Builtin Rule Reference

Name: Lexega
Author: Lexega

This page lists all builtin rules that ship with Lexega. These rules are evaluated automatically unless disabled with --no-builtin.

Usage in policies: Reference any rule by its ID:

policies:
  - rule_id: SNW-STG-ENC-OFF  # Stage Encryption Disabled
    action: block
    envs: [prod]

Query Analysis (Q-xxx)

Rule ID	Name	Risk	Description
`Q-NULL-NOTIN`	NOT IN with Nullable Subquery	🟠 High	NULL-logic hazard: NOT IN with subquery on column '{column}'. If subquery returns any NULL, entire predicate evaluates to UNKNOWN and filters all rows. Use NOT EXISTS or ensure subquery has WHERE ... IS NOT NULL.
`Q-NULL-NEQ`	Inequality Drops NULLs	🟡 Medium	NULL-logic warning: <> or != operator on column(s) [{column}] will not match NULL values. If NULLs are valid data, use 'OR column IS NULL' or IS DISTINCT FROM.
`Q-NULL-COUNT`	COUNT on Nullable Column	🟠 High	COUNT({column}) on confirmed nullable column excludes NULL values. This column is nullable per catalog metadata. If counting all rows including NULLs, use COUNT(*) instead. [Catalog-enhanced]
`Q-PRED-CONTRA`	Contradictory Predicate	🔴 Critical	Contradictory equality: predicate can never be true (e.g., WHERE a=1 AND a=2). Query will return zero rows.
`Q-PRED-RANGE`	Impossible Range	🟠 High	Impossible range: predicates define an empty range (e.g., WHERE x>10 AND x<5). Query will return zero rows.
`Q-JOIN-DISTINCT-MASK`	DISTINCT Masking Join Fanout	🟡 Medium	DISTINCT may be masking a join fan-out. If the join produces duplicate rows, DISTINCT hides rather than fixes the issue. Consider verifying join cardinality or using EXISTS.
`Q-JOIN-DISTINCT-MASK-CENH`	DISTINCT Masking Join Fanout (Confirmed)	🟠 High	DISTINCT confirmed to mask a join fan-out. Catalog shows join keys lack unique constraints, meaning the join will produce duplicates. DISTINCT hides this bug rather than fixing it.
`Q-JOIN-FANOUT`	Join Fan-out	🟠 High	Join produces row multiplication (1:N relationship). Aggregates or counts may be inflated. Consider using a subquery or window function.
`Q-JOIN-NULL-CENH`	Nullable JOIN Column	🟠 High	JOIN on nullable column silently excludes NULL values. NULL values in this column will not match, potentially losing data. Consider LEFT JOIN or add IS NOT NULL filter. [Catalog-enhanced]
`Q-JOIN-TYPEMIS-CENH`	JOIN Type Mismatch	🟡 Medium	JOIN on columns with mismatched data types. This causes implicit type conversion and may prevent index usage, resulting in slower queries. [Catalog-enhanced]
`Q-JOIN-FKVIOL-CENH`	FK Relationship Violation	🔴 Critical	JOIN doesn't follow defined foreign key relationship. The FK constraint specifies different columns than those used in the JOIN, which is likely a logic error. [Catalog-enhanced]
`Q-AGG-NONDET`	Non-deterministic Aggregate	🟡 Medium	Non-deterministic expression in GROUP BY context. Results may vary between executions with same data.
`Q-WIN-NONDET`	Non-deterministic Window	🟠 High	Non-deterministic expression in window function. Results may vary between executions with same data.
`Q-WIN-RANK-NOORD`	Ranking Without ORDER BY	🟡 Medium	ROW_NUMBER/RANK/DENSE_RANK without ORDER BY produces arbitrary ordering. Results are non-deterministic.
`Q-WIN-NOPART`	Window Without PARTITION BY	🟡 Medium	Window function without PARTITION BY operates over entire result set. This may cause performance issues or unexpected results.
`Q-SUBQ-SCALAR`	Scalar Subquery in Projection	🟡 Medium	\|
`Q-JOIN-LEFT-FILT`	LEFT JOIN Nullable Side Filtered	🔴 Critical	LEFT JOIN nullable side filtered in WHERE clause. This effectively converts the LEFT JOIN to an INNER JOIN, likely a bug.
`Q-SCAN-NOFILT`	Unfiltered Multi-Table Scan	🟡 Medium	Query reads multiple tables without WHERE or LIMIT clause. This may cause full table scans.
`Q-JOIN-CROSS`	Explicit CROSS JOIN	🟡 Medium	Explicit CROSS JOIN between {left} and {right}. Cartesian product ({product} rows) may cause performance issues on large tables.
`Q-JOIN-CROSS-IMPL`	Implicit CROSS JOIN	🟡 Medium	Implicit join syntax detected (comma-separated FROM): {tables}. Cartesian product ({product} rows) may cause performance issues. Prefer explicit JOINs.
`Q-SCAN-1TBL`	Unfiltered Single Table Scan	🟡 Medium	SELECT without WHERE or LIMIT clause on table. May cause full table scan. Use tables.none_of to allowlist known-small tables.
`Q-JOIN-TEMPORAL`	Temporal Join Without Date Bounds	🟡 Medium	Temporal join without explicit date bounds. This may cause full table scans or incorrect results across time periods.
`Q-JOIN-TEMPORAL-CENH`	Temporal Tables Joined Without Date Filter	🟡 Medium	Tables with temporal columns (DATE/TIMESTAMP) are joined without date filter in WHERE or JOIN ON. This can cause unbounded historical joins with poor performance.
`Q-AGG-EXPLODE`	Aggregate Explosion Risk	🟡 Medium	Multiple joins with aggregation but no WHERE filter. This can cause exponential row explosion and incorrect aggregates.
`Q-AGG-MANYDIM`	Many Dimension Aggregation	🟡 Medium	GROUP BY with many columns (>5) may indicate design issues or produce sparse results.
`Q-AGG-NOFILT`	Unfiltered Aggregate	🟢 Low	Aggregate query without WHERE clause. Consider adding filters to avoid processing entire tables.
`Q-AGG-HICARD`	High-Cardinality GROUP BY	🟡 Medium	GROUP BY includes high-cardinality columns (IDs, emails, etc.). This can generate millions of groups causing memory pressure.
`Q-AGG-NOFILT-CENH`	Large Table Aggregate Without Filter	🟡 Medium	Aggregating a large table (1M+ rows) without WHERE clause. Consider adding time/partition filters to reduce scan size.
`Q-NONDET`	Non-deterministic Query	🟡 Medium	Query contains non-deterministic elements. Results may vary between executions.
`Q-WIN-HICARD`	Window High Cardinality Partition	🟠 High	Window function partitioned on high-cardinality column. May cause performance issues.
`Q-WIN-NOPART-CENH`	Window Without PARTITION BY on Large Table	🟠 High	Window function without PARTITION BY operates on entire large table (1M+ rows) in single partition. Add PARTITION BY to reduce memory pressure.
`Q-WIN-UNBOUNDED`	Window Unbounded Frame Without Partition	🔴 Critical	Window function with unbounded frame and no PARTITION BY. Extremely expensive on large datasets - entire table processed as one partition.
`Q-WIN-MULTIPART`	Multiple Window Partition Schemes	🟡 Medium	Multiple window functions with different PARTITION BY clauses. Query will re-partition data multiple times, causing additional shuffles.
`Q-SUBQ-REPEAT`	Repeated Subquery Pattern	🟡 Medium	Repeated subquery pattern detected. Consider using CTEs or temporary tables for better readability and potential performance improvement.
`Q-SUBQ-CORR-SEL`	Correlated Subquery in SELECT	🟠 High	Correlated subquery in SELECT list (N+1 query pattern). Consider rewriting as JOIN for better performance.
`Q-SUBQ-CORR-WHERE`	Correlated Subquery in WHERE	🟡 Medium	Correlated subquery in WHERE/IN clause. May cause performance issues on large datasets. Consider rewriting with EXISTS or JOIN.
`Q-WIN-USAGE`	Window Function Usage	🟢 Low	Window function usage detected. Verify PARTITION BY and ORDER BY clauses.
`Q-WIN-FRAME`	Frame Specification	🟢 Low	Custom window frame specification detected. Verify boundaries.
`Q-TBL-UNBOUNDED-CENH`	Unbounded Query on Large Table	🟠 High	Unbounded query on large table without WHERE clause. Consider adding filters to reduce data scanned.
`Q-VIEW-REF-CENH`	Query References Views	🟡 Medium	Query references VIEW(s). Views are recomputed on every execution (not materialized).
`Q-TBL-TEMP-REF-CENH`	Query References Temporary Tables (Not Implemented)	🟢 Low	Query references TEMPORARY table(s). Data is session-scoped and not persistent.
`Q-TBL-SELSTAR-WIDE-CENH`	SELECT * on Wide Table	🟡 Medium	SELECT * on wide table (50+ columns). Scanning many unnecessary columns increases I/O and network transfer. Consider explicit column selection.

DML Signals (DML-xxx)

Rule ID	Name	Risk	Description
`DML-WRITE-UNBOUNDED`	Unbounded Write Operation	🔴 Critical	Unbounded write operation detected - no WHERE clause. This affects ALL rows in the target table(s).
`DML-WRITE-XSCHEMA`	Cross-Schema Write Operation	🟡 Medium	Cross-schema write operation detected. Verify schema permissions and change control procedures.
`DML-WRITE-MULTITBL`	Multi-Table Write Operation	🟢 Low	Write operation affects multiple tables. Verify transaction boundaries and rollback plan.

Credential Exposure (CRED-xxx)

Rule ID	Name	Risk	Description
`CRED-AWS-LEAK`	Hardcoded AWS Access Key	🔴 Critical	Hardcoded AWS access key detected (AKIA.../ASIA...). CRITICAL: Never commit credentials to source code. Use secure parameter passing, secrets managers, or storage integrations instead.
`CRED-PWD-LEAK`	Hardcoded Password	🔴 Critical	Hardcoded password detected in SQL. CRITICAL: Use secure parameter passing (e.g., :password_param) or secrets management instead of literal passwords.
`CRED-APIKEY-LEAK`	Hardcoded API Key	🔴 Critical	Hardcoded API key or access token detected. CRITICAL: Store API keys in secure secrets managers, not in SQL code.
`CRED-CONNSTR-LEAK`	Hardcoded Connection String	🔴 Critical	Connection string with embedded credentials detected (user:password@host). CRITICAL: Use secure credential storage instead of embedding credentials in URLs.

Table Operations (TBL-xxx)

Rule ID	Name	Risk	Description
`TBL-RAP-RMV`	Row Access Policy Removed from Table	🟠 High	Row Access Policy removed from table. This may expose sensitive data to unauthorized users.
`TBL-MASK-RMV`	Masking or Projection Policy Removed from Column	🔴 Critical	CRITICAL: Masking or Projection Policy removed from column. This exposes PII or sensitive data.
`TBL-AGGPOL-RMV`	Aggregation or Join Policy Removed from Table	🟡 Medium	Aggregation or Join Policy removed from table. This may allow unrestricted data aggregation or joins.
`TBL-RAP-ADD`	Row Access Policy Added to Table	🟢 Low	Row Access Policy added to table. Positive governance signal.
`TBL-MASK-ADD`	Column Masking or Projection Policy Added	🟢 Low	Column masking or projection policy added. Positive governance signal.
`TBL-TAG-ADD`	Tag Added to Object	🟢 Low	Tag added to object. Positive governance signal.
`TBL-TAG-RMV`	Tag Removed from Object	🟡 Medium	Tag removed from object. Governance metadata may be incomplete.
`TBL-RAP-RMV-ALL`	All Row Access Policies Dropped	🔴 Critical	All Row Access Policies dropped from table. CRITICAL: All row-level access controls removed from this table.
`TBL-DROP`	Table Dropped	🔴 Critical	DROP TABLE detected. Table and all data will be permanently deleted.
`TBL-COL-DROP`	Column Dropped from Table	🟠 High	ALTER TABLE DROP COLUMN detected. Column data and dependent objects may be lost or broken.
`TBL-RENAME`	Table Renamed	🟡 Medium	ALTER TABLE RENAME detected. Downstream references (queries, views, jobs) may break if not updated.
`TBL-COL-ADD`	Column Added to Table	🟢 Low	ALTER TABLE ADD COLUMN detected. Schema expanded; verify downstream contracts and ingestion mappings.
`TBL-REPLACE`	Table Replaced	🟠 High	CREATE OR REPLACE TABLE detected. Existing table definition (and potentially data semantics) is replaced.
`TBL-TRUNCATE`	Table Truncated	🔴 Critical	TRUNCATE TABLE detected. CRITICAL: All rows will be permanently deleted.

