1.sql file2.sql
# Markdown output for PR comments
lexega-sql diff main..HEAD models/ --format markdown
Code Review (Git Integration)
# Review recent commits
lexega-sql review HEAD~10..HEAD
# Review with output directory
lexega-sql review HEAD~5..HEAD --report-out /tmp/reports
# Review with minimum severity filter
lexega-sql review HEAD~1..HEAD --min-severity high
# Markdown format for PR automation
lexega-sql review HEAD~1..HEAD --format markdown
# Post review as PR comment (GitHub, GitLab, Bitbucket)
lexega-sql review HEAD~1..HEAD --pr-comment
The --pr-comment flag automatically detects your CI platform and posts the review as a PR/MR comment. Supported platforms:
| Platform | Detection | Required Variables |
|---|---|---|
| GitHub Actions | GITHUB_ACTIONS=true | GITHUB_TOKEN |
| GitLab CI | GITLAB_CI=true | GITLAB_TOKEN or CI_JOB_TOKEN |
| Bitbucket Pipelines | BITBUCKET_PIPELINE_UUID | BITBUCKET_TOKEN |
If run outside CI, falls back to stdout output with a warning.
Risk Analysis
# Analyze single file
lexega-sql analyze file.sql
# Analyze with catalog metadata
lexega-sql analyze --catalog catalog.json file.sql
# Analyze stdin
cat file.sql | lexega-sql analyze --stdin
# Output as JSON
lexega-sql analyze --format json -q file.sql > report.json
# Filter signals by minimum severity
lexega-sql analyze --min-severity critical file.sql
# With custom rules
lexega-sql analyze --custom-rules rules.yaml file.sql
# With policy enforcement (exit code 2 if blocked)
lexega-sql analyze --policy policy.yaml --env prod file.sql
# Disable all built-in rules (custom rules only)
lexega-sql analyze --no-builtin --custom-rules rules.yaml file.sql
Dashboard (Visualization)
# Start dashboard (local directory)
lexega-sql dashboard --data-dir .lexega/
# Read from cloud storage
lexega-sql dashboard --data-dir s3://my-bucket/lexega-data
# Custom port, don't auto-open browser
lexega-sql dashboard --data-dir .lexega/ --port 8080 --no-open
# Custom bind address (e.g. expose on network)
lexega-sql dashboard --data-dir .lexega/ --host 0.0.0.0 --port 3000
The data directory must contain decisions/ and reports/ subdirectories with JSON artifacts. See Integration Options for the expected structure and cloud storage details.
Format
# Format file (implicit format command)
lexega-sql fmt file.sql
# Format in-place
lexega-sql fmt -w file.sql
# Format stdin to stdout
cat file.sql | lexega-sql fmt --stdin
# Format with specific style
lexega-sql fmt --style compact file.sql
# Check mode (exit 0 if no changes needed)
lexega-sql fmt --check file.sql
# Verify safety without writing
lexega-sql fmt --verify-only file.sql
Dialect Selection
Lexega defaults to Snowflake dialect. Use --dialect for PostgreSQL, BigQuery, or Databricks:
# Format PostgreSQL
lexega-sql fmt --dialect postgresql query.sql
# Analyze PostgreSQL
lexega-sql analyze --dialect postgresql query.sql
# Diff PostgreSQL files
lexega-sql diff main..HEAD models/ -r --dialect postgresql
# Review PostgreSQL
lexega-sql review main..HEAD models/ -r --dialect postgresql
# Analyze BigQuery
lexega-sql analyze --dialect bigquery query.sql
# Analyze Databricks
lexega-sql analyze --dialect databricks query.sql
Supported values: snowflake (default), postgresql, bigquery, databricks.
Catalog Management
# Pull catalog from Snowflake (requires sidecar)
lexega-sql catalog pull --out catalog.json
# Inspect catalog file
lexega-sql catalog inspect catalog.json
# Diff two catalogs
lexega-sql catalog diff old.json new.json
Policy Management
# Generate starter policy from a risk report
lexega-sql policy init --from-report report.json
# Specify action (allow/warn/block) and environment
lexega-sql policy init --from-report report.json --action warn --env prod
Policy Lint
# Validate policy file
lexega-sql policy-lint policy.yaml
# Also validate exceptions file
lexega-sql policy-lint policy.yaml --exceptions exceptions.yaml
# Treat warnings as errors (for CI)
lexega-sql policy-lint policy.yaml --strict
License Management
# Check license status
lexega-sql license status
# Activate license
lexega-sql license activate <KEY>
# Remove license
lexega-sql license remove
Environment Variables
| Variable | Description |
|---|---|
LEXEGA_LICENSE_KEY | License key for CI/CD (checked before file on disk) |
LEXEGA_CI | Set to 1 for strict mode (policy block = exit code 2) |
GITHUB_TOKEN | For --pr-comment on GitHub Actions |
GITLAB_TOKEN | For --pr-comment on GitLab CI |
Tip: The
--dialectflag is available on all commands (fmt,analyze,diff,review). Default issnowflake. Use--dialect postgresql,--dialect bigquery, or--dialect databricksas needed.
CI/CD License Setup:
Store your license key as a secret and pass it via environment variable:
# GitHub Actions
env:
LEXEGA_LICENSE_KEY: ${{ secrets.LEXEGA_LICENSE_KEY }}
# GitLab CI
variables:
LEXEGA_LICENSE_KEY: $LEXEGA_LICENSE_KEY
# Azure DevOps
env:
LEXEGA_LICENSE_KEY: $(LEXEGA_LICENSE_KEY)
Exit Codes
0: Success1: Parse error, CLI argument error, file I/O error, or verification failure2: Policy blocked (when using--policyand the policy returnsblock)
Note: Exit code 2 is for explicit policy blocks. The policy layer is the only way to fail CI — use
--policywith a policy bundle. SetLEXEGA_CI=1to require--policyin CI environments (prevents accidental bypass).
Need Help?
Can't find what you're looking for? Check out our GitHub or reach out to support.