Builtin Rule Reference

Name: Lexega
Author: Lexega

This page lists all builtin rules that ship with Lexega. These rules are evaluated automatically unless disabled with --no-builtin.

Usage in policies: Reference any rule by its ID:

policies:
  - rule_id: SNW-STG-ENC-OFF  # Stage Encryption Disabled
    action: block
    envs: [prod]

Query Analysis (Q-xxx)

Rule ID	Risk	Description
`Q-JOIN-CROSS-CENH`	🟡 medium	Cross join between {witness.left.name.raw} and {witness.right.name.raw} on a catalog-attested cartesian product of {witness.cartesian_estimate} rows. May cause performance issues on large tables. [Catalog-enhanced]
`Q-SCAN-NOFILT`	🟡 medium	Query reads multiple tables without an effective WHERE filter or LIMIT clause. This may cause full table scans.
`Q-SCAN-1TBL`	🟡 medium	SELECT without an effective WHERE filter or LIMIT clause on table. May cause full table scan. Use tables.none_of to allowlist known-small tables.
`Q-WIN-NOPART`	🟡 medium	Window function without PARTITION BY operates over entire result set. This may cause performance issues or unexpected results.
`Q-WIN-RANK-NOORD`	🟡 medium	ROW_NUMBER/RANK/DENSE_RANK without ORDER BY produces arbitrary ordering. Results are non-deterministic.
`Q-NULL-NOTIN`	🟠 high	NULL-logic hazard: NOT IN with subquery on column '{column}'. If subquery returns any NULL, entire predicate evaluates to UNKNOWN and filters all rows. Use NOT EXISTS or ensure subquery has WHERE ... IS NOT NULL.
`Q-PRED-CONTRA`	🔴 critical	Contradictory equality: predicate can never be true (e.g., WHERE a=1 AND a=2). Query will return zero rows.
`Q-PRED-RANGE`	🟠 high	Impossible range: predicates define an empty range (e.g., WHERE x>10 AND x<5). Query will return zero rows.
`Q-PRED-TAUTOLOGY`	🟡 medium	Tautological predicate: condition is always true (e.g., WHERE x=1 OR x<>1). The WHERE clause provides no filtering.
`Q-PRED-REDUNDANT`	🟢 low	Redundant predicate: condition is already implied by another predicate (e.g., WHERE x>5 AND x>3). The weaker predicate has no effect.
`Q-AGG-MANYDIM`	🟡 medium	GROUP BY with many columns (>5) may indicate design issues or produce sparse results.
`Q-SUBQ-SCALAR`	🟡 medium	\|
`Q-AGG-NOFILT`	🟢 low	Aggregate query without effective WHERE filter. Consider adding filters to avoid processing entire tables.
`Q-SUBQ-CORR-SEL`	🟠 high	Correlated scalar subquery (N+1 query pattern). Consider rewriting as JOIN for better performance.
`Q-SUBQ-CORR-WHERE`	🟡 medium	Correlated subquery in WHERE/IN clause. May cause performance issues on large datasets. Consider rewriting with EXISTS or JOIN.
`Q-AGG-NONDET`	🟡 medium	Non-deterministic expression in GROUP BY context. Results may vary between executions with same data.
`Q-WIN-NONDET`	🟠 high	Non-deterministic expression in window function. Results may vary between executions with same data.
`Q-NONDET`	🟡 medium	Query contains non-deterministic elements. Results may vary between executions.
`Q-WIN-MULTIPART`	🟡 medium	Multiple window functions with different PARTITION BY clauses. Query will re-partition data multiple times, causing additional shuffles.
`Q-TBL-UNBOUNDED-CENH`	🟠 high	Unbounded query on large table — WHERE clause is absent or tautological. Consider adding filters to reduce data scanned. [Catalog-enhanced]
`Q-TBL-SELSTAR-WIDE-CENH`	🟡 medium	SELECT * on wide table (50+ columns). Scanning many unnecessary columns increases I/O and network transfer. Consider explicit column selection. [Catalog-enhanced]
`Q-AGG-NOFILT-CENH`	🟡 medium	Aggregating a large table (1M+ rows) without effective WHERE filter. Consider adding time/partition filters to reduce scan size. [Catalog-enhanced]
`Q-WIN-NOPART-CENH`	🟠 high	Window function without PARTITION BY operates on entire large table (1M+ rows) in single partition. Add PARTITION BY to reduce memory pressure. [Catalog-enhanced]
`Q-WIN-UNBOUNDED-CENH`	🔴 critical	Window function with unbounded frame and no PARTITION BY. Extremely expensive on large datasets - entire table processed as one partition. [Catalog-enhanced]
`Q-WIN-HICARD-CENH`	🟠 high	Window function partitioned on high-cardinality column. May cause performance issues. [Catalog-enhanced]
`Q-WIN-USAGE`	🟢 low	Window function usage detected. Verify PARTITION BY and ORDER BY clauses.
`Q-PROP-CONTRA`	🔴 critical	Cross-scope contradiction: consumer predicate contradicts upstream CTE/subquery constraint. Query will always return zero rows from the upstream source.
`Q-SUBQ-REPEAT`	🟡 medium	Repeated subquery pattern detected. Consider using CTEs or temporary tables for better readability and potential performance improvement.
`Q-WIN-FRAME`	🟢 low	Custom window frame specification detected. Verify boundaries.
`Q-JOIN-TYPEMIS-CENH`	🟡 medium	JOIN on columns with mismatched data types. This causes implicit type conversion and may prevent index usage, resulting in slower queries. [Catalog-enhanced]
`Q-JOIN-NULL-CENH`	🟠 high	JOIN on nullable column silently excludes NULL values. NULL values in this column will not match, potentially losing data. Consider LEFT JOIN or add IS NOT NULL filter. [Catalog-enhanced]
`Q-FLOW-DROP-REF`	🔴 critical	Statement references a table or view that was dropped by a prior statement in this script. This statement will fail at runtime.
`Q-FLOW-RENAME-REF`	🟠 high	Statement references a table by its old name after it was renamed by a prior statement in this script. Use the new name or reorder the statements.
`Q-FLOW-COL-DROP`	🔴 critical	Statement references a column that was dropped by a prior ALTER TABLE statement in this script. This statement will fail at runtime.
`Q-FLOW-TAINT`	⚪ info	Output column derives from a classified source (catalog tag). When materialized by a privileged role (e.g. dbt service account), source masking policies do not protect the destination table. Ensure the destination has its own masking policy or access controls.
`Q-NULL-COUNT-CENH`	🟠 high	COUNT({column}) on confirmed nullable column excludes NULL values. This column is nullable per catalog metadata. If counting all rows including NULLs, use COUNT(*) instead. [Catalog-enhanced]
`Q-VIEW-REF-CENH`	🟡 medium	Query references VIEW(s). Views are recomputed on every execution (not materialized). [Catalog-enhanced]
`Q-AGG-HICARD`	🟡 medium	GROUP BY includes high-cardinality columns (IDs, emails, etc.). This can generate millions of groups causing memory pressure.
`Q-NULL-NEQ`	🟡 medium	NULL-logic warning: <> or != operator on column(s) [{witness.column.name.raw}] will not match NULL values. If NULLs are valid data, use 'OR column IS NULL' or IS DISTINCT FROM.
`Q-JOIN-FKVIOL-CENH`	🔴 critical	JOIN doesn't follow defined foreign key relationship. The FK constraint specifies different columns than those used in the JOIN, which is likely a logic error. [Catalog-enhanced]
`Q-JOIN-LEFT-FILT`	🔴 critical	LEFT JOIN nullable side filtered in WHERE clause. This effectively converts the LEFT JOIN to an INNER JOIN, likely a bug.
`Q-JOIN-TEMPORAL-CENH`	🟡 medium	Temporal join without explicit date bounds. This may cause full table scans or incorrect results across time periods. [Catalog-enhanced]
`Q-MULTI-TEMPORAL-CENH`	🟡 medium	Tables with temporal columns (DATE/TIMESTAMP) are joined without date filter in WHERE or JOIN ON. This can cause unbounded historical joins with poor performance. [Catalog-enhanced]
`Q-JOIN-DISTINCT-MASK`	🟡 medium	DISTINCT may be masking a join fan-out. If the join produces duplicate rows, DISTINCT hides rather than fixes the issue. Consider verifying join cardinality or using EXISTS.
`Q-JOIN-DISTINCT-MASK-CENH`	🟠 high	DISTINCT confirmed to mask a join fan-out. Catalog shows join keys lack unique constraints, meaning the join will produce duplicates. DISTINCT hides this bug rather than fixing it. [Catalog-enhanced]
`Q-JOIN-FANOUT-CENH`	🟠 high	Join produces row multiplication (1:N relationship). Aggregates or counts may be inflated. Consider using a subquery or window function. [Catalog-enhanced]
`Q-AGG-EXPLODE-CENH`	🟡 medium	Multiple joins with aggregation but no effective WHERE filter. This can cause exponential row explosion and incorrect aggregates. [Catalog-enhanced]