View Operations (VIEW-xxx)

Rule ID	Name	Risk	Description
`VIEW-REPLACE`	View Replaced	🟡 Medium	CREATE OR REPLACE VIEW detected. Existing view definition is replaced and downstream logic may change.
`VIEW-CHG`	View Modified	🟡 Medium	ALTER VIEW changes a view definition or attributes. Views control data access patterns; changes affect all queries through the view.
`VIEW-DROP`	View Dropped	🟡 Medium	DROP VIEW removes a view. Dependent queries and applications will break. Check for CASCADE to identify cascading object removal.
`VIEW-CASCADE-DROP`	View Dropped with CASCADE	🟠 High	DROP VIEW ... CASCADE removes the view AND all dependent objects (other views, rules). Cascading drops can silently remove data access controls.

Schema Operations (SCHEMA-xxx)

Rule ID	Name	Risk	Description
`SCHEMA-DROP`	Schema Dropped	🔴 Critical	DROP SCHEMA detected. CRITICAL: All objects in schema will be permanently deleted.
`SCHEMA-CLONE`	Schema Cloned	🟡 Medium	Schema cloned from existing schema. Verify access controls are appropriate for the clone.
`SCHEMA-NAME-CHG`	Schema Renamed	🟡 Medium	Schema renamed. Verify all references to the old name are updated.
`SCHEMA-PROPS-CHG`	Schema Properties Modified	🟡 Medium	Schema properties modified. Configuration change may affect behavior.
`SCHEMA-TAG-ADD`	Schema Tag Set	🟢 Low	Schema tag assigned. Governance metadata updated.
`SCHEMA-TAG-RMV`	Schema Tag Removed	🟡 Medium	Schema tag removed. Governance metadata may be incomplete. Verify tag removal is intentional.

Database Operations (DB-xxx)

Rule ID	Name	Risk	Description
`DB-CLONE`	Database Cloned	🟡 Medium	Database cloned from existing database. Verify access controls are appropriate for the clone.
`DB-DROP`	Database Dropped	🔴 Critical	DROP DATABASE detected. CRITICAL: All schemas, tables, and data within the database will be permanently deleted.
`DB-NAME-CHG`	Database Renamed	🟡 Medium	Database renamed. Verify all references to the old name are updated.
`DB-PROPS-CHG`	Database Properties Modified	🟡 Medium	Database properties modified. Configuration change may affect behavior.
`DB-TAG-ADD`	Database Tag Set	🟢 Low	Database tag assigned. Governance metadata updated.
`DB-TAG-RMV`	Database Tag Removed	🟡 Medium	Database tag removed. Governance metadata may be incomplete. Verify tag removal is intentional.

Masking Policies (MASK-xxx)

Rule ID	Name	Risk	Description
`MASK-ALLOW-ALL`	Masking Policy No-Op Passthrough	🔴 Critical	Masking Policy body passes through the original value without masking. CRITICAL: Policy is effectively a no-op and sensitive data may be exposed.
`MASK-NEW`	Masking Policy Created	🟢 Low	Masking Policy created. Positive governance signal.
`MASK-BODY-CHG`	Masking Policy Logic Changed	🔴 Critical	Masking Policy logic changed. CRITICAL: Data protection logic modified.
`MASK-NAME-CHG`	Masking Policy Renamed	🟠 High	Masking Policy renamed. Dependent columns may be affected.
`MASK-TAG-RMV`	Masking Policy Tag Removed	🟡 Medium	Tag removed from Masking Policy. Governance metadata may be incomplete.
`MASK-TAG-ADD`	Masking Policy Tag Added	🟢 Low	Tag added to Masking Policy. Positive governance signal.
`MASK-COMMENT-ADD`	Masking Policy Comment Added	🟢 Low	Comment added to Masking Policy. Positive documentation signal.
`MASK-COMMENT-RMV`	Masking Policy Comment Removed	🟢 Low	Comment removed from Masking Policy. Documentation lost.
`MASK-DROP`	Masking Policy Dropped	🔴 Critical	Masking Policy dropped. CRITICAL: Column data protection removed. All columns using this policy will be unmasked.

Row Access Policies (RAP-xxx)

Rule ID	Name	Risk	Description
`RAP-NEW`	Row Access Policy Created	🟢 Low	Row Access Policy created. Ensure proper testing and documentation.
`RAP-ALLOW-ALL`	Row Access Policy Allow-All Predicate	🔴 Critical	Row Access Policy predicate is always true. CRITICAL: Policy is effectively a no-op and does not restrict row access. Applies to Snowflake, BigQuery, and PostgreSQL RLS.
`RAP-BODY-CHG`	Row Access Policy Logic Changed	🔴 Critical	Row Access Policy logic changed. CRITICAL: Access control logic modified.
`RAP-NAME-CHG`	Row Access Policy Renamed	🟠 High	Row Access Policy renamed. Dependent objects may be affected.
`RAP-TAG-RMV`	Row Access Policy Tag Removed	🟡 Medium	Tag removed from Row Access Policy. Governance metadata may be incomplete.
`RAP-TAG-ADD`	Row Access Policy Tag Added	🟢 Low	Tag added to Row Access Policy. Positive governance signal.
`RAP-COMMENT-ADD`	Row Access Policy Comment Added	🟢 Low	Comment added to Row Access Policy. Positive documentation signal.
`RAP-COMMENT-RMV`	Row Access Policy Comment Removed	🟢 Low	Comment removed from Row Access Policy. Documentation lost.
`RAP-DROP`	Row Access Policy Dropped	🔴 Critical	Row Access Policy dropped. CRITICAL: Row-level access controls removed. All tables using this policy will no longer filter rows.

Grant & Access (GRT-xxx)

Rule ID	Name	Risk	Description
`GRT-ALL-PRIV`	Grant All Privileges	🟠 High	Avoid GRANT ALL PRIVILEGES. Use specific privilege grants to follow the principle of least privilege.
`GRT-WITH-OPT`	Grant With Grant Option	🟠 High	Avoid WITH GRANT OPTION. This allows the grantee to re-grant privileges and can lead to privilege escalation.
`GRT-TO-PUBLIC`	Grant to PUBLIC	🔴 Critical	Avoid granting privileges to PUBLIC. The PUBLIC role includes all users in the account, which may expose data unintentionally.
`GRT-OWNER-XFER`	Ownership Transfer	🟠 High	Ownership transfer detected. Verify approval and ensure proper access controls remain in place.
`GRT-TO-SHARE`	Grant to Share	🔴 Critical	Data sharing boundary crossed: granting to SHARE exposes data outside the account. Verify data classification and approval.
`GRT-ACCESS-EXP`	Role Grant Expands Effective Access	🟡 Medium	Role hierarchy change detected. Child role inherits privileges from parent role, affecting downstream roles and users.
`GRT-ACCESS-EXP-HI`	Role Grant Significantly Expands Access	🟠 High	HIGH: Role hierarchy change significantly expands effective access. Child role inherits 50+ privileges or affects 10+ users.
`GRT-SYSROLE-EXP`	Critical System Role Grant	🔴 Critical	CRITICAL: Grant involves privileged system role (ACCOUNTADMIN, SECURITYADMIN, SYSADMIN, USERADMIN, PUBLIC). This has account-wide security implications.
`GRT-BROAD-PRIV`	Broad Object Privilege Grant	🟡 Medium	Broad privilege grant detected. Object privilege affects multiple roles and users via role inheritance.
`GRT-BROAD-PRIV-HI`	Very Broad Object Privilege Grant	🟠 High	HIGH: Object privilege grant affects 20+ users via role inheritance. Review if this access scope is intentional.

Functions & Procedures (UDF/PROC/FUNC-xxx)

Rule ID	Name	Risk	Description
`PROC-NEW`	Procedure Created	🟢 Low	Stored procedure created. Verify business logic and access controls.
`PROC-DYNSQL`	Procedure Contains Dynamic SQL	🟠 High	Stored procedure contains EXECUTE IMMEDIATE (dynamic SQL). SQL injection risk if inputs are not validated.
`UDF-NEW`	Function Created	🟢 Low	User-defined function created. Verify return type and usage patterns.
`UDF-DYNSQL`	Function Contains Dynamic SQL	🟠 High	User-defined function contains EXECUTE IMMEDIATE (dynamic SQL). SQL injection risk if inputs are not validated.
`FUNC-DROP`	Function Dropped	🟡 Medium	DROP FUNCTION detected. Function definition removed. Verify no dependencies.
`PROC-DROP`	Procedure Dropped	🟡 Medium	DROP PROCEDURE detected. Procedure definition removed. Verify no dependencies.
`UDF-SECURE-RMV`	Function SECURE Removed	🟠 High	SECURE flag removed from function. Function body is now visible to users with USAGE privilege.
`UDF-EXTACC-CFG`	Function External Access Configured	🟡 Medium	Function configured with external access integrations or secrets. Review access permissions.
`PROC-SECURE-RMV`	Procedure SECURE Removed	🟠 High	SECURE flag removed from procedure. Procedure body is now visible to users with USAGE privilege.
`PROC-EXECAS-OWNER`	Procedure EXECUTE AS OWNER	🟡 Medium	Procedure set to EXECUTE AS OWNER. RISK: If owner has elevated privileges (e.g., deploy role), this grants all callers elevated access. Consider EXECUTE AS CALLER for better privilege isolation.
`PROC-EXECAS-CALLER`	Procedure EXECUTE AS CALLER	🟢 Low	Procedure set to EXECUTE AS CALLER. Runs with invoker's privileges. Safer than OWNER if procedure owner has elevated rights (e.g., deploy role). Context-dependent security.
`PROC-EXECAS-RESTRICT`	Procedure EXECUTE AS RESTRICTED CALLER	🟠 High	Procedure set to EXECUTE AS RESTRICTED CALLER. This is a significant compromise between security models - review carefully.
`PROC-EXTACC-CFG`	Procedure External Access Configured	🟡 Medium	Procedure configured with external access integrations or secrets. Review access permissions.

Dynamic SQL (DYNSQL-xxx)

Rule ID	Name	Risk	Description
`DYNSQL`	Dynamic SQL Execution	🟠 High	EXECUTE IMMEDIATE statement detected (dynamic SQL). SQL injection risk if inputs are not validated. Consider using parameterized queries.

External Tables (EXTTBL-xxx)

Rule ID	Name	Risk	Description
`EXTTBL-NEW`	External Table Created	🟢 Low	External table created. Federated data source registered for querying.

Diff Signals (DIFF-xxx)

