Integration Options

This guide covers CI/CD integration for PR reviews and pipeline gates. For runtime integration (agents, applications checking SQL before execution), see Runtime / Agent Integration.

Dashboard

The dashboard provides a web UI for viewing analysis results, trends, and findings.

# Start dashboard (reads .lexega/ by default — works out of the box after `init`)
lexega-sql dashboard

# Explicit local directory
lexega-sql dashboard --data-dir .lexega/

# Read from cloud storage (S3, GCS, or Azure)
lexega-sql dashboard --data-dir s3://my-bucket/lexega-data

# Custom port / don't auto-open browser
lexega-sql dashboard --data-dir .lexega/ --port 3000 --no-open

Expected Directory Structure

The dashboard expects decision and report artifacts under decisions/ and reports/ subdirectories. Reports are ingested in JSON, YAML, and SARIF form — the baseline.sarif that init writes shows up automatically.

<data-dir>/
  decisions/
    <run-id>/decision.json
    ...
  reports/
    baseline.sarif
    <run-id>/risk_report.json
    ...

This structure is created automatically when you use --decision-out and --report-out with the right paths:

# Local: write artifacts into the directory the dashboard reads
lexega-sql analyze models/*.sql \
  --policy policy.yml --env prod \
  --decision-out .lexega/decisions/$GITHUB_RUN_ID/ \
  --report-out .lexega/reports/$GITHUB_RUN_ID/

# Cloud: same structure, just an S3/GCS/Azure prefix
lexega-sql analyze models/*.sql \
  --policy policy.yml --env prod \
  --decision-out s3://my-bucket/lexega-data/decisions/$GITHUB_RUN_ID/ \
  --report-out s3://my-bucket/lexega-data/reports/$GITHUB_RUN_ID/

Cloud Storage Support

Pass a cloud URI as --data-dir and the dashboard downloads files on startup and on refresh:

# S3
lexega-sql dashboard --data-dir s3://my-bucket/lexega-data

# GCS
lexega-sql dashboard --data-dir gs://my-bucket/lexega-data

# Azure Blob Storage
lexega-sql dashboard --data-dir az://my-container/lexega-data

Cloud credentials are read from standard environment variables (AWS_* / GOOGLE_APPLICATION_CREDENTIALS / AZURE_STORAGE_*).

Note: The dashboard runs on your machine—your data never leaves your infrastructure. When --data-dir points to a cloud URI, files are downloaded locally for display; no data is sent elsewhere.

CI/CD Integration

License Setup

For CI/CD runners, pass your license key via environment variable:

env:
  LEXEGA_LICENSE_KEY: ${{ secrets.LEXEGA_LICENSE_KEY }}  # GitHub
  # LEXEGA_LICENSE_KEY: $LEXEGA_LICENSE_KEY              # GitLab
  # LEXEGA_LICENSE_KEY: $(LEXEGA_LICENSE_KEY)            # Azure DevOps

The LEXEGA_LICENSE_KEY environment variable is checked before the license file on disk, making it ideal for ephemeral CI runners.

Installing the CLI in CI

CI runners are ephemeral, so install the CLI as the first step of the job. lexega-sql is a single static binary with no runtime dependencies — installation is one download.

Pin the version your team has validated (recommended for CI, so the gate's behavior only changes when you choose to upgrade):

VERSION=v1.7.0                # pick from https://github.com/Lexega/releases/releases
ASSET=lexega-sql-linux-x64    # linux/darwin × x64/arm64
curl -sSL -O "https://github.com/Lexega/releases/releases/download/${VERSION}/${ASSET}"
curl -sSL "https://github.com/Lexega/releases/releases/download/${VERSION}/CHECKSUMS.sha256" | grep " ${ASSET}$" | sha256sum -c -
install -m 755 "${ASSET}" /usr/local/bin/lexega-sql

Or always track the latest release:

curl -sSL https://lexega.com/install.sh | sh

The full workflow examples below include the pinned install step.
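The checksum step above fails closed in two ways that are worth seeing once: a binary whose digest does not match, and an asset name that is absent from CHECKSUMS.sha256 (grep then feeds sha256sum nothing, and sha256sum exits non-zero). This added example, which is not part of the lexega-sql docs, wraps that pipeline in a function and exercises it against constructed files in a temp directory; the file contents and the `tampered` name are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lexega-sql docs): the checksum step of the pinned
# install as a function, plus a constructed fixture that exercises its failure modes.

# verify_asset ASSET MANIFEST
# Returns 0 only when MANIFEST lists ASSET and the listed digest matches ASSET on disk.
verify_asset() {
  asset=$1
  manifest=$2
  # Same pipeline as the install step. The trailing $ anchors on the whole file name,
  # so a manifest line for "lexega-sql-linux-x64.sig" cannot satisfy a check for
  # "lexega-sql-linux-x64". If no line matches, sha256sum reads empty input and exits
  # non-zero, so an asset missing from the manifest is rejected, not waved through.
  grep " ${asset}$" "$manifest" | sha256sum -c - >/dev/null 2>&1
}

# make_fixture prints a temp directory holding constructed stand-ins for a release:
#   lexega-sql-linux-x64    listed in the manifest and intact
#   lexega-sql-linux-arm64  present on disk but never listed in the manifest
#   tampered                listed, then modified after the manifest was written
make_fixture() {
  dir=$(mktemp -d)
  printf 'good build\n' > "$dir/lexega-sql-linux-x64"
  printf 'unlisted\n'   > "$dir/lexega-sql-linux-arm64"
  printf 'original\n'   > "$dir/tampered"
  ( cd "$dir" && sha256sum lexega-sql-linux-x64 tampered > CHECKSUMS.sha256 )
  printf 'modified\n'   > "$dir/tampered"   # simulate a swapped binary
  echo "$dir"
}

# check ASSET DIR: run verify_asset inside DIR and print a one-line verdict.
check() {
  if ( cd "$2" && verify_asset "$1" CHECKSUMS.sha256 ); then
    echo "OK       $1"
  else
    echo "REJECTED $1"
    return 1
  fi
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_fixture)
  check lexega-sql-linux-x64 "$d"     # OK
  check lexega-sql-linux-arm64 "$d"   # REJECTED: not in manifest
  check tampered "$d"                 # REJECTED: digest mismatch
  rm -rf "$d"
fi
```

Run it with `sh verify.sh demo` to see all three verdicts; in a CI job only the `verify_asset` pipeline is needed, exactly as the install step above already uses it.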

Automatic PR Comments

The easiest integration is using --pr-comment to automatically post review results directly to your PR:

GitHub Actions:

name: SQL Review
on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Lexega
        run: |
          curl -sSL -O https://github.com/Lexega/releases/releases/download/v1.7.0/lexega-sql-linux-x64
          curl -sSL https://github.com/Lexega/releases/releases/download/v1.7.0/CHECKSUMS.sha256 | grep ' lexega-sql-linux-x64$' | sha256sum -c -
          sudo install -m 755 lexega-sql-linux-x64 /usr/local/bin/lexega-sql

      - name: SQL Review
        env:
          LEXEGA_LICENSE_KEY: ${{ secrets.LEXEGA_LICENSE_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          lexega-sql review ${{ github.event.pull_request.base.sha }}..${{ github.sha }} . -r --pr-comment

GitLab CI:

sql-review:
  before_script:
    - curl -sSL -O https://github.com/Lexega/releases/releases/download/v1.7.0/lexega-sql-linux-x64
    - curl -sSL https://github.com/Lexega/releases/releases/download/v1.7.0/CHECKSUMS.sha256 | grep ' lexega-sql-linux-x64$' | sha256sum -c -
    - install -m 755 lexega-sql-linux-x64 /usr/local/bin/lexega-sql
  script:
    - lexega-sql review origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME..HEAD . -r --pr-comment
  rules:
    - if: $CI_MERGE_REQUEST_IID
  variables:
    LEXEGA_LICENSE_KEY: $LEXEGA_LICENSE_KEY
    GITLAB_TOKEN: $CI_JOB_TOKEN

Bitbucket Pipelines:

pipelines:
  pull-requests:
    '**':
      - step:
          script:
            - curl -sSL -O https://github.com/Lexega/releases/releases/download/v1.7.0/lexega-sql-linux-x64
            - curl -sSL https://github.com/Lexega/releases/releases/download/v1.7.0/CHECKSUMS.sha256 | grep ' lexega-sql-linux-x64$' | sha256sum -c -
            - install -m 755 lexega-sql-linux-x64 /usr/local/bin/lexega-sql
            - export LEXEGA_LICENSE_KEY=$LEXEGA_LICENSE_KEY
            - export BITBUCKET_TOKEN=$BITBUCKET_TOKEN  # Set as repository variable
            - lexega-sql review origin/$BITBUCKET_PR_DESTINATION_BRANCH..HEAD . -r --pr-comment

The --pr-comment flag automatically detects your CI platform and posts/updates a comment on the PR. It uses a marker to update existing comments on subsequent runs rather than creating duplicates (on GitHub and GitLab; Bitbucket posts a new comment each run).

Policy-Based Blocking

For stricter enforcement, use policies to fail the pipeline. The default policy from lexega-sql init is permissive (warns only). To enable blocking, edit .lexega/policy.yml and change critical: warn to critical: block:

# .lexega/policy.yml (edit to enable blocking)
severity_actions:
  - critical: block   # Change from 'warn' to 'block'
    high: warn
default_action: allow

See Policy Reference for details on scoping severity actions by path or environment.

#!/bin/bash
# Policy-based blocking: lexega-sql analyze exits 2 when the policy blocks the change.
lexega-sql analyze \
  --policy .lexega/policy.yml \
  --env prod \
  --decision-out ".lexega/decisions/${GITHUB_RUN_ID}/" \
  --format json \
  *.sql > report.json
status=$?

if [ "$status" -eq 2 ]; then
    echo "Policy blocked. See decision.json for details."
    exit 1
elif [ "$status" -ne 0 ]; then
    # Any other non-zero status is a tool failure, not a policy verdict; fail the job
    # rather than letting a broken analysis pass as "no findings".
    echo "lexega-sql analyze failed with exit code ${status}."
    exit "$status"
fi

Tip: Set LEXEGA_CI=1 to enforce that --policy is always provided (prevents accidental bypass in CI). When writing artifacts to cloud storage (S3/GCS/Azure), use a unique per-run directory prefix (for example s3://bucket/lexega/decisions/$GITHUB_RUN_ID/) so each run produces distinct artifacts.

Need Help?

Can't find what you're looking for? Check out our GitHub or reach out to support.