DML Signals (DML-xxx)

Rule ID	Risk	Description
`DML-WRITE-UNBOUNDED`	🔴 critical	Unbounded write operation detected - the statement has no WHERE clause or its WHERE clause matches every row. This affects ALL rows in the target table(s).
`DML-WRITE-XSCHEMA`	🟡 medium	Cross-schema write operation detected. Verify schema permissions and change control procedures.
`DML-WRITE-MULTITBL`	🟢 low	Write operation affects multiple tables. Verify transaction boundaries and rollback plan.

Credential Exposure (CRED-xxx)

Rule ID	Risk	Description
`CRED-AWS-LEAK`	🔴 critical	Hardcoded AWS access key detected (AKIA.../ASIA...). Never commit credentials to source code. Use secure parameter passing, secrets managers, or storage integrations instead.
`CRED-PWD-LEAK`	🔴 critical	Hardcoded password detected in SQL. Use secure parameter passing (e.g., :password_param) or secrets management instead of literal passwords.
`CRED-APIKEY-LEAK`	🔴 critical	Hardcoded API key or access token detected. Store API keys in secure secrets managers, not in SQL code.
`CRED-CONNSTR-LEAK`	🔴 critical	Connection string with embedded credentials detected (user:password@host). Use secure credential storage instead of embedding credentials in URLs.

Table Operations (TBL-xxx)

Rule ID	Risk	Description
`TBL-DROP`	🔴 critical	DROP TABLE detected. Table and all data will be permanently deleted.
`TBL-TRUNCATE`	🔴 critical	TRUNCATE TABLE detected. All rows will be permanently deleted.
`TBL-REPLACE`	🟠 high	CREATE OR REPLACE TABLE detected. Existing table definition (and potentially data semantics) is replaced.
`TBL-RENAME`	🟡 medium	ALTER TABLE RENAME detected. Downstream references (queries, views, jobs) may break if not updated.
`TBL-COL-ADD`	🟢 low	ALTER TABLE ADD COLUMN detected. Schema expanded; verify downstream contracts and ingestion mappings.
`TBL-COL-DROP`	🟠 high	ALTER TABLE DROP COLUMN detected. Column data and dependent objects may be lost or broken.
`TBL-MASK-ADD`	🟢 low	Column masking or projection policy added. Positive governance signal.
`TBL-MASK-RMV`	🔴 critical	Masking or Projection Policy removed from column. This exposes PII or sensitive data.
`TBL-RAP-ADD`	🟢 low	Row Access Policy added to table. Positive governance signal.
`TBL-RAP-RMV`	🟠 high	Row Access Policy removed from table. This may expose sensitive data to unauthorized users.
`TBL-RAP-RMV-ALL`	🔴 critical	All Row Access Policies dropped from table. All row-level access controls removed from this table.
`TBL-AGGPOL-RMV`	🟡 medium	Aggregation or Join Policy removed from table. This may allow unrestricted data aggregation or joins.
`TBL-TAG-ADD`	🟢 low	Tag added to object. Positive governance signal.
`TBL-TAG-RMV`	🟡 medium	Tag removed from object. Governance metadata may be incomplete.

View Operations (VIEW-xxx)

Rule ID	Risk	Description
`VIEW-REPLACE`	🟡 medium	CREATE OR REPLACE VIEW detected. Existing view definition is replaced and downstream logic may change.
`VIEW-CHG`	🟡 medium	ALTER VIEW changes a view definition or attributes. Views control data access patterns; changes affect all queries through the view.
`VIEW-DROP`	🟡 medium	DROP VIEW removes a view. Dependent queries and applications will break. Check for CASCADE to identify cascading object removal.
`VIEW-CASCADE-DROP`	🟠 high	DROP VIEW ... CASCADE removes the view AND all dependent objects (other views, rules). Cascading drops can silently remove data access controls.

Schema Operations (SCHEMA-xxx)

Rule ID	Risk	Description
`SCHEMA-DROP`	🔴 critical	DROP SCHEMA detected. All objects in schema will be permanently deleted.
`SCHEMA-NAME-CHG`	🟡 medium	Schema renamed. Verify all references to the old name are updated.
`SCHEMA-PROPS-CHG`	🟡 medium	Schema properties modified. Configuration change may affect behavior.
`SCHEMA-TAG-ADD`	🟢 low	Schema tag assigned. Governance metadata updated.
`SCHEMA-TAG-RMV`	🟡 medium	Schema tag removed. Governance metadata may be incomplete. Verify tag removal is intentional.
`SCHEMA-CLONE`	🟡 medium	Schema cloned from existing schema. Verify access controls are appropriate for the clone.

Database Operations (DB-xxx)

Rule ID	Risk	Description
`DB-CLONE`	🟡 medium	Database cloned from existing database. Verify access controls are appropriate for the clone.
`DB-NAME-CHG`	🟡 medium	Database renamed. Verify all references to the old name are updated.
`DB-PROPS-CHG`	🟡 medium	Database properties modified. Configuration change may affect behavior.
`DB-TAG-ADD`	🟢 low	Database tag assigned. Governance metadata updated.
`DB-TAG-RMV`	🟡 medium	Database tag removed. Governance metadata may be incomplete. Verify tag removal is intentional.
`DB-DROP`	🔴 critical	DROP DATABASE detected. All schemas, tables, and data within the database will be permanently deleted.

Masking Policies (MASK-xxx)

Rule ID	Risk	Description
`MASK-NEW`	🟢 low	Masking Policy created. Positive governance signal.
`MASK-ALLOW-ALL`	🔴 critical	Masking Policy body passes through the original value without masking. Policy is effectively a no-op and sensitive data may be exposed.
`MASK-BODY-CHG`	🔴 critical	Masking Policy logic changed. Data protection logic modified.
`MASK-NAME-CHG`	🟠 high	Masking Policy renamed. Dependent columns may be affected.
`MASK-TAG-RMV`	🟡 medium	Tag removed from Masking Policy. Governance metadata may be incomplete.
`MASK-TAG-ADD`	🟢 low	Tag added to Masking Policy. Positive governance signal.
`MASK-COMMENT-ADD`	🟢 low	Comment added to Masking Policy. Positive documentation signal.
`MASK-COMMENT-RMV`	🟢 low	Comment removed from Masking Policy. Documentation lost.
`MASK-DROP`	🔴 critical	Masking Policy dropped. Column data protection removed. All columns using this policy will be unmasked.