Rule ID	Name	Risk	Description
`DIFF-WRITE-WHERE-RMV`	Unbounded Write After WHERE Removed	🔴 Critical	Write statement became unbounded after WHERE clause was removed. CRITICAL: May affect entire table.
`DIFF-LIMIT-RMV-MULTI`	LIMIT Removed (Multi-Table)	🔴 Critical	LIMIT removed from multi-table query. Potential cartesian explosion with {table_count} tables.
`DIFF-LIMIT-RMV`	LIMIT Removed (Single-Table)	🟠 High	LIMIT {previous_limit} removed. Query is now unbounded.
`DIFF-JOIN-CROSS-ADD`	CROSS JOIN Introduced	🔴 Critical	JOIN changed from {from_kind} to CROSS. Cartesian product risk.
`DIFF-SAMPLE-ADD`	SAMPLE Added	🔴 Critical	SAMPLE/TABLESAMPLE added. Query now operates on SUBSET of data!
`DIFF-WHERE-RMV`	WHERE Clause Removed	🟠 High	WHERE clause removed. Query is now unbounded.
`DIFF-JOIN-RMV`	JOIN Removed	🟠 High	JOIN removed. Data relationship lost.
`DIFF-DISTINCT-RMV`	DISTINCT Removed	🟠 High	DISTINCT removed. Query may now return duplicate rows.
`DIFF-JOIN-NARROW`	JOIN Type Narrowed	🟠 High	JOIN changed from {from_kind} to {to_kind}. May silently drop rows.
`DIFF-JOIN-TYPE-CHG`	JOIN Type Changed	🟡 Medium	JOIN type changed from {from_kind} to {to_kind}. Verify result set behavior.
`DIFF-HAVING-RMV`	HAVING Removed	🟠 High	HAVING clause removed. Aggregate filtering lost.
`DIFF-GROUPBY-COL-RMV`	GROUP BY Column Removed	🟠 High	GROUP BY column removed. May cause aggregate explosion or changed grouping.
`DIFF-QUALIFY-RMV-MULTI`	QUALIFY Removed (Multi-Table with Window Functions)	🟠 High	QUALIFY clause removed from multi-table query with window functions. Window function filtering lost.
`DIFF-QUALIFY-RMV`	QUALIFY Removed	🟡 Medium	QUALIFY clause removed. Window function filtering lost.
`DIFF-COL-RMV`	Column Removed	🟢 Low	Column removed from output. Downstream consumers may break.
`DIFF-TBL-RMV`	Table Removed from Query	🟡 Medium	Table removed from query. Data relationship changed.
`DIFF-AGG-FUNC-CHG`	Aggregate Function Changed	🟠 High	Aggregate function changed from {from_function} to {to_function}. Verify business logic.
`DIFF-JOIN-COND-CHG`	JOIN Condition Changed	🟠 High	JOIN condition changed. Data relationship logic altered.
`DIFF-WHERE-COND-CHG`	WHERE Condition Changed	🟠 High	WHERE clause predicates changed. Query filtering logic altered.
`DIFF-WIN-PART-CHG`	Window Partition Changed	🟠 High	Window function partition changed. Results may differ.
`DIFF-ORDERBY-CHG`	ORDER BY Changed	🟢 Low	ORDER BY clause changed. Result ordering affected.
`DIFF-CTE-RMV`	CTE Removed	🟡 Medium	CTE (Common Table Expression) removed. Query structure simplified.
`DIFF-XSCHEMA-ADD`	Cross-Schema Access Introduced	🟡 Medium	Query now accesses tables across different schemas.
`DIFF-LIMIT-INCR`	LIMIT Increased	🟡 Medium	LIMIT increased from {from_limit} to {to_limit}. More data may be returned.
`DIFF-LIMIT-DECR`	LIMIT Decreased	🟢 Low	LIMIT decreased from {from_limit} to {to_limit}. Query is more restrictive. ✓
`DIFF-SETOP-CHG`	SET Operation Changed	🟡 Medium	SET operation changed from {from_op} to {to_op}. Query logic altered.
`DIFF-UNION-TO-UNIONALL`	UNION Changed to UNION ALL	🟠 High	UNION changed to UNION ALL. Deduplication lost - may return duplicate rows.
`DIFF-WHERE-ADD`	WHERE Clause Added	🟢 Low	WHERE clause added. Query is now bounded. ✓
`DIFF-LIMIT-ADD`	LIMIT Added	🟢 Low	LIMIT added. Query is now bounded. ✓
`DIFF-DISTINCT-ADD`	DISTINCT Added	🟢 Low	DISTINCT added. Duplicates will be removed. ✓
`DIFF-QUALIFY-ADD`	QUALIFY Added	🟢 Low	QUALIFY clause added for window function filtering. ✓
`DIFF-HAVING-ADD`	HAVING Added	🟢 Low	HAVING clause added for aggregate filtering. ✓
`DIFF-WRITE-WHERE-ADD`	Write Statement Became Bounded	🟢 Low	Write statement became bounded with WHERE clause. ✓
`DIFF-TBL-ADD`	Table Added	🟢 Low	New table added to query.
`DIFF-JOIN-ADD`	JOIN Added	🟢 Low	New JOIN added to query.
`DIFF-COL-ADD`	Column Added	🟢 Low	New column added to output.
`DIFF-CTE-ADD`	CTE Added	🟢 Low	CTE (Common Table Expression) added. Query structure enhanced.
`DIFF-STMT-KIND-CHG`	Statement Kind Changed	🟠 High	Statement type changed from {from_kind} to {to_kind}. Verify intent.
`DIFF-WIN-FRAME-CHG`	Window Frame Changed	🟠 High	Window frame changed. Running totals, rankings, or cumulative calculations affected.
`DIFF-WIN-PART-RMV`	Window Partition Removed	🟠 High	PARTITION BY removed from window function. Function now operates over entire result set instead of per-group. Rankings, row numbers, and aggregates will be computed globally.
`DIFF-AGG-DISTINCT-RMV`	Aggregate DISTINCT Removed	🟠 High	DISTINCT removed from aggregate function. May now count/sum duplicate values.
`DIFF-AGG-DISTINCT-ADD`	Aggregate DISTINCT Added	🟡 Medium	DISTINCT added to aggregate function. May reduce result values.
`DIFF-AGG-ARG-CHG`	Aggregate Argument Changed	🟡 Medium	Aggregate function input changed from {from_argument} to {to_argument}. Verify correct column.
`DIFF-AGG-ARG-REFACTOR`	Aggregate Argument Refactored	🟢 Low	Aggregate function input refactored. Likely a column extraction.
`DIFF-GROUPBY-COL-ADD`	GROUP BY Column Added	🟡 Medium	GROUP BY column added. Aggregation granularity changed.
`DIFF-AGG-ADD`	Aggregate Added	🟢 Low	New aggregate function added to query.
`DIFF-AGG-RMV`	Aggregate Removed	🟡 Medium	Aggregate function removed from query. Calculation lost.
`DIFF-HAVING-CHG`	HAVING Clause Changed	🟡 Medium	HAVING clause filter logic changed. Aggregate filtering behavior affected.
`DIFF-SAMPLE-RMV`	SAMPLE Removed	🟢 Low	SAMPLE/TABLESAMPLE removed. Query now operates on full data. ✓
`DIFF-SETOP-ADD`	SET Operation Added	🟡 Medium	SET operation (UNION/INTERSECT/EXCEPT) added. Query logic extended.
`DIFF-SETOP-RMV`	SET Operation Removed	🟡 Medium	SET operation removed. Query logic simplified.
`DIFF-SUBQ-PRED-CHG`	Subquery Predicate Changed	🟡 Medium	Predicate changed within a subquery. Subquery filtering behavior affected.
`DIFF-SUBQ-SCOPE-CHG`	Subquery Scope Changed	🟠 High	Subquery scope type changed (e.g., EXISTS→NOT EXISTS). Query logic inverted.

Snowflake (SNW-xxx)

