Overview
Lexega is a policy enforcement layer for SQL. It analyzes queries semantically—not as text—and renders allow/block decisions before execution.
The same engine runs in two modes: CI/CD (review commits, gate merges) and runtime (validate agent or application SQL before it hits the database). Both modes use the same rules, policy, and decision schema.
Supports Snowflake, PostgreSQL, BigQuery, and Databricks natively with a single binary. No database connection or runtime dependencies required.*
*The optional Catalog Integration feature can pull table metadata from Snowflake to enrich analysis, while the core CLI works fully offline for Snowflake, PostgreSQL, BigQuery, and Databricks.
What It Does
| Capability | Description |
|---|---|
| Risk Detection | Hundreds of built-in rules for patterns like unbounded writes, privilege changes, policy removal, credential exposure |
| Semantic Diff | Detect what actually changed between commits—WHERE removed, JOIN type changed, columns added |
| Policy Enforcement | Block, warn, or allow based on YAML policies. Environment-aware (dev vs prod). |
| Decision Records | Artifacts with SHA256 hashes for integrity verification of SQL, policy, and evaluation results |
Who It's For
- Platform teams adding policy gates to data pipelines
- Developers building agents or tools that generate SQL dynamically
- Security teams needing pre-merge controls and audit evidence
- Data leads who can't manually review every SQL change
Architecture
Written in Rust. Single binary with no runtime dependencies.