Row Access Policies (RAP-xxx)

Rule ID	Risk	Description
`RAP-NEW`	🟢 low	Row Access Policy created. Ensure proper testing and documentation.
`RAP-ALLOW-ALL`	🔴 critical	Row Access Policy predicate is always true. Policy is effectively a no-op and does not restrict row access. Applies to Snowflake, BigQuery, and PostgreSQL RLS.
`RAP-BODY-CHG`	🔴 critical	Row Access Policy logic changed. Access control logic modified.
`RAP-NAME-CHG`	🟠 high	Row Access Policy renamed. Dependent objects may be affected.
`RAP-TAG-RMV`	🟡 medium	Tag removed from Row Access Policy. Governance metadata may be incomplete.
`RAP-TAG-ADD`	🟢 low	Tag added to Row Access Policy. Positive governance signal.
`RAP-COMMENT-ADD`	🟢 low	Comment added to Row Access Policy. Positive documentation signal.
`RAP-COMMENT-RMV`	🟢 low	Comment removed from Row Access Policy. Documentation lost.
`RAP-DROP`	🔴 critical	Row Access Policy dropped. Row-level access controls removed. All tables using this policy will no longer filter rows.

Grant & Access (GRT-xxx)

Rule ID	Risk	Description
`GRT-WITH-OPT`	🟠 high	Avoid WITH GRANT OPTION. This allows the grantee to re-grant privileges and can lead to privilege escalation.
`GRT-ALL-PRIV`	🟠 high	Avoid GRANT ALL PRIVILEGES. Use specific privilege grants to follow the principle of least privilege.
`GRT-TO-PUBLIC`	🔴 critical	Avoid granting privileges to PUBLIC. The PUBLIC role includes all users in the account, which may expose data unintentionally.
`GRT-TO-SHARE`	🔴 critical	Data sharing boundary crossed: granting to SHARE exposes data outside the account. Verify data classification and approval.
`GRT-OWNER-XFER`	🟠 high	Ownership transfer detected. Verify approval and ensure proper access controls remain in place.
`GRT-SYSROLE-EXP`	🔴 critical	Grant involves privileged system role (ACCOUNTADMIN, SECURITYADMIN, SYSADMIN, USERADMIN, PUBLIC). This has account-wide security implications.
`GRT-ACCESS-EXP-HI`	🟠 high	Role hierarchy change significantly expands effective access. Child role inherits 50+ privileges or affects 10+ users.
`GRT-ACCESS-EXP`	🟡 medium	Role hierarchy change detected. Child role inherits privileges from parent role, affecting downstream roles and users.
`GRT-BROAD-PRIV-HI`	🟠 high	Object privilege grant affects 20+ users via role inheritance. Review if this access scope is intentional.
`GRT-BROAD-PRIV`	🟡 medium	Broad privilege grant detected. Object privilege affects multiple roles and users via role inheritance.

Functions & Procedures (UDF/PROC/FUNC-xxx)

Rule ID	Risk	Description
`UDF-NEW`	🟢 low	User-defined function created. Verify return type and usage patterns.
`UDF-DYNSQL`	🟠 high	User-defined function executes dynamic SQL with potential injection vector. SQL injection risk if inputs are not validated. Consider parameterized queries (e.g. USING clause).
`UDF-SECURE-RMV`	🟠 high	SECURE flag removed from function. Function body is now visible to users with USAGE privilege.
`UDF-EXTACC-CFG`	🟡 medium	Function configured with external access integrations or secrets. Review access permissions.
`FUNC-DROP`	🟡 medium	DROP FUNCTION detected. Function definition removed. Verify no dependencies.
`PROC-NEW`	🟢 low	Stored procedure created. Verify business logic and access controls.
`PROC-DYNSQL`	🟠 high	Stored procedure executes dynamic SQL with potential injection vector. SQL injection risk if inputs are not validated. Consider parameterized queries (e.g. USING clause / sp_executesql parameters).
`PROC-DROP`	🟡 medium	DROP PROCEDURE detected. Procedure definition removed. Verify no dependencies.
`PROC-SECURE-RMV`	🟠 high	SECURE flag removed from procedure. Procedure body is now visible to users with USAGE privilege.
`PROC-EXECAS-OWNER`	🟡 medium	Procedure set to EXECUTE AS OWNER. RISK: If owner has elevated privileges (e.g., deploy role), this grants all callers elevated access. Consider EXECUTE AS CALLER for better privilege isolation.
`PROC-EXECAS-CALLER`	🟢 low	Procedure set to EXECUTE AS CALLER. Runs with invoker's privileges. Safer than OWNER if procedure owner has elevated rights (e.g., deploy role). Context-dependent security.
`PROC-EXECAS-RESTRICT`	🟠 high	Procedure set to EXECUTE AS RESTRICTED CALLER. This is a significant compromise between security models - review carefully.
`PROC-EXTACC-CFG`	🟡 medium	Procedure configured with external access integrations or secrets. Review access permissions.

Dynamic SQL (DYNSQL-xxx)

Rule ID	Risk	Description
`DYNSQL`	🟠 high	Dynamic SQL execution detected. SQL injection risk if input parameters are not validated. Consider parameterized queries (USING clause / sp_executesql parameters).
`DYNSQL-CONCAT`	🔴 critical	Dynamic SQL argument is built via string concatenation or FORMAT(...) interpolation. SQL injection risk — switch to a parameterized query (USING clause / sp_executesql parameter binding).
`DYNSQL-NO-PARAM`	🟡 medium	Dynamic SQL executed without parameter binding when the surface supports it (Snowflake USING, sp_executesql @params, EXECUTE … USING). Bind runtime values rather than interpolating.
`DYNSQL-PARAM-CLEAN`	⚪ info	Dynamic SQL recognized as injection-clean: every interpolated value is quoted into an identifier or literal slot it cannot break out of. Informational — verify no untrusted value reaches an unquoted slot.
`DYNSQL-QUOTE-MISMATCH`	🔴 critical	Dynamic SQL applies identifier quoting to a value placed inside a string literal. Identifier quoting (QUOTENAME / quote_ident / %I) delimits identifiers and does not escape the string-literal quote, so the value can still break out of the literal — use literal quoting (quote_literal / QUOTE / %L) or a bound parameter.
`DYNSQL-LITERAL-QUOTER-IDENT`	🟡 medium	Dynamic SQL applies literal/string quoting to a value placed in an identifier position (a table or column name). Literal quoting (quote_literal / QUOTE / %L) produces a quoted string, not an identifier, so the assembled statement is malformed or refers to the wrong object — use identifier quoting (quote_ident / QUOTENAME / %I) or validate the name against an allow-list.
`DYNSQL-CROSS-SERVER`	🔴 critical	Cross-server dynamic SQL execution detected. The remote server's auth context is exercised — validate the connection string and SQL construction.

External Tables (EXTTBL-xxx)

Rule ID	Risk	Description
`EXTTBL-NEW`	🟢 low	External table created. Federated data source registered for querying.