Rule ID	Name	Risk	Description
`SNW-STG-ENC-OFF`	Stage Encryption Disabled	🔴 Critical	Encryption disabled on stage. CRITICAL: This exposes data at rest to potential breaches.
`SNW-STG-ENC-ON`	Stage Encryption Enabled	🟢 Low	Encryption enabled on stage. Positive security signal.
`SNW-STG-CRED-CHG`	Stage Credentials Changed	🟠 High	Storage credentials changed on stage. Verify authorization and audit trail.
`SNW-STG-TAG-SET`	Stage Tag Set	🟢 Low	Tag set on stage. Positive governance signal for metadata tracking.
`SNW-STG-TAG-RMV`	Stage Tag Removed	🟡 Medium	Tag removed from stage. Verify governance metadata tracking is maintained.
`SNW-STG-INTG-CHG`	Stage Integration Changed	🟡 Medium	Storage integration changed on stage. Verify access controls.
`SNW-STG-INTG-SET`	Stage Integration Set	🟢 Low	Storage integration set on stage. External storage access configured.
`SNW-ROLE-PRIV-USE`	Privileged Role Hardcoded in Script	🔴 Critical	CRITICAL: Privileged role should not be hardcoded in scripts. Use role grants or session variables instead.
`SNW-GRT-PRIV-ROLE`	Privileged Role Grant	🔴 Critical	Privilege escalation detected: granting privileged system role. This gives full administrative control and should require explicit approval.
`SNW-API-INTG-NEW`	API Integration Created	🔴 Critical	CRITICAL: API Integration created. New external API access established. Verify endpoint security.
`SNW-API-INTG-NOPFX`	API Prefix Restrictions Missing or Removed	🟡 Medium	API Integration created or modified WITHOUT prefix restrictions. Unrestricted API access may be granted. Consider setting API_ALLOWED_PREFIXES or API_BLOCKED_PREFIXES.
`SNW-API-INTG-ON`	API Integration Enabled	🟢 Low	API Integration enabled. Info: Integration is active.
`SNW-API-INTG-CREDRMV`	API Key UNSET from API Integration	🟠 High	API Key UNSET from API Integration. HIGH: Authentication credential removed. Verify this change is intentional.
`SNW-API-INTG-CREDCHG`	API Credential Changed	🟠 High	API credential changed on API Integration. HIGH: Authentication credential or cloud IAM reference modified. Audit trail required.
`SNW-API-INTG-OFF`	API Integration Disabled	🟠 High	API Integration disabled. HIGH: Integration is no longer active. Verify dependent services are not impacted.
`SNW-MASK-EXEMPT`	Masking Policy EXEMPT_OTHER_POLICIES Enabled	🔴 Critical	Masking Policy created with EXEMPT_OTHER_POLICIES = TRUE. CRITICAL: May bypass other data protection policies.
`SNW-NETPOL-NEW`	Network Policy Created	🔴 Critical	Network Policy created. CRITICAL: New network access controls established.
`SNW-NETPOL-IPALLOW-CFG`	Network Policy ALLOWED_IP_LIST Configured	🟢 Low	Network Policy ALLOWED_IP_LIST configured. IP allowlist established.
`SNW-NETPOL-IPBLOCK-CFG`	Network Policy BLOCKED_IP_LIST Configured	🟢 Low	Network Policy BLOCKED_IP_LIST configured. IP blocklist established.
`SNW-NETPOL-RULELIST-CFG`	Network Policy ALLOWED_NETWORK_RULE_LIST Configured	🟡 Medium	Network Policy ALLOWED_NETWORK_RULE_LIST configured. Network rules referenced.
`SNW-NETPOL-SET`	Network Policy SET Operation	🔴 Critical	Network Policy SET operation. CRITICAL: This replaces the entire IP/rule list. Verify authorization and review new configuration.
`SNW-NETPOL-ADD`	Network Policy ADD Operation	🟠 High	Network Policy ADD operation. Network rules or IPs added.
`SNW-NETPOL-RMV`	Network Policy REMOVE Operation	🔴 Critical	Network Policy REMOVE operation. CRITICAL: Network restrictions removed.
`SNW-NETPOL-NAME-CHG`	Network Policy Renamed	🟠 High	Network Policy renamed. Dependent objects may be affected.
`SNW-NETPOL-TAG-ADD`	Network Policy Tag Added	🟢 Low	Tag added to Network Policy. Positive governance signal.
`SNW-NETPOL-TAG-RMV`	Network Policy Tag Removed	🟡 Medium	Tag removed from Network Policy. Governance metadata may be incomplete.
`SNW-NETPOL-COMMENT-RMV`	Network Policy Comment Removed	🟢 Low	Comment removed from Network Policy. Documentation cleared.
`SNW-NETPOL-DROP`	Network Policy Dropped	🔴 Critical	Network Policy dropped. CRITICAL: Network access controls removed.
`SNW-STGINTG-NEW`	Storage Integration Created	🟠 High	Storage Integration created. HIGH: Grants external cloud storage access. Verify credentials and allowed locations.
`SNW-STGINTG-NEW-OFF`	Storage Integration Created but Disabled	🟡 Medium	Storage Integration created but disabled. MEDIUM: Verify this is intentional staging.
`SNW-STGINTG-OFF`	Storage Integration Disabled	🔴 Critical	Storage Integration disabled. CRITICAL: External data access cut off. Verify dependent pipelines won't fail.
`SNW-STGINTG-ON`	Storage Integration Enabled	🟢 Low	Storage Integration enabled. Positive security signal - external access restored.
`SNW-STGINTG-AWS-CHG`	AWS Role ARN Changed	🔴 Critical	AWS Role ARN changed. CRITICAL: Cloud credentials modified. Verify new role has correct permissions.
`SNW-STGINTG-AZURE-CHG`	Azure Tenant ID Changed	🔴 Critical	Azure Tenant ID changed. CRITICAL: Cloud credentials modified. Verify new tenant has correct permissions.
`SNW-STGINTG-LOC-CHG`	Storage Allowed Locations Changed	🟠 High	Storage allowed locations changed. HIGH: Data access scope modified. Verify new locations are authorized.
`SNW-STGINTG-BLOCKLOC-CHG`	Storage Blocked Locations Changed	🟠 High	Storage blocked locations changed. HIGH: Data access restrictions modified. Verify block list is still secure.
`SNW-STGINTG-TAG-ADD`	Storage Integration Tag Added	🟢 Low	Storage Integration tag added. Positive governance signal.
`SNW-STGINTG-TAG-RMV`	Storage Integration Tag Removed	🟡 Medium	Storage Integration tag removed. MEDIUM: Governance metadata lost. Verify this is intentional.
`SNW-STGINTG-DROP`	Storage Integration Dropped	🔴 Critical	Storage Integration dropped. CRITICAL: External data access permanently removed. Verify dependent stages/pipes won't fail.
`SNW-NOTIFINTG-NEW`	Notification Integration Created	🟢 Low	Notification integration created. External notification configured.
`SNW-SESSPOL-IDLE-LONG`	Session Policy Long Idle Timeout	🟠 High	Session Policy created with long idle timeout (>24 hours). HIGH: Consider shorter timeout for better security.
`SNW-SESSPOL-UIIDLE-LONG`	Session Policy Long UI Idle Timeout	🟠 High	Session Policy created with long UI idle timeout (>24 hours). HIGH: Consider shorter timeout for better security.
`SNW-SESSPOL-IDLE-UNSET`	Session Idle Timeout UNSET	🔴 Critical	Session idle timeout UNSET. CRITICAL: Sessions can remain active indefinitely. This weakens security posture significantly.
`SNW-SESSPOL-UIIDLE-UNSET`	UI Idle Timeout UNSET	🔴 Critical	UI idle timeout UNSET. CRITICAL: UI sessions can remain active indefinitely. Verify this doesn't create unattended access risk.
`SNW-SESSPOL-IDLE-LONGSET`	Session Idle Timeout SET to Long Duration	🟠 High	Session idle timeout SET to long duration (>24 hours). HIGH: Consider shorter timeout for better security.
`SNW-SESSPOL-UIIDLE-LONGSET`	UI Idle Timeout SET to Long Duration	🟠 High	UI idle timeout SET to long duration (>24 hours). HIGH: Consider shorter timeout for better security.
`SNW-SESSPOL-IDLE-CHG`	Session Idle Timeout Modified	🟡 Medium	Session idle timeout modified. Review new timeout value.
`SNW-SESSPOL-DROP`	Session Policy Dropped	🔴 Critical	Session Policy dropped. CRITICAL: Session governance controls removed. All roles/users referencing this policy lose session management.
`SNW-SESSPOL-NEW`	Session Policy Created	🟢 Low	Session Policy created. Positive governance signal — session timeout controls configured.
`SNW-SESSPOL-NAME-CHG`	Session Policy Renamed	🟡 Medium	Session Policy renamed. Verify all roles/users referencing this policy are updated.
`SNW-SESSPOL-TAG-ADD`	Session Policy Tag Set	🟢 Low	Session Policy tag set. Positive governance signal — metadata tag added.
`SNW-SESSPOL-TAG-RMV`	Session Policy Tag Removed	🟡 Medium	Session Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-SESSPOL-COMMENT-ADD`	Session Policy Comment Set	🟢 Low	Comment added to Session Policy. Positive documentation signal.
`SNW-SESSPOL-COMMENT-RMV`	Session Policy Comment Removed	🟢 Low	Comment removed from Session Policy. Documentation lost.
`SNW-NOTIFINTG-CHG`	Notification Integration Modified	🟢 Low	Notification integration modified. Verify configuration.
`SNW-EXTACC-NEW`	External Access Integration Created	🟡 Medium	External access integration created. Network egress configured.
`SNW-EXTACC-DROP`	External Access Integration Dropped	🟠 High	External access integration dropped. Network egress removed.
`SNW-EXTACC-OFF`	External Access Integration Disabled	🟠 High	External access integration disabled. Network egress suspended.
`SNW-EXTACC-ON`	External Access Integration Enabled	🟡 Medium	External access integration enabled. Network egress activated.
`SNW-EXTACC-HOSTS-CHG`	External Access Allowed Hosts Changed	🔴 Critical	External access allowed hosts changed. CRITICAL: Network egress scope modified.
`SNW-EXTACC-NETRULES-CHG`	External Access Network Rules Changed	🟠 High	External access network rules changed. Verify egress restrictions.
`SNW-EXTACC-SECRETS-CHG`	External Access Secrets Changed	🔴 Critical	External access allowed secrets changed. CRITICAL: Credential access modified.
`SNW-EXTACC-SECRET-RMV`	External Access Secret Removed	🟠 High	External access secret removed from allowed list.
`SNW-EXTACC-NETRULE-ADD`	External Access Network Rule Added	🟡 Medium	Network rule added to external access integration.
`SNW-EXTACC-NETRULE-RMV`	External Access Network Rule Removed	🟠 High	Network rule removed from external access integration.
`SNW-EXTACC-COMMENT-CHG`	External Access Comment Changed	🟢 Low	External access integration comment changed.
`SNW-EXTACC-TAG-ADD`	External Access Tag Added	🟢 Low	Tag added to external access integration. Positive governance.
`SNW-EXTACC-TAG-RMV`	External Access Tag Removed	🟡 Medium	Tag removed from external access integration.
`SNW-EXTACC-NAME-CHG`	External Access Name Changed	🟠 High	External access integration renamed. Dependent objects may break.
`SNW-EXTACC-OWNER-CHG`	External Access Owner Changed	🟠 High	External access integration ownership changed.
`SNW-EXTACC-CHG`	External Access Modified	🟡 Medium	External access integration modified. Verify configuration.
`SNW-AUTHPOL-NEW`	Authentication Policy Created	🟢 Low	Authentication policy created. Identity verification configured.
`SNW-AUTHPOL-DROP`	Authentication Policy Dropped	🔴 Critical	Authentication policy dropped. CRITICAL: Identity verification controls removed.
`SNW-AUTHPOL-OFF`	Authentication Policy Disabled	🔴 Critical	Authentication policy disabled. CRITICAL: Identity verification suspended.
`SNW-AUTHPOL-CHG`	Authentication Policy Modified	🟠 High	Authentication policy modified. Verify identity verification settings.
`SNW-AUTHPOL-METHODS-CHG`	Authentication Methods Changed	🔴 Critical	Authentication policy methods changed. CRITICAL: Identity verification approach modified.
`SNW-AUTHPOL-MFA-CHG`	Authentication MFA Requirement Changed	🔴 Critical	Authentication policy MFA requirements changed. CRITICAL: Multi-factor security modified.
`SNW-AUTHPOL-CLIENT-CHG`	Authentication Client Types Changed	🟠 High	Authentication policy client types changed. Connection method restrictions modified.
`SNW-AUTHPOL-SECINTG-CHG`	Authentication Security Integrations Changed	🔴 Critical	Authentication policy security integrations changed. CRITICAL: SSO/SAML configuration modified.
`SNW-AUTHPOL-ON`	Authentication Policy Enabled	🟢 Low	Authentication policy enabled. Positive security signal.
`SNW-PWDPOL-HISTORY-UNSET`	Password History UNSET	🟠 High	Password history UNSET. HIGH: Reverts to default (0), users can reuse passwords immediately.
`SNW-AUTHPOL-MFA-OFF`	Authentication Policy MFA Not Required	🔴 Critical	Authentication Policy created without MFA requirement. CRITICAL: Multi-factor authentication not enforced, accounts vulnerable to credential compromise.
`SNW-PWDPOL-RETRIES-UNSET`	Password Max Retries Unset	🔴 Critical	Password max retries UNSET. CRITICAL: Reverts to default, may allow unlimited login attempts enabling brute-force attacks.
`SNW-PWDPOL-LOCKOUT-UNSET`	Password Lockout Unset	🔴 Critical	Password lockout time UNSET. CRITICAL: Reverts to default, may remove account lockout protection enabling brute-force attacks.
`SNW-PWDPOL-NEW`	Password Policy Created	🟡 Medium	Password Policy created. Positive security signal - password controls in place.
`SNW-PWDPOL-MINLEN-CRIT`	Password Policy Critical Weak Min Length	🔴 Critical	Password Policy created with CRITICAL weak minimum length (<8 characters). This violates basic security standards.
`SNW-PWDPOL-MINLEN-WEAK`	Password Policy Weak Min Length	🟠 High	Password Policy created with weak minimum length (8-11 characters). HIGH: CIS/CISA recommend ≥12 characters (NIST SP 800-63B requires ≥8).
`SNW-PWDPOL-COMPLEX-WEAK`	Password Policy Weak Complexity	🟠 High	Password Policy created with weak complexity requirements (<2 character classes). HIGH: Passwords may be easily guessable.
`SNW-PWDPOL-NOEXPIRY`	Password Policy No Expiration	🔴 Critical	Password Policy created with NO expiration (PASSWORD_MAX_AGE_DAYS = 0). CRITICAL: Passwords never expire.
`SNW-PWDPOL-EXPIRY-LONG`	Password Policy Long Expiration	🟠 High	Password Policy created with long expiration (>180 days). HIGH: Consider shorter expiration period.
`SNW-PWDPOL-RETRIES-HIGH`	Password Policy High Max Retries	🔴 Critical	Password Policy created with high max retries (>10). CRITICAL: Account brute-force risk.
`SNW-PWDPOL-RETRIES-CHG`	Password Policy Moderate Max Retries	🟠 High	Password Policy created with moderate max retries (6-10). HIGH: Consider limiting to 5 or fewer.
`SNW-PWDPOL-LOCKOUT-SHORT`	Password Policy Short Lockout Time	🟠 High	Password Policy created with short lockout time (<5 minutes). HIGH: Account brute-force window too small.
`SNW-PWDPOL-NOHIST`	Password Policy No History	🟠 High	Password Policy created with NO history (PASSWORD_HISTORY = 0). HIGH: Users can reuse passwords immediately.
`SNW-PWDPOL-MINLEN-CRITWEAK`	Password Min Length Set to Weak	🔴 Critical	Password minimum length SET to CRITICAL weak value (<8). This violates basic security standards.
`SNW-PWDPOL-MINLEN-WEAKEN`	Password Min Length Weakened	🟠 High	Password minimum length weakened (8-11 characters). HIGH: CIS/CISA recommend ≥12 characters (NIST SP 800-63B requires ≥8).
`SNW-PWDPOL-EXPIRY-OFF`	Password Expiration Disabled	🔴 Critical	Password expiration DISABLED (PASSWORD_MAX_AGE_DAYS = 0). CRITICAL: Passwords never expire.
`SNW-PWDPOL-EXPIRY-LONGSET`	Password Expiration Set to Long	🟠 High	Password expiration SET to long duration (>180 days). HIGH: Consider shorter period.
`SNW-PWDPOL-RETRIES-INCR`	Password Max Retries Increased	🔴 Critical	Password max retries INCREASED (>10). CRITICAL: Account brute-force risk significantly increased.
`SNW-PWDPOL-LOCKOUT-CUT`	Password Lockout Time Shortened	🟠 High	Password lockout time SHORTENED (<5 minutes). HIGH: Brute-force attack window reduced too much.
`SNW-PWDPOL-HIST-OFF`	Password History Disabled	🟠 High	Password history DISABLED (PASSWORD_HISTORY = 0). HIGH: Users can reuse passwords immediately.
`SNW-PWDPOL-MINLEN-UNSET`	Password Minimum Length Unset	🔴 Critical	Password minimum length UNSET. CRITICAL: Reverts to default (8 characters), weakening security.
`SNW-PWDPOL-EXPIRY-UNSET`	Password Expiration Unset	🔴 Critical	Password expiration UNSET. CRITICAL: Reverts to default, may remove expiration entirely.
`SNW-PWDPOL-NAME-CHG`	Password Policy Renamed	🟠 High	Password Policy renamed. HIGH: This may break user/role assignments referencing this policy.
`SNW-PWDPOL-DROP`	Password Policy Dropped	🔴 Critical	Password Policy dropped. CRITICAL: Password strength controls removed. Verify this doesn't weaken authentication security.
`SNW-PWDPOL-TAG-ADD`	Password Policy Tag Set	🟢 Low	Password Policy tag set. Positive governance signal — metadata tag added.
`SNW-PWDPOL-TAG-RMV`	Password Policy Tag Removed	🟡 Medium	Password Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-PWDPOL-COMMENT-RMV`	Password Policy Comment Removed	🟢 Low	Comment removed from Password Policy. Documentation lost.
`SNW-PWDPOL-MINLEN-CFG`	Password Policy Min Length Configured	🟢 Low	Password Policy minimum length configured. Positive governance signal.
`SNW-PWDPOL-COMPLEX-CFG`	Password Policy Complexity Configured	🟢 Low	Password Policy complexity requirements configured. Positive governance signal.
`SNW-PWDPOL-LOCKOUT-CFG`	Password Policy Lockout Configured	🟢 Low	Password Policy lockout configured. Positive governance signal — brute-force protection active.
`SNW-PWDPOL-HIST-CFG`	Password Policy History Configured	🟢 Low	Password Policy history configured. Positive governance signal — password reuse prevented.
`SNW-PWDPOL-EXPIRY-CFG`	Password Policy Expiration Configured	🟢 Low	Password Policy expiration configured. Passwords will expire per policy.
`SNW-PWDPOL-EXPIRY-FAIR`	Password Policy Moderate Expiration	🟢 Low	Password Policy has moderate expiration period (30-89 days). Consider tighter expiration for sensitive environments.
`SNW-PWDPOL-EXPIRY-STALE`	Password Policy Long Expiration	🟡 Medium	Password Policy has long expiration period (>=90 days). Passwords remain valid for extended periods.
`SNW-PWDPOL-LOCKOUT-WEAK`	Password Policy Short Lockout	🟡 Medium	Password Policy has short lockout time (<5 minutes). Brute-force attacks have reduced penalty window.
`SNW-PWDPOL-MAXLEN-LOW`	Password Policy Max Length Restrictive	🟡 Medium	Password Policy has restrictive maximum length. Users cannot create long, complex passwords.
`SNW-AGGPOL-NEW`	Aggregation Policy Created	🟠 High	Aggregation Policy created. HIGH: This controls minimum group sizes for aggregation queries to prevent small group disclosures. Verify MIN_GROUP_SIZE is adequate for your privacy requirements.
`SNW-AGGPOL-NOCONST`	Aggregation Policy No Aggregation Constraint	🔴 Critical	Aggregation Policy uses NO_AGGREGATION_CONSTRAINT. CRITICAL: This removes all aggregation protections, allowing small group queries that may disclose sensitive information.
`SNW-AGGPOL-GRPSZ-CRIT`	Aggregation Policy Min Group Size Critical	🔴 Critical	Aggregation Policy has dangerously low MIN_GROUP_SIZE (< 3). CRITICAL: Groups smaller than 3 can easily lead to re-identification.
`SNW-AGGPOL-GRPSZ-LOW`	Aggregation Policy Min Group Size Low	🟠 High	Aggregation Policy has low MIN_GROUP_SIZE (3-4). HIGH: While better than 1-2, groups of 3-4 still pose re-identification risks.
`SNW-AGGPOL-GRPSZ-STRONG`	Aggregation Policy Strong Min Group Size	🟢 Low	Aggregation Policy has strong MIN_GROUP_SIZE (≥10). LOW: Good privacy protection. This significantly reduces re-identification risk.
`SNW-AGGPOL-COND`	Aggregation Policy Uses Conditional Logic	🟡 Medium	Aggregation Policy uses conditional logic (CASE expressions). MEDIUM: Conditional policies can have different protections for different scenarios. Verify all branches have adequate MIN_GROUP_SIZE values.
`SNW-AGGPOL-NOCONST-CHG`	Aggregation Policy Changed to No Constraint	🔴 Critical	Aggregation Policy body changed to NO_AGGREGATION_CONSTRAINT. CRITICAL: Protection removed entirely. This exposes data to unrestricted aggregation queries.
`SNW-AGGPOL-TAG-ADD`	Aggregation Policy Tag Set	🟢 Low	Aggregation Policy tag set. LOW: Metadata tag added to policy. Informational only.
`SNW-AGGPOL-TAG-RMV`	Aggregation Policy Tag Removed	🟡 Medium	Aggregation Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-AGGPOL-COMMENT-ADD`	Aggregation Policy Comment Set	🟢 Low	Comment added to Aggregation Policy. Positive documentation signal.
`SNW-AGGPOL-COMMENT-RMV`	Aggregation Policy Comment Removed	🟢 Low	Comment removed from Aggregation Policy. Documentation lost.
`SNW-AGGPOL-CHG`	Aggregation Policy Altered	🟡 Medium	Aggregation Policy altered. MEDIUM: Policy modified. Review changes to ensure they maintain adequate privacy protections.
`SNW-AGGPOL-NAME-CHG`	Aggregation Policy Renamed	🟡 Medium	Aggregation Policy renamed. MEDIUM: Policy name changed. Verify references to this policy are updated in dependent objects and documentation.
`SNW-AGGPOL-DROP`	Aggregation Policy Dropped	🔴 Critical	Aggregation Policy dropped. CRITICAL: Aggregation protections removed. This removes minimum group size constraints, potentially exposing sensitive data through small group aggregations.
`SNW-PROJPOL-NEW`	Projection Policy Created	🟢 Low	Projection policy created. Column visibility controls configured.
`SNW-PROJPOL-DROP`	Projection Policy Dropped	🟠 High	Projection policy dropped. Column visibility controls removed.
`SNW-PROJPOL-CHG`	Projection Policy Modified	🟡 Medium	Projection policy modified. Review changes to ensure column visibility controls remain adequate.
`SNW-PROJPOL-NAME-CHG`	Projection Policy Renamed	🟡 Medium	Projection policy renamed. Verify references to this policy are updated in dependent objects.
`SNW-PROJPOL-ALLOWLIST`	Projection Policy Allow List Configured	🟡 Medium	Projection policy uses PROJECTION_CONSTRAINT with ALLOW list. Verify the allowed projections are appropriate for data sensitivity.
`SNW-PROJPOL-ENFORCE-OFF`	Projection Policy Enforcement Disabled	🔴 Critical	Projection policy enforcement disabled (ENFORCEMENT = 'NONE'). CRITICAL: Column visibility controls are not enforced.
`SNW-PROJPOL-ENFORCE-ON`	Projection Policy Enforcement Enabled	🟢 Low	Projection policy enforcement enabled. Positive governance signal — column visibility controls are active.
`SNW-PROJPOL-COND`	Projection Policy Uses Conditional Logic	🟡 Medium	Projection policy uses conditional logic (CASE expressions). Verify all branches maintain appropriate column visibility controls.
`SNW-PROJPOL-TAG-ADD`	Projection Policy Tag Set	🟢 Low	Projection Policy tag set. Positive governance signal — metadata tag added.
`SNW-PROJPOL-TAG-RMV`	Projection Policy Tag Removed	🟡 Medium	Projection Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-PROJPOL-COMMENT-ADD`	Projection Policy Comment Set	🟢 Low	Comment added to Projection Policy. Positive documentation signal.
`SNW-PROJPOL-COMMENT-RMV`	Projection Policy Comment Removed	🟢 Low	Comment removed from Projection Policy. Documentation lost.
`SNW-UNKNOWN`	Unknown Syntax Detected	🟠 High	Unknown syntax detected. Cannot verify compliance for this statement. Review against latest Snowflake documentation.
`SNW-EXPORT-UNBOUNDED`	Unbounded Data Export	🟠 High	COPY INTO exports data to external location without filtering. Full table contents may be exposed.
`SNW-STG-DROP`	Stage Dropped	🟡 Medium	DROP STAGE detected. Stage and any staged files will be removed.
`SNW-DB-FROM-SHARE`	Database Created From Share	🟠 High	Database created from share. Data is being accessed from external provider. Verify data governance compliance.
`SNW-DB-REPLICA`	Database Created As Replica	🟡 Medium	Database created as replica. Data is being replicated from another region/account.
`SNW-DB-SWAP`	Database Swapped	🟠 High	Database swapped with another database. All objects exchanged between databases. Verify access controls.
`SNW-DB-RETENTION-CHG`	Database Data Retention Changed	🟠 High	Database data retention period changed. Time Travel and Fail-safe capabilities may be affected.
`SNW-DB-REPL-ON`	Database Replication Enabled	🟠 High	Database replication enabled. Data will be replicated to other accounts/regions. Verify compliance with data residency requirements.
`SNW-DB-REPL-OFF`	Database Replication Disabled	🟠 High	Database replication disabled. Disaster recovery capabilities reduced.
`SNW-DB-FAILOVER-ON`	Database Failover Enabled	🟡 Medium	Database failover enabled. Account can be promoted as failover target.
`SNW-DB-FAILOVER-OFF`	Database Failover Disabled	🟠 High	Database failover disabled. Disaster recovery failover capability removed.
`SNW-DB-FAILOVER-PROMOTE`	Database Failover Promoted	🔴 Critical	CRITICAL: Database promoted to primary. This is a failover event. The database is now writable and replication direction has changed.
`SNW-DB-REFRESH`	Database Refreshed	🟡 Medium	Database refresh initiated from primary. Local changes may be overwritten.
`SNW-SCHEMA-MGDACC-NEW`	Schema Created With Managed Access	🟢 Low	Schema created with MANAGED ACCESS. Centralized privilege management enabled - only schema owner can grant privileges.
`SNW-SCHEMA-DROP`	Schema Dropped (Specific)	🔴 Critical	DROP SCHEMA detected. CRITICAL: All tables, views, and objects within the schema will be permanently deleted.
`SNW-SCHEMA-SWAP`	Schema Swapped	🟠 High	Schema swapped with another schema. All objects exchanged between schemas. Verify access controls.
`SNW-SCHEMA-RETENTION-CHG`	Schema Data Retention Changed	🟠 High	Schema data retention period changed. Time Travel and Fail-safe capabilities for all objects in schema may be affected.
`SNW-SCHEMA-MGDACC-ON`	Schema Managed Access Enabled	🟢 Low	Schema MANAGED ACCESS enabled. Centralized privilege management now active - only schema owner can grant privileges on objects.
`SNW-SCHEMA-MGDACC-OFF`	Schema Managed Access Disabled	🟠 High	Schema MANAGED ACCESS disabled. Object owners can now grant privileges. Review privilege grants for compliance.
`SNW-DYNTBL-NEW`	Dynamic Table Created	🟢 Low	Dynamic table created. Materialized view with automatic refresh.
`SNW-DYNTBL-PARSE-ERR`	Dynamic Table Query Parse Error	🟡 Medium	Dynamic table query could not be parsed. Lineage extraction incomplete.
`SNW-DYNTBL-DROP`	Dynamic Table Dropped	🟠 High	Dynamic table dropped. Materialized view and automatic refresh removed.
`SNW-DYNTBL-SUSP`	Dynamic Table Suspended	🟢 Low	Dynamic table suspended. Automatic refresh paused.
`SNW-DYNTBL-RESUME`	Dynamic Table Resumed	🟢 Low	Dynamic table resumed. Automatic refresh reactivated.
`SNW-DYNTBL-NAME-CHG`	Dynamic Table Renamed	🟡 Medium	Dynamic table renamed. Update dependent references.
`SNW-DYNTBL-SWAP`	Dynamic Table Swapped	🟡 Medium	Dynamic table swapped with another. Verify data integrity.
`SNW-DYNTBL-TAG-ADD`	Dynamic Table Tag Set	🟢 Low	Tag set on dynamic table. Positive governance signal for metadata tracking.
`SNW-DYNTBL-TAG-RMV`	Dynamic Table Tag Removed	🟡 Medium	Tag removed from dynamic table. Verify governance metadata tracking is maintained.
`SNW-DYNTBL-RAP-ADD`	Dynamic Table Row Access Policy Applied	🟡 Medium	Row access policy applied to dynamic table. Access controls configured.
`SNW-DYNTBL-RAP-RMV`	Dynamic Table Row Access Policy Removed	🟠 High	Row access policy removed from dynamic table. Access controls weakened.
`SNW-DYNTBL-MASK-ADD`	Dynamic Table Masking Policy Applied	🟡 Medium	Masking policy applied to dynamic table column. Data protection configured.
`SNW-DYNTBL-MASK-RMV`	Dynamic Table Masking Policy Removed	🟠 High	Masking policy removed from dynamic table column. Data protection weakened.
`SNW-TASK-NEW`	Task Created	🟢 Low	Scheduled task created. Automated SQL execution configured.
`SNW-TASK-DROP`	Task Dropped	🟠 High	Scheduled task dropped. Automated workflow removed.
`SNW-TASK-RESUME`	Task Resumed	🟡 Medium	Task resumed. Automated execution is now active.
`SNW-TASK-SUSPEND`	Task Suspended	🟢 Low	Task suspended. Automated execution paused.
`SNW-TASK-BODY-CHG`	Task Body Modified	🟡 Medium	Task SQL body modified. Review the new logic for correctness.
`SNW-TASK-DEP-CHG`	Task Dependencies Modified	🟡 Medium	Task dependency chain modified. Verify DAG execution order.
`SNW-TASK-EXECAS`	Task Execute Privilege Configured	🟠 High	Task EXECUTE AS configured. Verify privilege escalation is intentional.
`SNW-TASK-PARSE-ERR`	Task Body Parse Error	🟡 Medium	Task body SQL could not be parsed. Lineage extraction incomplete.
`SNW-STREAM-NEW`	Stream Created	🟢 Low	Stream created. CDC tracking enabled on source object.
`SNW-STREAM-DROP`	Stream Dropped	🟠 High	Stream dropped. CDC tracking removed - downstream consumers may be affected.
`SNW-STREAM-APPENDONLY`	Stream Append Only Mode	🟢 Low	Stream configured with APPEND_ONLY mode. Only INSERT operations will be tracked.
`SNW-STREAM-INSERTONLY`	Stream Insert Only Mode	🟢 Low	Stream configured with INSERT_ONLY mode for external table.