Diff Signals (DIFF-xxx)

Rule ID	Risk	Description
`DIFF-WRITE-WHERE-RMV`	🔴 critical	Write statement became unbounded after WHERE clause was removed. May affect entire table.
`DIFF-LIMIT-RMV-MULTI`	🔴 critical	LIMIT removed from multi-table query. Potential cartesian explosion.
`DIFF-JOIN-CROSS-ADD`	🔴 critical	JOIN changed from {witness.baseline_kind} to CROSS. Cartesian product risk.
`DIFF-SAMPLE-ADD`	🔴 critical	SAMPLE/TABLESAMPLE added. Query now operates on SUBSET of data.
`DIFF-LIMIT-RMV`	🟠 high	LIMIT removed. Query is now unbounded.
`DIFF-WHERE-RMV`	🟠 high	WHERE clause removed. Query is now unbounded.
`DIFF-JOIN-RMV`	🟠 high	JOIN removed. Data relationship lost.
`DIFF-DISTINCT-RMV`	🟠 high	DISTINCT removed. Query may now return duplicate rows.
`DIFF-JOIN-NARROW`	🟠 high	JOIN changed from {witness.baseline_kind} to {witness.head_kind}. May silently drop rows.
`DIFF-HAVING-RMV`	🟠 high	HAVING clause removed. Aggregate filtering lost.
`DIFF-GROUPBY-COL-RMV`	🟠 high	GROUP BY column removed. May cause aggregate explosion or changed grouping.
`DIFF-QUALIFY-RMV-MULTI`	🟠 high	QUALIFY clause removed from multi-table query with window functions. Window function filtering lost.
`DIFF-AGG-FUNC-CHG`	🟠 high	Aggregate function changed from {witness.baseline} to {witness.head}. Verify business logic.
`DIFF-JOIN-COND-CHG`	🟠 high	JOIN condition changed. Data relationship logic altered.
`DIFF-WHERE-COND-CHG`	🟠 high	WHERE clause predicates changed. Query filtering logic altered.
`DIFF-WIN-PART-CHG`	🟠 high	Window function partition changed. Results may differ.
`DIFF-UNION-TO-UNIONALL`	🟠 high	UNION changed to UNION ALL. Deduplication lost — may return duplicate rows.
`DIFF-STMT-KIND-CHG`	🟠 high	Statement type changed from {witness.baseline} to {witness.head}. Verify intent.
`DIFF-PROJ-CHG`	🟡 medium	Output projection slot changed from {witness.baseline_kind} to {witness.head_kind}. Verify output semantics.
`DIFF-WIN-FRAME-CHG`	🟠 high	Window frame changed. Running totals, rankings, or cumulative calculations affected.
`DIFF-WIN-PART-RMV`	🟠 high	PARTITION BY removed from window function. Function now operates over entire result set instead of per-group.
`DIFF-AGG-DISTINCT-RMV`	🟠 high	DISTINCT removed from aggregate function. May now count/sum duplicate values.
`DIFF-SUBQ-SCOPE-CHG`	🟠 high	Subquery scope type changed (e.g., EXISTS→NOT EXISTS). Query logic inverted.
`DIFF-JOIN-TYPE-CHG`	🟡 medium	JOIN type changed from {witness.baseline_kind} to {witness.head_kind}. Verify result-set behavior.
`DIFF-QUALIFY-RMV`	🟡 medium	QUALIFY clause removed. Window function filtering lost.
`DIFF-TBL-RMV`	🟡 medium	Table removed from query. Data relationship changed.
`DIFF-CTE-RMV`	🟡 medium	CTE (Common Table Expression) removed. Query structure simplified.
`DIFF-XSCHEMA-ADD`	🟡 medium	Query now accesses tables across different schemas.
`DIFF-LIMIT-INCR`	🟡 medium	LIMIT increased. More data may be returned.
`DIFF-SETOP-CHG`	🟡 medium	SET operation changed from {witness.baseline} to {witness.head}. Query logic altered.
`DIFF-WIN-RMV`	🟡 medium	Window function {witness.function} removed from query. Analytic computation lost.
`DIFF-AGG-DISTINCT-ADD`	🟡 medium	DISTINCT added to aggregate function. May reduce result values.
`DIFF-AGG-ARG-CHG`	🟡 medium	Aggregate function input changed. Verify correct column.
`DIFF-GROUPBY-COL-ADD`	🟡 medium	GROUP BY column added. Aggregation granularity changed.
`DIFF-AGG-RMV`	🟡 medium	Aggregate function removed from query. Calculation lost.
`DIFF-HAVING-CHG`	🟡 medium	HAVING clause filter logic changed. Aggregate filtering behavior affected.
`DIFF-SETOP-ADD`	🟡 medium	SET operation (UNION/INTERSECT/EXCEPT) added. Query logic extended.
`DIFF-SETOP-RMV`	🟡 medium	SET operation removed. Query logic simplified.
`DIFF-SUBQ-PRED-CHG`	🟡 medium	Predicate changed within a subquery. Subquery filtering behavior affected.
`DIFF-COL-RMV`	🟢 low	Column removed from output. Downstream consumers may break.
`DIFF-ORDERBY-CHG`	🟢 low	ORDER BY clause changed. Result ordering affected.
`DIFF-LIMIT-DECR`	🟢 low	LIMIT decreased. Query is more restrictive.
`DIFF-WHERE-ADD`	🟢 low	WHERE clause added. Query is now bounded.
`DIFF-LIMIT-ADD`	🟢 low	LIMIT added. Query is now bounded.
`DIFF-DISTINCT-ADD`	🟢 low	DISTINCT added. Duplicates will be removed.
`DIFF-QUALIFY-ADD`	🟢 low	QUALIFY clause added for window function filtering.
`DIFF-HAVING-ADD`	🟢 low	HAVING clause added for aggregate filtering.
`DIFF-WRITE-WHERE-ADD`	🟢 low	Write statement became bounded with WHERE clause.
`DIFF-TBL-ADD`	🟢 low	New table added to query.
`DIFF-JOIN-ADD`	🟢 low	New JOIN added to query.
`DIFF-COL-ADD`	🟢 low	New column added to output.
`DIFF-CTE-ADD`	🟢 low	CTE (Common Table Expression) added. Query structure enhanced.
`DIFF-WIN-ADD`	🟢 low	Window function {witness.function} added to query. Adds ranking, row numbering, or analytic computation.
`DIFF-AGG-ARG-REFACTOR`	🟢 low	Aggregate function input refactored. Likely a column extraction.
`DIFF-AGG-ARG-COL-SUBST`	🟡 medium	Column reference inside aggregate input was substituted. Verify the metric still measures the intended attribute.
`DIFF-AGG-ARG-CONST-DRIFT`	🟢 low	Hardcoded literal inside aggregate input changed. Verify the constant change is intentional (threshold, default, tax rate).
`DIFF-AGG-ARG-OP-FLIP`	🟠 high	Binary operator inside aggregate input changed (e.g. + to -). Output semantics altered.
`DIFF-AGG-ARG-UNARY-FLIP`	🟠 high	Unary operator inside aggregate input changed (e.g. IS NULL to IS NOT NULL). Predicate or sign inverted.
`DIFF-AGG-ARG-FN-NAME-CHG`	🟡 medium	Function called inside aggregate input was replaced. Verify semantic equivalence across dialects.
`DIFF-AGG-ARG-FN-ARITY-CHG`	🟢 low	Function arity inside aggregate input changed. Fallback chain depth or input set shifted.
`DIFF-AGG-ARG-CASE-BRANCH-CHG`	🟡 medium	CASE branch count inside aggregate input changed. Aggregated output rules shifted.
`DIFF-AGG-ARG-CASE-ELSE-ADDED`	🟡 medium	CASE inside aggregate input gained an ELSE clause. NULL handling now explicit; output for unmatched rows changed.
`DIFF-AGG-ARG-CASE-ELSE-RMV`	🟡 medium	CASE inside aggregate input lost its ELSE clause. Unmatched rows now produce NULL, changing aggregate output for sparse data.
`DIFF-AGG-ARG-CAST-TYPE-CHG`	🟡 medium	Cast target type inside aggregate input changed. Precision, truncation, or representation may shift.
`DIFF-AGG-ARG-SHAPE-CHG`	🟡 medium	Expression wrapping shape inside aggregate input changed (e.g. bare column wrapped in COALESCE/function). NULL or coercion semantics altered.
`DIFF-AGG-ARG-SUBQ-CHG`	🟠 high	Scalar subquery inside aggregate input now reads a different table set. Data dependency shifted.
`DIFF-AGG-ARG-FIELD-PATH-CHG`	🟡 medium	Semi-structured field access path inside aggregate input changed. Verify the new JSON/variant path resolves to the intended attribute.
`DIFF-AGG-ADD`	🟢 low	New aggregate function added to query.
`DIFF-SAMPLE-RMV`	🟢 low	SAMPLE/TABLESAMPLE removed. Query now operates on full data.
`DIFF-NULL-EXPANSION`	🟠 high	Output column became nullable across the change. Downstream NOT NULL consumers may break silently.
`DIFF-LINEAGE-LOSS`	🟡 medium	Output column lost upstream source columns. Data provenance shrunk.
`DIFF-TAINT-PROPAGATION`	🟠 high	Output column gained sensitivity tags. Possible PII leak via new join path or new projection.
`DIFF-CONSTRAINT-RELAX`	🟡 medium	Output column's structural constraints were relaxed. Downstream consumers relying on the constraint may break.