BigQuery (BQ-xxx)

Rule ID	Name	Risk	Description
`BQ-EXPORT-UNBOUNDED`	Unbounded Data Export (BigQuery)	🟠 High	EXPORT DATA exports query results to external storage without WHERE filtering. Full table contents may be exposed.
`BQ-EXPORT-AWS-LEAK`	Hardcoded AWS Key in EXPORT DATA	🔴 Critical	Hardcoded AWS access key detected in EXPORT DATA statement. Use secure credential management instead.
`BQ-EXPORT-PWD-LEAK`	Hardcoded Password in EXPORT DATA	🔴 Critical	Hardcoded password detected in EXPORT DATA statement. Use secure parameter passing instead.
`BQ-EXPORT-APIKEY-LEAK`	Hardcoded API Key in EXPORT DATA	🔴 Critical	Hardcoded API key or access token detected in EXPORT DATA statement. Store API keys in secure secrets managers.
`BQ-EXPORT-CONNSTR-LEAK`	Hardcoded Connection String in EXPORT DATA	🔴 Critical	Connection string with embedded credentials detected in EXPORT DATA statement. Use secure credential storage.
`BQ-LOAD-EXTSTORE`	External Cloud Storage in LOAD DATA (BigQuery)	🟡 Medium	LOAD DATA references external cloud storage (GCS/S3/Azure). Verify source data integrity and access controls.
`BQ-LOAD-AWS-LEAK`	Hardcoded AWS Key in LOAD DATA	🔴 Critical	Hardcoded AWS access key detected in LOAD DATA statement. Use secure credential management instead.
`BQ-LOAD-PWD-LEAK`	Hardcoded Password in LOAD DATA	🔴 Critical	Hardcoded password detected in LOAD DATA statement. Use secure parameter passing instead.
`BQ-LOAD-APIKEY-LEAK`	Hardcoded API Key in LOAD DATA	🔴 Critical	Hardcoded API key or access token detected in LOAD DATA statement. Store API keys in secure secrets managers.
`BQ-LOAD-CONNSTR-LEAK`	Hardcoded Connection String in LOAD DATA	🔴 Critical	Connection string with embedded credentials detected in LOAD DATA statement. Use secure credential storage.
`BQ-SNAP-TBL-NEW`	Snapshot Table Created	🟢 Low	Snapshot table created. Point-in-time clone of source table.
`BQ-SNAP-TBL-DROP`	Snapshot Table Dropped	🟡 Medium	Snapshot table dropped. Point-in-time recovery path removed for this dataset.
`BQ-SEARCHIDX-NEW`	Search Index Created	🟢 Low	Search index created for full-text search capabilities.
`BQ-SEARCHIDX-DROP`	Search Index Dropped	🟡 Medium	Search index dropped. Full-text search performance on this table may degrade.
`BQ-VECIDX-NEW`	Vector Index Created	🟢 Low	Vector index created for ML embedding similarity search.
`BQ-VECIDX-CHG`	Vector Index Modified	🟢 Low	Vector index modified (e.g., REBUILD). Validate embedding search quality/performance baselines.
`BQ-VECIDX-DROP`	Vector Index Dropped	🟡 Medium	Vector index dropped. ML embedding search performance on this table may degrade.
`BQ-EXTTBL-EXTSTORE`	External Cloud Storage in External Table (BigQuery)	🟡 Medium	CREATE EXTERNAL TABLE references external cloud storage (GCS/S3/Azure). Verify source integrity and access boundaries.
`BQ-EXTTBL-AWS-LEAK`	Hardcoded AWS Key in External Table	🔴 Critical	Hardcoded AWS access key detected in CREATE EXTERNAL TABLE. Use secure credential management instead.
`BQ-EXTTBL-PWD-LEAK`	Hardcoded Password in External Table	🔴 Critical	Hardcoded password detected in CREATE EXTERNAL TABLE. Use secure parameter passing instead.
`BQ-EXTTBL-APIKEY-LEAK`	Hardcoded API Key in External Table	🔴 Critical	Hardcoded API key or access token detected in CREATE EXTERNAL TABLE. Store API keys in secure secrets managers.
`BQ-EXTTBL-CONNSTR-LEAK`	Hardcoded Connection String in External Table	🔴 Critical	Connection string with embedded credentials detected in CREATE EXTERNAL TABLE. Use secure credential storage.
`BQ-MODEL-NEW`	ML Model Created	🟢 Low	BigQuery ML model created. Training data pipeline established.
`BQ-MODEL-DROP`	ML Model Dropped	🟡 Medium	BigQuery ML model dropped. Dependent prediction queries will fail.
`BQ-MODEL-CHG`	ML Model Modified	🟢 Low	BigQuery ML model options modified.
`BQ-MODEL-EXPORT`	ML Model Exported	🟡 Medium	BigQuery ML model exported to external storage. Model artifacts leaving BigQuery.
`BQ-MODEL-UNBOUNDED`	Unbounded BQML Training Query	🟠 High	BQML training query has no WHERE/filter conditions. Model may train on unintended full datasets.
`BQ-MODEL-EXPORT-EXTSTORE`	External Cloud Storage in EXPORT MODEL (BigQuery)	🟡 Medium	EXPORT MODEL writes artifacts to external cloud storage. Verify destination boundaries and retention controls.
`BQ-MODEL-AWS-LEAK`	Hardcoded AWS Key in BQML Statement	🔴 Critical	Hardcoded AWS access key detected in CREATE/ALTER/EXPORT MODEL. Use secure credential management instead.
`BQ-MODEL-PWD-LEAK`	Hardcoded Password in BQML Statement	🔴 Critical	Hardcoded password detected in CREATE/ALTER/EXPORT MODEL. Use secure parameter passing instead.
`BQ-MODEL-APIKEY-LEAK`	Hardcoded API Key in BQML Statement	🔴 Critical	Hardcoded API key or access token detected in CREATE/ALTER/EXPORT MODEL. Store API keys in secure secrets managers.
`BQ-MODEL-CONNSTR-LEAK`	Hardcoded Connection String in BQML Statement	🔴 Critical	Connection string with embedded credentials detected in CREATE/ALTER/EXPORT MODEL. Use secure credential storage.
`BQ-ASSERT-CFG`	ASSERT Statement Present	🟢 Low	ASSERT statement present. Data quality/runtime invariant check is enforced.
`BQ-ASSERT-NODESC`	ASSERT Missing Description	🟢 Low	ASSERT statement missing descriptive message. Failures may be harder to triage in logs and runtime pipelines.
`BQ-MODEL-REMOTE`	ML Model Remote Connection	🟠 High	BigQuery ML model uses REMOTE WITH CONNECTION. Model calls external endpoint — review connection security and data exposure.

PostgreSQL (PG-xxx)

Rule ID	Name	Risk	Description
`PG-RLS-CHG`	PG RLS Policy Modified	🟡 Medium	Row-level security policy modified. Review the updated USING/WITH CHECK expressions to ensure data access remains correctly restricted.
`PG-RLS-NAME-CHG`	PG RLS Policy Renamed	🟢 Low	Row-level security policy renamed. Verify dependent references are updated.
`PG-RLS-DROP`	PG RLS Policy Dropped	🔴 Critical	Row-level security policy dropped. CRITICAL: Row-level data protection removed. All rows may become visible to users who were previously restricted.
`PG-RLS-CASCADE-DROP`	PG RLS Policy Dropped with CASCADE	🔴 Critical	Row-level security policy dropped with CASCADE. CRITICAL: Cascading removal may affect dependent objects beyond this policy.
`PG-RLS-PERMISSIVE`	PG RLS Policy Is Permissive	🟡 Medium	RLS policy created as PERMISSIVE. Multiple permissive policies are combined with OR, which may be less restrictive than intended. Consider RESTRICTIVE policies for tighter control.
`PG-RLS-WEAK-CHECK`	PG RLS Policy Allow-All Write Check	🔴 Critical	PostgreSQL RLS policy WITH CHECK expression is always true. CRITICAL: Policy does not restrict write operations — any row can be inserted or updated.
`PG-TRIG-NEW`	PG Trigger Created	🟡 Medium	Trigger created. Triggers execute automatically and can have significant performance and security implications. Review the trigger function.
`PG-TRIG-NAME-CHG`	PG Trigger Renamed	🟢 Low	Trigger renamed. Update any references to this trigger.
`PG-TRIG-CHG`	PG Trigger Modified	🟡 Medium	Trigger altered (dependency changed). Review the updated trigger configuration.
`PG-TRIG-DROP`	PG Trigger Dropped	🟠 High	Trigger dropped. Automated logic previously enforced by this trigger will no longer execute. Verify data integrity.
`PG-TRIG-CASCADE-DROP`	PG Trigger Dropped with CASCADE	🔴 Critical	Trigger dropped with CASCADE. Cascading removal may affect dependent objects.
`PG-COPY-FROM`	PG COPY FROM (Data Import)	🟡 Medium	COPY FROM imports data into a table. Verify the data source is trusted and the target table is correct.
`PG-COPY-TO`	PG COPY TO (Data Export)	🟠 High	COPY TO exports data from a table. This may expose sensitive data — verify authorization and destination.
`PG-COPY-PROGRAM`	PG COPY PROGRAM (Shell Execution)	🔴 Critical	COPY with PROGRAM executes a shell command on the server. CRITICAL SECURITY RISK: This allows arbitrary command execution with database server privileges.
`PG-DOMAIN-NOTNULL-DROP`	PG Domain NOT NULL Dropped	🟠 High	NOT NULL constraint removed from domain. Columns using this domain may now accept NULL values, potentially causing data quality issues.
`PG-DOMAIN-CONSTR-DROP`	PG Domain Constraint Dropped	🟠 High	Constraint removed from domain. Data validation enforced by this constraint is no longer active.
`PG-DOMAIN-CONSTR-CASCADE-DROP`	PG Domain Constraint Dropped with CASCADE	🔴 Critical	Domain constraint dropped with CASCADE. Cascading removal may affect dependent objects and columns.
`PG-DOMAIN-CHG`	PG Domain Modified	🟡 Medium	Domain altered. Review changes to ensure data type semantics remain correct.
`PG-DOMAIN-NAME-CHG`	PG Domain Renamed	🟢 Low	Domain renamed. Verify all dependent columns and types reference the new name.
`PG-DOMAIN-OWNER-CHG`	PG Domain Owner Changed	🟡 Medium	Domain ownership changed. Verify the new owner has appropriate permissions.
`PG-DOMAIN-DROP`	PG Domain Dropped	🟠 High	Domain dropped. Columns using this domain type will be affected.
`PG-DOMAIN-CASCADE-DROP`	PG Domain Dropped with CASCADE	🔴 Critical	Domain dropped with CASCADE. All dependent columns, constraints, and types will be removed.
`PG-SYS-CFG-CHG`	PG ALTER SYSTEM (Server Config Change)	🔴 Critical	ALTER SYSTEM modifies server-level configuration parameters. CRITICAL: This affects all databases and users on the server. Changes take effect after reload/restart.
`PG-TBLSPC-CHG`	PG ALTER TABLESPACE (Storage Configuration Change)	🟡 Medium	ALTER TABLESPACE modifies storage configuration (location, options, ownership). Review impact on I/O performance and storage allocation.
`PG-OWNED-DROP`	PG DROP OWNED (Mass Object Removal)	🔴 Critical	DROP OWNED removes all objects owned by the specified roles. CRITICAL: This is a mass deletion operation that can cause significant data loss.
`PG-OWNED-REASSIGN`	PG REASSIGN OWNED (Ownership Transfer)	🟠 High	REASSIGN OWNED transfers ownership of all objects from one role to another. Verify the target role has appropriate permissions.
`PG-IDX-NAME-CHG`	PG Index Renamed	🟢 Low	Index renamed. Update any references to this index.
`PG-IDX-CHG`	PG Index Modified	🟡 Medium	Index altered (tablespace or properties changed). Review impact on query performance.
`PG-IDX-REBUILD`	PG REINDEX	🟡 Medium	REINDEX rebuilds indexes. This may cause temporary performance impact and lock contention.
`PG-MATVIEW-REFRESH`	PG Materialized View Refreshed	🟢 Low	Materialized view refreshed. This rebuilds the cached data from the underlying query.
`PG-TBL-LOCK`	PG LOCK TABLE	🟠 High	Explicit table lock acquired. This can cause blocking and deadlocks. Verify the lock mode is appropriate.
`PG-SESSION-DISCARD`	PG DISCARD (Session State Reset)	🟡 Medium	DISCARD resets session state (plans, sequences, temporary objects). Verify this is intentional.
`PG-RULE-NEW`	PG CREATE RULE (Query Rewrite)	🟠 High	CREATE RULE defines a query rewrite rule. Rules silently transform queries, which can lead to unexpected behavior. Consider triggers as a more transparent alternative.
`PG-PUB-CHG`	PG Publication Modified	🟡 Medium	Logical replication publication modified. Changes affect which data is replicated to subscribers.
`PG-SUB-CHG`	PG Subscription Modified	🟡 Medium	Logical replication subscription modified. Changes affect data replication from the publisher.
`PG-ANON-EXEC`	PG Anonymous Code Block Executed	🟠 High	DO $ block executes anonymous code. Cannot be tracked by name, audited, or rolled back. Review for privilege escalation, data modification, and unintended side effects.
`PG-EXT-NEW`	PG Extension Installed	🟠 High	CREATE EXTENSION installs server-side code (C functions, operators, types). Some extensions (e.g. dblink, postgres_fdw, pg_stat_statements) grant powerful capabilities. Requires superuser or trusted extension support.
`PG-EXT-CASCADE-NEW`	PG Extension Installed with CASCADE	🔴 Critical	CREATE EXTENSION ... CASCADE installs the extension AND all its dependencies automatically. Dependencies are installed without explicit review, increasing the attack surface.
`PG-ROLE-NEW`	Role Created	🟡 Medium	CREATE ROLE/USER adds a new database principal. Review granted privileges, login capability, and role membership to prevent privilege creep.
`PG-ROLE-CHG`	Role Modified	🟠 High	ALTER ROLE/USER modifies a database principal's attributes. Changes to privilege flags (SUPERUSER, CREATEDB, CREATEROLE, REPLICATION, LOGIN) can significantly affect security posture.
`PG-ROLE-DROP`	Role Dropped	🟠 High	DROP ROLE/USER removes a database principal. Dependent objects (owned tables, grants) may become inaccessible. Use REASSIGN OWNED before dropping.
`PG-EXT-DROP`	Extension Dropped	🟠 High	DROP EXTENSION removes a PostgreSQL extension. Security extensions (pgcrypto, pg_audit) may be silently removed, weakening data protection.
`PG-EXT-CASCADE-DROP`	Extension Dropped with CASCADE	🔴 Critical	DROP EXTENSION ... CASCADE removes the extension AND all dependent objects. This can silently drop functions, views, and columns that depend on extension types.
`PG-RULE-CHG`	Rule Modified	🟡 Medium	ALTER RULE modifies a PostgreSQL query rewrite rule. Rules can redirect INSERT/UPDATE/DELETE to different tables, affecting data integrity.
`PG-RULE-DROP`	Rule Dropped	🟠 High	DROP RULE removes a query rewrite rule. If the rule enforced data routing or security constraints, those protections are removed.
`PG-RULE-CASCADE-DROP`	Rule Dropped with CASCADE	🟠 High	DROP RULE ... CASCADE removes the rule AND all dependent objects. Cascading drops can affect data integrity constraints.
`PG-TRIG-OFF`	Trigger Disabled	🔴 Critical	ALTER TABLE ... DISABLE TRIGGER disables a trigger. CRITICAL: Audit triggers, referential integrity triggers, and security enforcement triggers will stop firing. This is a common attack vector.
`PG-ROLE-SET`	Session Role Changed	🟠 High	SET ROLE or SET SESSION AUTHORIZATION changes the current session identity. This can escalate privileges or impersonate other users.
`PG-SESSION-CHG`	Session State Changed	🟡 Medium	SET or RESET modifies session configuration (search_path, etc.). search_path changes can enable schema hijacking attacks.
`PG-SESSION-SET`	Session Parameter Set	🟢 Low	SET modifies a session configuration parameter.
`PG-IDX-DROP`	Index Dropped	🟢 Low	DROP INDEX removes an index. May degrade query performance on dependent queries.
`PG-IDX-CASCADE-DROP`	Index Dropped with CASCADE	🟡 Medium	DROP INDEX ... CASCADE removes an index and all dependent objects.
`PG-SEQ-DROP`	Sequence Dropped	🟢 Low	DROP SEQUENCE removes a sequence generator. Columns using this sequence for defaults will break.
`PG-SEQ-CASCADE-DROP`	Sequence Dropped with CASCADE	🟡 Medium	DROP SEQUENCE ... CASCADE removes the sequence and all dependent objects (columns with DEFAULT nextval, etc.).
`PG-TYPE-DROP`	Type Dropped	🟢 Low	DROP TYPE removes a user-defined type. Columns or functions using this type will break.
`PG-TYPE-CASCADE-DROP`	Type Dropped with CASCADE	🟡 Medium	DROP TYPE ... CASCADE removes the type and all dependent columns, functions, and casts.
`PG-TBLSPC-NEW`	Tablespace Created	🟢 Low	CREATE TABLESPACE defines a new storage location for database objects.
`PG-TBLSPC-DROP`	Tablespace Dropped	🟡 Medium	DROP TABLESPACE removes a storage location. Objects in this tablespace must be relocated first.