Snowflake (SNW-xxx)

Rule ID	Risk	Description
`SNW-GRT-PRIV-ROLE`	🔴 critical	Privilege escalation detected: granting privileged system role. This gives full administrative control and should require explicit approval.
`SNW-STG-CRED-CHG`	🟠 high	Storage credentials changed on stage. Verify authorization and audit trail.
`SNW-STG-ENC-OFF`	🔴 critical	Encryption disabled on stage. This exposes data at rest to potential breaches.
`SNW-STG-ENC-ON`	🟢 low	Encryption enabled on stage. Positive security signal.
`SNW-STG-INTG-CHG`	🟡 medium	Storage integration changed on stage. Verify access controls.
`SNW-STG-INTG-SET`	🟢 low	Storage integration set on stage. External storage access configured.
`SNW-STG-TAG-SET`	🟢 low	Tag set on stage. Positive governance signal for metadata tracking.
`SNW-STG-TAG-RMV`	🟡 medium	Tag removed from stage. Verify governance metadata tracking is maintained.
`SNW-STG-DROP`	🟡 medium	DROP STAGE detected. Stage and any staged files will be removed.
`SNW-EXPORT-UNBOUNDED`	🟠 high	COPY INTO exports data to external location without filtering. Full table contents may be exposed.
`SNW-UNKNOWN`	🟠 high	Unknown syntax detected. Cannot verify compliance for this statement. Review against latest Snowflake documentation.
`SNW-PWDPOL-NEW`	🟡 medium	Password Policy created. Positive security signal - password controls in place.
`SNW-PWDPOL-MINLEN-CRIT`	🔴 critical	Password Policy created with CRITICAL weak minimum length (<8 characters). This violates basic security standards.
`SNW-PWDPOL-MINLEN-WEAK`	🟠 high	Password Policy created with weak minimum length (8-11 characters). CIS/CISA recommend ≥12 characters (NIST SP 800-63B requires ≥8).
`SNW-PWDPOL-MINLEN-CFG`	🟢 low	Password Policy minimum length configured. Positive governance signal.
`SNW-PWDPOL-MAXLEN-LOW`	🟡 medium	Password Policy has restrictive maximum length. Users cannot create long, complex passwords.
`SNW-PWDPOL-COMPLEX-WEAK`	🟠 high	Password Policy created with weak complexity requirements (<2 character classes). Passwords may be easily guessable.
`SNW-PWDPOL-COMPLEX-CFG`	🟢 low	Password Policy complexity requirements configured. Positive governance signal.
`SNW-PWDPOL-NOEXPIRY`	🔴 critical	Password Policy created with NO expiration (PASSWORD_MAX_AGE_DAYS = 0). Passwords never expire.
`SNW-PWDPOL-EXPIRY-LONG`	🟠 high	Password Policy created with long expiration (>180 days). Consider shorter expiration period.
`SNW-PWDPOL-EXPIRY-STALE`	🟡 medium	Password Policy has long expiration period (>=90 days). Passwords remain valid for extended periods.
`SNW-PWDPOL-EXPIRY-FAIR`	🟢 low	Password Policy has moderate expiration period (30-89 days). Consider tighter expiration for sensitive environments.
`SNW-PWDPOL-EXPIRY-CFG`	🟢 low	Password Policy expiration configured. Passwords will expire per policy.
`SNW-PWDPOL-RETRIES-HIGH`	🔴 critical	Password Policy created with high max retries (>10). Account brute-force risk.
`SNW-PWDPOL-RETRIES-CHG`	🟠 high	Password Policy created with moderate max retries (6-10). Consider limiting to 5 or fewer.
`SNW-PWDPOL-LOCKOUT-SHORT`	🟠 high	Password Policy created with short lockout time (<5 minutes). Account brute-force window too small.
`SNW-PWDPOL-LOCKOUT-WEAK`	🟡 medium	Password Policy has short lockout time (<5 minutes). Brute-force attacks have reduced penalty window.
`SNW-PWDPOL-LOCKOUT-CFG`	🟢 low	Password Policy lockout configured. Positive governance signal — brute-force protection active.
`SNW-PWDPOL-NOHIST`	🟠 high	Password Policy created with NO history (PASSWORD_HISTORY = 0). Users can reuse passwords immediately.
`SNW-PWDPOL-HIST-CFG`	🟢 low	Password Policy history configured. Positive governance signal — password reuse prevented.
`SNW-PWDPOL-MINLEN-CRITWEAK`	🔴 critical	Password minimum length SET to CRITICAL weak value (<8). This violates basic security standards.
`SNW-PWDPOL-MINLEN-WEAKEN`	🟠 high	Password minimum length weakened (8-11 characters). CIS/CISA recommend ≥12 characters (NIST SP 800-63B requires ≥8).
`SNW-PWDPOL-EXPIRY-OFF`	🔴 critical	Password expiration DISABLED (PASSWORD_MAX_AGE_DAYS = 0). Passwords never expire.
`SNW-PWDPOL-EXPIRY-LONGSET`	🟠 high	Password expiration SET to long duration (>180 days). Consider shorter period.
`SNW-PWDPOL-RETRIES-INCR`	🔴 critical	Password max retries INCREASED (>10). Account brute-force risk significantly increased.
`SNW-PWDPOL-LOCKOUT-CUT`	🟠 high	Password lockout time SHORTENED (<5 minutes). Brute-force attack window reduced too much.
`SNW-PWDPOL-HIST-OFF`	🟠 high	Password history DISABLED (PASSWORD_HISTORY = 0). Users can reuse passwords immediately.
`SNW-PWDPOL-MINLEN-UNSET`	🔴 critical	Password minimum length UNSET. Reverts to default (8 characters), weakening security.
`SNW-PWDPOL-EXPIRY-UNSET`	🔴 critical	Password expiration UNSET. Reverts to default, may remove expiration entirely.
`SNW-PWDPOL-HISTORY-UNSET`	🟠 high	Password history UNSET. Reverts to default (0), users can reuse passwords immediately.
`SNW-PWDPOL-RETRIES-UNSET`	🔴 critical	Password max retries UNSET. Reverts to default, may allow unlimited login attempts enabling brute-force attacks.
`SNW-PWDPOL-LOCKOUT-UNSET`	🔴 critical	Password lockout time UNSET. Reverts to default, may remove account lockout protection enabling brute-force attacks.
`SNW-PWDPOL-NAME-CHG`	🟠 high	Password Policy renamed. This may break user/role assignments referencing this policy.
`SNW-PWDPOL-TAG-ADD`	🟢 low	Password Policy tag set. Positive governance signal — metadata tag added.
`SNW-PWDPOL-TAG-RMV`	🟡 medium	Password Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-PWDPOL-COMMENT-RMV`	🟢 low	Comment removed from Password Policy. Documentation lost.
`SNW-PWDPOL-DROP`	🔴 critical	Password Policy dropped. Password strength controls removed. Verify this doesn't weaken authentication security.
`SNW-SESSPOL-NEW`	🟢 low	Session Policy created. Positive governance signal — session timeout controls configured.
`SNW-SESSPOL-IDLE-LONG`	🟠 high	Session Policy created with long idle timeout (>24 hours). Consider shorter timeout for better security.
`SNW-SESSPOL-UIIDLE-LONG`	🟠 high	Session Policy created with long UI idle timeout (>24 hours). Consider shorter timeout for better security.
`SNW-SESSPOL-IDLE-LONGSET`	🟠 high	Session idle timeout SET to long duration (>24 hours). Consider shorter timeout for better security.
`SNW-SESSPOL-UIIDLE-LONGSET`	🟠 high	UI idle timeout SET to long duration (>24 hours). Consider shorter timeout for better security.
`SNW-SESSPOL-IDLE-CHG`	🟡 medium	Session idle timeout modified. Review new timeout value.
`SNW-SESSPOL-IDLE-UNSET`	🔴 critical	Session idle timeout UNSET. Sessions can remain active indefinitely. This weakens security posture significantly.
`SNW-SESSPOL-UIIDLE-UNSET`	🔴 critical	UI idle timeout UNSET. UI sessions can remain active indefinitely. Verify this doesn't create unattended access risk.
`SNW-SESSPOL-NAME-CHG`	🟡 medium	Session Policy renamed. Verify all roles/users referencing this policy are updated.
`SNW-SESSPOL-TAG-ADD`	🟢 low	Session Policy tag set. Positive governance signal — metadata tag added.
`SNW-SESSPOL-TAG-RMV`	🟡 medium	Session Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-SESSPOL-COMMENT-ADD`	🟢 low	Comment added to Session Policy. Positive documentation signal.
`SNW-SESSPOL-COMMENT-RMV`	🟢 low	Comment removed from Session Policy. Documentation lost.
`SNW-SESSPOL-DROP`	🔴 critical	Session Policy dropped. Session governance controls removed. All roles/users referencing this policy lose session management.
`SNW-NETPOL-NEW`	🔴 critical	Network Policy created. New network access controls established.
`SNW-NETPOL-IPALLOW-CFG`	🟢 low	Network Policy ALLOWED_IP_LIST configured. IP allowlist established.
`SNW-NETPOL-IPBLOCK-CFG`	🟢 low	Network Policy BLOCKED_IP_LIST configured. IP blocklist established.
`SNW-NETPOL-RULELIST-CFG`	🟡 medium	Network Policy ALLOWED_NETWORK_RULE_LIST configured. Network rules referenced.
`SNW-NETPOL-SET`	🔴 critical	Network Policy SET operation. This replaces the entire IP/rule list. Verify authorization and review new configuration.
`SNW-NETPOL-ADD`	🟠 high	Network Policy ADD operation. Network rules or IPs added.
`SNW-NETPOL-RMV`	🔴 critical	Network Policy REMOVE operation. Network restrictions removed.
`SNW-NETPOL-NAME-CHG`	🟠 high	Network Policy renamed. Dependent objects may be affected.
`SNW-NETPOL-TAG-ADD`	🟢 low	Tag added to Network Policy. Positive governance signal.
`SNW-NETPOL-TAG-RMV`	🟡 medium	Tag removed from Network Policy. Governance metadata may be incomplete.
`SNW-NETPOL-COMMENT-RMV`	🟢 low	Comment removed from Network Policy. Documentation cleared.
`SNW-NETPOL-DROP`	🔴 critical	Network Policy dropped. Network access controls removed.
`SNW-AUTHPOL-NEW`	🟠 high	Authentication Policy created. New authentication controls established.
`SNW-AUTHPOL-MFA-OFF`	🔴 critical	Authentication Policy created without MFA requirement. Multi-factor authentication not enforced, accounts vulnerable to credential compromise.
`SNW-AUTHPOL-CHG`	🟠 high	Authentication Policy modified. Authentication controls changed. Review new configuration.
`SNW-AUTHPOL-METHODS-CHG`	🔴 critical	Authentication methods changed. Allowed authentication methods modified. Verify this is authorized.
`SNW-AUTHPOL-MFA-CHG`	🔴 critical	MFA requirement changed. Multi-factor authentication policy modified. Verify enforcement still meets compliance requirements.
`SNW-AUTHPOL-CLIENT-CHG`	🟠 high	Client types changed. Allowed client types modified. Verify this is authorized.
`SNW-AUTHPOL-SECINTG-CHG`	🔴 critical	Security integrations changed. Authentication providers modified. Verify trust relationships remain intact.
`SNW-AUTHPOL-DROP`	🔴 critical	Authentication Policy dropped. Authentication controls removed. Account vulnerable to credential compromise.
`SNW-AUTHPOL-ON`	🟢 low	Authentication policy enabled. Positive security signal.
`SNW-AUTHPOL-OFF`	🔴 critical	Authentication policy disabled. Identity verification suspended.
`SNW-AGGPOL-NEW`	🟠 high	Aggregation Policy created. This controls minimum group sizes for aggregation queries to prevent small group disclosures. Verify MIN_GROUP_SIZE is adequate for your privacy requirements.
`SNW-AGGPOL-NOCONST`	🔴 critical	Aggregation Policy uses NO_AGGREGATION_CONSTRAINT. This removes all aggregation protections, allowing small group queries that may disclose sensitive information.
`SNW-AGGPOL-GRPSZ-CRIT`	🔴 critical	Aggregation Policy has dangerously low MIN_GROUP_SIZE (< 3). Groups smaller than 3 can easily lead to re-identification.
`SNW-AGGPOL-GRPSZ-LOW`	🟠 high	Aggregation Policy has low MIN_GROUP_SIZE (3-4). While better than 1-2, groups of 3-4 still pose re-identification risks.
`SNW-AGGPOL-GRPSZ-STRONG`	🟢 low	Aggregation Policy has strong MIN_GROUP_SIZE (≥10). Good privacy protection. This significantly reduces re-identification risk.
`SNW-AGGPOL-COND`	🟡 medium	Aggregation Policy uses conditional logic (CASE expressions). Conditional policies can have different protections for different scenarios. Verify all branches have adequate MIN_GROUP_SIZE values.
`SNW-AGGPOL-NOCONST-CHG`	🔴 critical	Aggregation Policy body changed to NO_AGGREGATION_CONSTRAINT. Protection removed entirely. This exposes data to unrestricted aggregation queries.
`SNW-AGGPOL-CHG`	🟡 medium	Aggregation Policy altered. Policy modified. Review changes to ensure they maintain adequate privacy protections.
`SNW-AGGPOL-NAME-CHG`	🟡 medium	Aggregation Policy renamed. Policy name changed. Verify references to this policy are updated in dependent objects and documentation.
`SNW-AGGPOL-TAG-ADD`	🟢 low	Aggregation Policy tag set. Metadata tag added to policy. Informational only.
`SNW-AGGPOL-TAG-RMV`	🟡 medium	Aggregation Policy tag removed. Governance metadata lost. Verify this is intentional.
`SNW-AGGPOL-COMMENT-ADD`	🟢 low	Comment added to Aggregation Policy. Positive documentation signal.
`SNW-AGGPOL-COMMENT-RMV`	🟢 low	Comment removed from Aggregation Policy. Documentation lost.
`SNW-AGGPOL-DROP`	🔴 critical	Aggregation Policy dropped. Aggregation protections removed. This removes minimum group size constraints, potentially exposing sensitive data through small group aggregations.
`SNW-PROJPOL-NEW`	🟢 low	Projection Policy created. Positive governance signal — projection controls in place.
`SNW-PROJPOL-DROP`	🟠 high	Projection Policy dropped. Projection controls removed. Verify dependent objects are updated.