Databricks (DBX-xxx)

Rule ID	Name	Risk	Description
`DBX-SCHEMA-MGLOC`	Schema Managed Location Set	🟡 Medium	Schema created with MANAGED LOCATION. Data storage location overrides catalog/metastore default. Verify external location permissions.
`DBX-SCHEMA-LOC`	Schema Location Set	🟢 Low	Schema created with custom LOCATION. Data will be stored at specified path instead of default warehouse directory.
`DBX-SCHEMA-OWNER-CHG`	Schema Ownership Transferred	🟠 High	Schema ownership transferred via OWNER TO. New owner gains full control including DROP privileges. Verify authorization.
`DBX-SCHEMA-PREDOPT-CHG`	Schema Predictive Optimization Changed	🟢 Low	Schema predictive optimization setting changed. This affects automatic optimization behavior for objects in the schema.
`DBX-SCHEMA-COLLAT-CHG`	Schema Default Collation Changed	🟢 Low	Schema default collation changed. New objects in the schema will use the updated collation. Existing objects are not affected.
`DBX-SCHEMA-DBPROPS-CHG`	Schema DBPROPERTIES Modified	🟡 Medium	Schema DBPROPERTIES modified. Database properties affect schema metadata and may impact behavior.
`DBX-TBL-OPT`	Delta Table Optimization	🟢 Low	OPTIMIZE compacts small files in a Delta table. May be resource-intensive on large tables — schedule during off-peak hours.
`DBX-VACUUM-ZERO`	VACUUM with Zero Retention	🔴 Critical	VACUUM RETAIN 0 HOURS. CRITICAL: All historical data files will be permanently deleted immediately, destroying time travel capability and breaking any concurrent operations. This is irreversible data loss.
`DBX-VACUUM-LOWRET`	VACUUM with Low Retention	🟠 High	VACUUM with retention period below 7 days (168 hours). This may delete data files needed for time travel or concurrent operations, leading to data loss or query failures.
`DBX-TBL-CLUSTER-OFF`	Clustering Removed (CLUSTER BY NONE)	🟠 High	CLUSTER BY NONE disables liquid clustering on a Delta table. Newly inserted or updated data will no longer be clustered, degrading query performance over time. OPTIMIZE will no longer recluster data. Verify this is intentional.
`DBX-TBL-RESTORE`	Delta Table Restore	🟠 High	RESTORE reverts a Delta table to a previous version. This is a data-modifying operation that replaces the current table state with a prior snapshot — downstream consumers may see unexpected data.
`DBX-CAT-NEW`	Catalog Created	🟢 Low	CREATE CATALOG provisions a new Unity Catalog namespace. All schemas, tables, and other objects within will inherit its permissions and default settings.
`DBX-CAT-OWNER-CHG`	Catalog Ownership Transfer	🟠 High	ALTER CATALOG ... OWNER TO transfers full administrative control of the catalog. The new owner gains MANAGE permissions on all objects within. Verify the target principal is authorized.
`DBX-CAT-CASCADE-DROP`	Catalog Dropped with CASCADE	🔴 Critical	DROP CATALOG CASCADE destroys the catalog AND all contained schemas, tables, views, and functions. This is an irreversible bulk data-loss operation.
`DBX-CAT-DROP`	Catalog Dropped	🟠 High	DROP CATALOG removes a Unity Catalog namespace. The catalog must be empty unless CASCADE is specified. Verify no downstream dependencies exist.
`DBX-CAT-TAG-CHG`	Catalog Tags Modified	🟡 Medium	Catalog-level tags modified. Tags control governance policies (masking, row filters) across all objects in the catalog. Verify tag values are intentional.
`DBX-CAT-TAG-RMV`	Catalog Tags Removed	🟡 Medium	Catalog-level tags removed. Removing tags may disable governance policies (masking, row filtering) that depend on them.
`DBX-CAT-PREDOPT-CHG`	Catalog Predictive Optimization Changed	🟢 Low	Predictive optimization setting changed on catalog. This affects automatic maintenance operations (OPTIMIZE, VACUUM) for all tables within the catalog.
`DBX-VOL-NEW`	Volume Created	🟢 Low	CREATE VOLUME provisions a new Unity Catalog volume for file storage. External volumes reference cloud storage; managed volumes are fully governed by Unity Catalog.
`DBX-VOL-OWNER-CHG`	Volume Ownership Transfer	🟠 High	ALTER VOLUME ... OWNER TO transfers full administrative control of the volume. The new owner gains MANAGE permissions on the volume and its contents.
`DBX-VOL-DROP`	Volume Dropped	🟠 High	DROP VOLUME removes a Unity Catalog volume. Managed volumes lose stored files after 7 days; external volumes lose only metadata. This cannot be undone.
`DBX-VOL-NAME-CHG`	Volume Renamed	🟡 Medium	ALTER VOLUME ... RENAME TO changes the volume name. Existing file paths referencing /Volumes/catalog/schema/old_name will break.
`DBX-VOL-TAG-CHG`	Volume Tags Modified	🟢 Low	Volume-level tags modified. Tags enable governance classification and policy enforcement on the volume.
`DBX-VOL-TAG-RMV`	Volume Tags Removed	🟡 Medium	Volume-level tags removed. Removing tags may disable governance policies that depend on them for the volume.
`DBX-GRT-CAT-ALLPRIV`	Grant All Privileges on Catalog	🔴 Critical	GRANT ALL PRIVILEGES ON CATALOG detected. This grants every privilege on the entire Unity Catalog namespace — including all schemas, tables, views, and volumes within it. Use fine-grained grants (e.g., USE CATALOG, CREATE SCHEMA) instead.
`DBX-GRT-CAT-MANAGE`	Grant MANAGE on Catalog	🔴 Critical	GRANT MANAGE ON CATALOG detected. MANAGE provides broad administrative control over Unity Catalog objects and permissions. Verify this grant is explicitly approved.
`DBX-GRT-SCHEMA-MANAGE`	Grant MANAGE on Schema	🟠 High	GRANT MANAGE ON SCHEMA detected. MANAGE allows delegated privilege administration within the schema. Ensure least-privilege scope and approval.
`DBX-GRT-VOL-MANAGE`	Grant MANAGE on Volume	🟠 High	GRANT MANAGE ON VOLUME detected. This enables broad administration over Unity Catalog volume access and metadata. Verify governance intent.
`DBX-RVK-CAT-ALLPRIV`	Revoke All Privileges on Catalog	🟠 High	REVOKE ALL PRIVILEGES ON CATALOG detected. This can immediately remove broad access and disrupt workloads. Verify blast radius and rollout timing.
`DBX-RVK-CAT-MANAGE`	Revoke MANAGE on Catalog	🟡 Medium	REVOKE MANAGE ON CATALOG detected. Catalog-level administrative control is being removed from a principal. Verify this is expected and staged to avoid operational disruption.
`DBX-TBL-CLONE-SHALLOW`	Shallow Clone Created	🟡 Medium	SHALLOW CLONE created. Shallow clones share underlying data files with the source table — they do not duplicate data. If the source table is VACUUM'd or dropped, the clone may become unreadable. Prefer DEEP CLONE for durable, independent copies.
`DBX-EXTLOC-NEW`	External Location Created	🟡 Medium	External location created. This maps a cloud storage path to a Unity Catalog location with a storage credential. Verify the URL and credential are authorized.
`DBX-EXTLOC-URL-CHG`	External Location URL Modified	🟡 Medium	External location URL modified. This changes the mapped cloud storage path for the location. Verify the new URL is intended and access boundaries remain correct.
`DBX-EXTLOC-CRED-CHG`	External Location Credential Modified	🟠 High	External location storage credential changed. This alters which cloud principal accesses the storage path. Verify least-privilege access and authorization boundaries.
`DBX-EXTLOC-OWNER-CHG`	External Location Ownership Changed	🟠 High	External location ownership transferred. The new owner gains administrative control over the location and its storage mapping. Verify this transfer is authorized.
`DBX-EXTLOC-DROP`	External Location Dropped	🟠 High	External location dropped. Unity Catalog objects relying on this location may lose access to underlying cloud storage. Verify dependency impact before dropping.
`DBX-MERGE-SCHEMA-EVO`	Merge Schema Evolution Enabled	🟡 Medium	MERGE WITH SCHEMA EVOLUTION enabled. Target Delta table schema may be automatically altered to match source columns. Validate schema-governance controls and downstream compatibility.
`DBX-CRED-NEW`	Storage Credential Created	🟡 Medium	Storage credential created. This grants cloud storage access (e.g., IAM role, service account) to Unity Catalog. Verify the credential is authorized and follows least-privilege principles.
`DBX-CRED-DROP`	Storage Credential Dropped	🟠 High	Storage credential dropped. External locations and tables depending on this credential will lose access. Verify no active resources depend on this credential.
`DBX-CRED-OWNER-CHG`	Storage Credential Ownership Changed	🟠 High	Storage credential ownership transferred. The new owner gains full control over cloud storage access. Verify this transfer is authorized.
`DBX-CRED-NAME-CHG`	Storage Credential Renamed	🟡 Medium	Storage credential renamed. External locations referencing the old name may need to be updated.
`DBX-CONN-NEW`	Connection Created	🟡 Medium	External connection created. This establishes a federated connection to an external data system (e.g., PostgreSQL, MySQL, Snowflake). Verify the connection type, host, and credentials are authorized.
`DBX-CONN-DROP`	Connection Dropped	🟠 High	External connection dropped. Foreign catalogs and federated queries depending on this connection will fail. Verify no active resources depend on this connection.
`DBX-CONN-OWNER-CHG`	Connection Ownership Changed	🟠 High	External connection ownership transferred. The new owner gains full control over the federated connection and its credentials. Verify this transfer is authorized.
`DBX-CONN-NAME-CHG`	Connection Renamed	🟡 Medium	External connection renamed. Foreign catalogs and queries referencing the old connection name may need to be updated.
`DBX-CONN-CHG`	Connection Options Modified	🟡 Medium	External connection options changed. Connection credentials (host, port, password) have been modified. Verify the new options are correct and authorized.
`DBX-TBL-PROPS-CHG`	Table Properties Modified	🟡 Medium	Delta table properties modified via SET TBLPROPERTIES. Properties like delta.deletedFileRetentionDuration, delta.logRetentionDuration, or delta.appendOnly control data retention, time travel, and mutability. Verify the new values are authorized and won't cause data loss.
`DBX-TBL-PROPS-RMV`	Table Properties Removed	🟠 High	Delta table properties removed via UNSET TBLPROPERTIES. Removing properties like delta.deletedFileRetentionDuration or delta.appendOnly resets them to system defaults, which may reduce retention periods or re-enable mutations on append-only tables.
`DBX-TBL-CACHE`	Table Cached	🟢 Low	CACHE TABLE caches a table or query result in Spark's in-memory cache. This consumes cluster memory and may affect other workloads. Schedule during off-peak hours for large tables.
`DBX-TBL-UNCACHE`	Table Uncached	🟢 Low	UNCACHE TABLE removes a table from Spark's in-memory cache. Subsequent queries will read from storage, which may increase latency.
`DBX-FLOW-NEW`	Flow Created	🟢 Low	CREATE FLOW defines a Lakeflow CDC pipeline (AUTO CDC INTO or APPLY CHANGES INTO). Verify keys, sequencing, and SCD mode align with data governance expectations.
`DBX-GRT-CAT-MODIFY`	Grant MODIFY on Catalog	🔴 Critical	GRANT MODIFY ON CATALOG detected. MODIFY in Databricks combines INSERT, UPDATE, and DELETE privileges on ALL current and future tables in the catalog. This is equivalent to granting full DML on every table. Use schema- or table-level grants instead.
`DBX-GRT-SCHEMA-MODIFY`	Grant MODIFY on Schema	🟠 High	GRANT MODIFY ON SCHEMA detected. MODIFY combines INSERT, UPDATE, and DELETE on all current and future tables in the schema. Verify this scope is intended.
`DBX-GRT-EXTUSE-LOC`	Grant EXTERNAL USE LOCATION	🔴 Critical	GRANT EXTERNAL USE LOCATION detected. This allows temporary credential vending for external processing engines to access Unity Catalog external locations. CRITICAL data exfiltration risk — ALL PRIVILEGES intentionally excludes this privilege.
`DBX-GRT-EXTUSE-SCHEMA`	Grant EXTERNAL USE SCHEMA	🔴 Critical	GRANT EXTERNAL USE SCHEMA detected. This allows temporary credential vending for external engines to access tables via Iceberg REST APIs. CRITICAL data exfiltration risk — ALL PRIVILEGES intentionally excludes this privilege.
`DBX-GRT-EXTLOC-WRFILES`	Grant WRITE FILES on External Location	🟠 High	GRANT WRITE FILES detected. This allows direct writes to cloud object storage configured as an external location. Databricks recommends using WRITE VOLUME instead for governed access.
`DBX-GRT-EXTLOC-RDFILES`	Grant READ FILES on External Location	🟡 Medium	GRANT READ FILES detected. This allows direct reads from cloud object storage configured as an external location. Databricks recommends using READ VOLUME instead for governed access.
`DBX-GRT-CRED-CREATE`	Grant CREATE STORAGE CREDENTIAL	🟠 High	GRANT CREATE STORAGE CREDENTIAL detected. This allows the grantee to create new cloud storage credentials in the metastore — a highly privileged infrastructure operation.
`DBX-GRT-EXTLOC-CREATE`	Grant CREATE EXTERNAL LOCATION	🟠 High	GRANT CREATE EXTERNAL LOCATION detected. This allows the grantee to map new cloud storage paths into Unity Catalog — a privileged infrastructure operation.
`DBX-GRT-SHARE-SETPERM`	Grant SET SHARE PERMISSION	🟠 High	GRANT SET SHARE PERMISSION detected. Combined with USE SHARE and USE RECIPIENT, this enables the grantee to share data with external organizations via Delta Sharing. Verify data-sharing authorization.