`SNW-PROJPOL-CHG`	🟡 medium	Projection Policy altered. Policy modified. Review changes.
`SNW-PROJPOL-NAME-CHG`	🟡 medium	Projection Policy renamed. Verify references in dependent objects.
`SNW-PROJPOL-ALLOWLIST`	🟡 medium	Projection Policy uses ALLOW => TRUE. Verify allowlist is intentional.
`SNW-PROJPOL-ENFORCE-OFF`	🔴 critical	Projection Policy enforcement DISABLED (ENFORCEMENT => 'NULLIFY'). Constraints not enforced; data exposed.
`SNW-PROJPOL-ENFORCE-ON`	🟢 low	Projection Policy enforcement enabled. Positive security signal.
`SNW-PROJPOL-COND`	🟡 medium	Projection Policy uses conditional logic (CASE expressions). Verify all branches have adequate constraints.
`SNW-PROJPOL-TAG-ADD`	🟢 low	Projection Policy tag set. Positive governance signal — metadata tag added.
`SNW-PROJPOL-TAG-RMV`	🟡 medium	Projection Policy tag removed. Governance metadata lost.
`SNW-PROJPOL-COMMENT-ADD`	🟢 low	Comment added to Projection Policy. Positive documentation signal.
`SNW-PROJPOL-COMMENT-RMV`	🟢 low	Comment removed from Projection Policy. Documentation lost.
`SNW-MASK-EXEMPT`	🔴 critical	Masking Policy created with EXEMPT_OTHER_POLICIES = TRUE. May bypass other data protection policies.
`SNW-API-INTG-NEW`	🔴 critical	API Integration created. New external API access established. Verify endpoint security.
`SNW-API-INTG-NOPFX`	🟡 medium	API Integration created or modified WITHOUT prefix restrictions. Unrestricted API access may be granted. Consider setting API_ALLOWED_PREFIXES or API_BLOCKED_PREFIXES.
`SNW-API-INTG-ON`	🟢 low	API Integration enabled. Info: Integration is active.
`SNW-API-INTG-OFF`	🟠 high	API Integration disabled. Integration is no longer active. Verify dependent services are not impacted.
`SNW-API-INTG-CREDCHG`	🟠 high	API credential changed on API Integration. Authentication credential or cloud IAM reference modified. Audit trail required.
`SNW-API-INTG-CREDRMV`	🟠 high	API Key UNSET from API Integration. Authentication credential removed. Verify this change is intentional.
`SNW-STGINTG-NEW`	🟠 high	Storage Integration created. New external storage access established. Verify cloud IAM trust relationship.
`SNW-STGINTG-NEW-OFF`	🟡 medium	Storage Integration created with ENABLED = FALSE. Integration not active at creation.
`SNW-STGINTG-OFF`	🔴 critical	Storage Integration disabled. External storage access suspended.
`SNW-STGINTG-ON`	🟢 low	Storage Integration enabled. Positive signal — integration active.
`SNW-STGINTG-AWS-CHG`	🔴 critical	Storage Integration AWS role changed. Cloud IAM trust relationship modified. Verify authorization.
`SNW-STGINTG-AZURE-CHG`	🔴 critical	Storage Integration Azure tenant changed. Cloud trust relationship modified. Verify authorization.
`SNW-STGINTG-LOC-CHG`	🟠 high	Storage Integration allowed locations changed. Data access scope modified.
`SNW-STGINTG-BLOCKLOC-CHG`	🟠 high	Storage Integration blocked locations changed. Data access scope modified.
`SNW-STGINTG-TAG-ADD`	🟢 low	Storage Integration tag set. Positive governance signal — metadata tag added.
`SNW-STGINTG-TAG-RMV`	🟡 medium	Storage Integration tag removed. Governance metadata lost. Verify this is intentional.
`SNW-STGINTG-DROP`	🔴 critical	Storage Integration dropped. External storage access removed. All dependent stages and pipes affected.
`SNW-EXTACC-NEW`	🟡 medium	External access integration created. Network egress configured.
`SNW-EXTACC-DROP`	🟠 high	External access integration dropped. Network egress removed.
`SNW-EXTACC-OFF`	🟠 high	External access integration disabled. Network egress suspended.
`SNW-EXTACC-ON`	🟡 medium	External access integration enabled. Network egress activated.
`SNW-EXTACC-HOSTS-CHG`	🔴 critical	External access allowed hosts changed. Network egress scope modified.
`SNW-EXTACC-NETRULES-CHG`	🟠 high	External access network rules changed. Verify egress restrictions.
`SNW-EXTACC-SECRETS-CHG`	🔴 critical	External access allowed secrets changed. Credential access modified.
`SNW-EXTACC-SECRET-RMV`	🟠 high	External access secret removed from allowed list.
`SNW-EXTACC-NETRULE-ADD`	🟡 medium	Network rule added to external access integration.
`SNW-EXTACC-NETRULE-RMV`	🟠 high	Network rule removed from external access integration.
`SNW-EXTACC-COMMENT-CHG`	🟢 low	External access integration comment changed.
`SNW-EXTACC-TAG-ADD`	🟢 low	Tag added to external access integration. Positive governance.
`SNW-EXTACC-TAG-RMV`	🟡 medium	Tag removed from external access integration.
`SNW-EXTACC-NAME-CHG`	🟠 high	External access integration renamed. Dependent objects may break.
`SNW-EXTACC-OWNER-CHG`	🟠 high	External access integration ownership changed.
`SNW-EXTACC-CHG`	🟡 medium	External access integration modified. Verify configuration.
`SNW-NOTIFINTG-NEW`	🟢 low	Notification integration created. External notification configured.
`SNW-NOTIFINTG-CHG`	🟢 low	Notification integration modified. Verify configuration.
`SNW-DYNTBL-NEW`	🟢 low	Dynamic table created. Materialized view with automatic refresh.
`SNW-DYNTBL-PARSE-ERR`	🟡 medium	Dynamic table query could not be parsed. Lineage extraction incomplete.
`SNW-DYNTBL-DROP`	🟠 high	Dynamic table dropped. Materialized view and automatic refresh removed.
`SNW-DYNTBL-SUSP`	🟢 low	Dynamic table suspended. Automatic refresh paused.
`SNW-DYNTBL-RESUME`	🟢 low	Dynamic table resumed. Automatic refresh reactivated.
`SNW-DYNTBL-NAME-CHG`	🟡 medium	Dynamic table renamed. Update dependent references.
`SNW-DYNTBL-SWAP`	🟡 medium	Dynamic table swapped with another. Verify data integrity.
`SNW-DYNTBL-TAG-ADD`	🟢 low	Tag set on dynamic table. Positive governance signal for metadata tracking.
`SNW-DYNTBL-TAG-RMV`	🟡 medium	Tag removed from dynamic table. Verify governance metadata tracking is maintained.
`SNW-DYNTBL-RAP-ADD`	🟡 medium	Row access policy applied to dynamic table. Access controls configured.
`SNW-DYNTBL-RAP-RMV`	🟠 high	Row access policy removed from dynamic table. Access controls weakened.
`SNW-DYNTBL-MASK-ADD`	🟡 medium	Masking policy applied to dynamic table column. Data protection configured.
`SNW-DYNTBL-MASK-RMV`	🟠 high	Masking policy removed from dynamic table column. Data protection weakened.
`SNW-PIPE-NEW`	🟢 low	Pipe created. Data loading pipeline configured.