Informational (INFO-xxx)

Rule ID	Name	Risk	Description
`INFO-Q-PRED-TEMPORAL`	Temporal Query Pattern	⚪ Info	Temporal predicate detected using CURRENT_DATE/CURRENT_TIMESTAMP. Results change daily, affecting cache hit rates.
`INFO-DB-NEW`	Database Created	⚪ Info	Database created. New database provisioned.
`INFO-DB-UNDROP`	Database Recovered	⚪ Info	Database recovered using UNDROP. Previously dropped database has been restored.
`INFO-SCHEMA-NEW`	Schema Created	⚪ Info	Schema created. New schema provisioned.
`INFO-SCHEMA-UNDROP`	Schema Recovered	⚪ Info	Schema recovered using UNDROP. Previously dropped schema has been restored.
`INFO-TBL-UNDROP`	Table Recovered	⚪ Info	Table recovered using UNDROP. Previously dropped table has been restored.
`INFO-UDF-SECURE-ADD`	Function Secured	⚪ Info	Function secured. Function body is now hidden from users without ownership.
`INFO-PROC-SECURE-ADD`	Procedure Secured	⚪ Info	Procedure secured. Procedure body is now hidden from users without ownership.
`INFO-PG-RLS-NEW`	PG Row-Level Security Policy Created	⚪ Info	Row-level security policy created. Positive governance signal — data access is being restricted at the row level.
`INFO-PG-DOMAIN-NEW`	PG Domain Created	⚪ Info	Domain created. Positive governance signal — custom type constraints are being defined.
`INFO-PG-DOMAIN-CONSTR-ADD`	PG Domain Constraint Added	⚪ Info	Constraint added to domain. Positive governance signal — data validation is being strengthened.
`INFO-PG-TRIG-ON`	Trigger Enabled	⚪ Info	ALTER TABLE ... ENABLE TRIGGER restores trigger firing. Positive signal: security/audit enforcement re-activated.
`INFO-PG-IDX-NEW`	Index Created	⚪ Info	CREATE INDEX adds an index. Positive governance signal — improves query performance.
`INFO-PG-SEQ-NEW`	Sequence Created	⚪ Info	CREATE SEQUENCE defines a new sequence generator.
`INFO-PG-SEQ-CHG`	Sequence Modified	⚪ Info	ALTER SEQUENCE modifies a sequence generator. Changes to INCREMENT, RESTART, or ownership may affect dependent tables.
`INFO-PG-TYPE-NEW`	Type Created	⚪ Info	CREATE TYPE defines a new composite, enum, or range type.
`INFO-PG-TYPE-CHG`	Type Modified	⚪ Info	ALTER TYPE modifies a user-defined type (add/rename values, change owner, etc.).
`INFO-PG-COMMENT-CHG`	Comment Changed	⚪ Info	COMMENT ON modifies object metadata. Positive governance signal — improves documentation.
`INFO-PG-MAINT-VACUUM`	Maintenance Executed (VACUUM)	⚪ Info	VACUUM reclaims storage and updates statistics. Routine maintenance operation.
`INFO-PG-MAINT-ANALYZE`	Maintenance Executed (ANALYZE)	⚪ Info	ANALYZE updates table statistics for the query planner. Routine maintenance operation.
`INFO-PG-MAINT-CLUSTER`	Maintenance Executed (CLUSTER)	⚪ Info	CLUSTER reorders table data according to an index. May cause brief lock on the table.
`INFO-PG-NOTIFY-SUB`	Notification Channel Subscribed	⚪ Info	LISTEN subscribes to a notification channel.
`INFO-PG-NOTIFY-SEND`	Notification Sent	⚪ Info	NOTIFY sends a notification on a channel.
`INFO-PG-NOTIFY-UNSUB`	Notification Channel Unsubscribed	⚪ Info	UNLISTEN unsubscribes from a notification channel.
`INFO-PG-AGG-NEW`	Aggregate Created	⚪ Info	CREATE AGGREGATE defines a new aggregate function.
`INFO-PG-OP-NEW`	Operator Created	⚪ Info	CREATE OPERATOR defines a new operator.
`INFO-DBX-TBL-HIST`	Delta Table History Review	⚪ Info	DESCRIBE HISTORY retrieves the provenance log for a Delta table. This is a read-only audit operation — no data is modified.
`INFO-DBX-TBL-REPAIR`	Partition Metadata Repair	⚪ Info	REPAIR TABLE (MSCK REPAIR TABLE) updates the Hive metastore partition metadata for a partitioned table. This is a metadata maintenance operation; it does not rewrite table data.
`INFO-DBX-TBL-CLUSTER-CFG`	Clustering Configured	⚪ Info	Liquid clustering configured on Delta table. Run OPTIMIZE to apply clustering to existing data.
`INFO-TBL-CLONE`	Table Cloned	⚪ Info	Table cloned. CLONE creates a copy of a table. In Snowflake, clones are zero-copy and share storage until modified. In Databricks, SHALLOW clones share data files while DEEP clones duplicate them.
`INFO-DBX-CAT-COMMENT-CHG`	Catalog Comment Changed	⚪ Info	COMMENT ON CATALOG modifies Unity Catalog metadata. Positive governance signal — improves catalog documentation and discoverability.
`INFO-DBX-VOL-COMMENT-CHG`	Volume Comment Changed	⚪ Info	COMMENT ON VOLUME modifies Unity Catalog volume metadata. Positive governance signal — improves storage documentation.
`INFO-DBX-CONN-COMMENT-CHG`	Connection Comment Changed	⚪ Info	COMMENT ON CONNECTION modifies Unity Catalog connection metadata. Positive governance signal — documents external data source purpose and ownership.
`INFO-DBX-TBL-CACHE-LAZY`	Table Lazy Cached	⚪ Info	CACHE LAZY TABLE registers a table for deferred caching — data is only cached on first access. Lower impact than eager CACHE TABLE.

Generated from builtin_rules.yaml at build time.