`SNW-PIPE-AUTOINGEST`	🟡 medium	Pipe created with AUTO_INGEST = TRUE. Data will be loaded automatically when files arrive in stage.
`SNW-PIPE-DROP`	🟠 high	Pipe dropped. Data loading pipeline removed. Incoming data will no longer be auto-loaded.
`SNW-PIPE-SET`	🟢 low	Pipe properties modified via SET.
`SNW-PIPE-TAG-SET`	🟢 low	Tag assigned to pipe. Governance metadata applied.
`SNW-PIPE-TAG-UNSET`	🟡 medium	Tag removed from pipe. Governance metadata lost.
`SNW-PIPE-REFRESH`	🟢 low	Pipe manually refreshed. Staged files will be re-evaluated for loading.
`SNW-STREAM-NEW`	🟢 low	Stream created. CDC tracking enabled on source object.
`SNW-STREAM-APPENDONLY`	🟢 low	Stream configured with APPEND_ONLY mode. Only INSERT operations will be tracked.
`SNW-STREAM-INSERTONLY`	🟢 low	Stream configured with INSERT_ONLY mode for external table.
`SNW-STREAM-DROP`	🟠 high	Stream dropped. CDC tracking removed - downstream consumers may be affected.
`SNW-SCHEMA-MGDACC-NEW`	🟢 low	Schema created with MANAGED ACCESS. Centralized privilege management enabled - only schema owner can grant privileges.
`SNW-SCHEMA-MGDACC-ON`	🟢 low	Schema MANAGED ACCESS enabled. Centralized privilege management now active - only schema owner can grant privileges on objects.
`SNW-SCHEMA-MGDACC-OFF`	🟠 high	Schema MANAGED ACCESS disabled. Object owners can now grant privileges. Review privilege grants for compliance.
`SNW-SCHEMA-RETENTION-CHG`	🟠 high	Schema data retention period changed. Time Travel and Fail-safe capabilities for all objects in schema may be affected.
`SNW-SCHEMA-SWAP`	🟠 high	Schema swapped with another schema. All objects exchanged between schemas. Verify access controls.
`SNW-ROLE-PRIV-USE`	🔴 critical	Privileged role should not be hardcoded in scripts. Use role grants or session variables instead.
`SNW-TASK-NEW`	🟢 low	Scheduled task created. Automated SQL execution configured.
`SNW-TASK-DROP`	🟠 high	Scheduled task dropped. Automated workflow removed.
`SNW-TASK-RESUME`	🟡 medium	Task resumed. Automated execution is now active.
`SNW-TASK-SUSPEND`	🟢 low	Task suspended. Automated execution paused.
`SNW-TASK-BODY-CHG`	🟡 medium	Task SQL body modified. Review the new logic for correctness.
`SNW-TASK-DEP-CHG`	🟡 medium	Task dependency chain modified. Verify DAG execution order.
`SNW-TASK-EXECAS`	🟠 high	Task EXECUTE AS configured. Verify privilege escalation is intentional.
`SNW-TASK-PARSE-ERR`	🟡 medium	Task body SQL could not be parsed. Lineage extraction incomplete.
`SNW-TASK-OVERLAP-ALL`	🟠 high	OVERLAP_POLICY = ALLOW_ALL_OVERLAP. Multiple instances of the entire task graph, including the root task, can run concurrently. Risk of resource contention, duplicate processing, and data races.
`SNW-TASK-OVERLAP-CHILD`	🟡 medium	OVERLAP_POLICY = ALLOW_CHILD_OVERLAP. A new task graph instance starts while child tasks are still running. Verify child tasks are idempotent.
`SNW-DB-FROM-SHARE`	🟠 high	Database created from share. Data is being accessed from external provider. Verify data governance compliance.
`SNW-DB-REPLICA`	🟡 medium	Database created as replica. Data is being replicated from another region/account.
`SNW-DB-SWAP`	🟠 high	Database swapped with another database. All objects exchanged between databases. Verify access controls.
`SNW-DB-RETENTION-CHG`	🟠 high	Database data retention period changed. Time Travel and Fail-safe capabilities may be affected.
`SNW-DB-REPL-ON`	🟠 high	Database replication enabled. Data will be replicated to other accounts/regions. Verify compliance with data residency requirements.
`SNW-DB-REPL-OFF`	🟠 high	Database replication disabled. Disaster recovery capabilities reduced.
`SNW-DB-FAILOVER-ON`	🟡 medium	Database failover enabled. Account can be promoted as failover target.
`SNW-DB-FAILOVER-OFF`	🟠 high	Database failover disabled. Disaster recovery failover capability removed.
`SNW-DB-FAILOVER-PROMOTE`	🔴 critical	Database promoted to primary. This is a failover event. The database is now writable and replication direction has changed.
`SNW-DB-REFRESH`	🟡 medium	Database refresh initiated from primary. Local changes may be overwritten.
`SNW-WH-NEW`	🟢 low	Warehouse created. New compute resource provisioned.
`SNW-WH-LARGE`	🟡 medium	Warehouse created with very large size (4XL+). Significant cost impact — verify workload justifies size.
`SNW-WH-SNOWPARK`	🟡 medium	Snowpark-optimized warehouse created. Specialized compute for ML/data engineering workloads.
`SNW-WH-NO-AUTOSUSPEND`	🟡 medium	Warehouse auto-suspend disabled (AUTO_SUSPEND = 0). Credits will be consumed continuously.
`SNW-WH-MULTICLUSTER`	🟢 low	Multi-cluster warehouse configured. Scaling parameters affect cost and concurrency.
`SNW-WH-DROP`	🔴 critical	DROP WAREHOUSE detected. Compute resource permanently removed. Active queries and dependent tasks will fail.
`SNW-WH-SUSPEND`	🟢 low	Warehouse suspended. Compute paused — no credits consumed while suspended.
`SNW-WH-RESUME`	🟡 medium	Warehouse resumed. Compute is now active and consuming credits.
`SNW-WH-ABORT`	🟠 high	ABORT ALL QUERIES on warehouse. All running queries terminated immediately.
`SNW-WH-RENAME`	🟡 medium	Warehouse renamed. References using old name will break.
`SNW-WH-SIZE-CHG`	🟡 medium	Warehouse size changed. Cost and performance characteristics altered.
`SNW-WH-SET`	🟢 low	Warehouse properties modified via SET.
`SNW-WH-TAG-SET`	🟢 low	Tag assigned to warehouse. Governance metadata applied.
`SNW-WH-TAG-UNSET`	🟡 medium	Tag removed from warehouse. Governance metadata lost.

BigQuery (BQ-xxx)

Rule ID	Risk	Description
`BQ-SNAP-TBL-NEW`	🟢 low	Snapshot table created. Point-in-time clone of source table.
`BQ-SNAP-TBL-DROP`	🟡 medium	Snapshot table dropped. Point-in-time recovery path removed for this dataset.
`BQ-SEARCHIDX-NEW`	🟢 low	Search index created for full-text search capabilities.
`BQ-SEARCHIDX-DROP`	🟡 medium	Search index dropped. Full-text search performance on this table may degrade.
`BQ-VECIDX-NEW`	🟢 low	Vector index created for ML embedding similarity search.
`BQ-VECIDX-CHG`	🟢 low	Vector index modified (e.g., REBUILD). Validate embedding search quality/performance baselines.
`BQ-VECIDX-DROP`	🟡 medium	Vector index dropped. ML embedding search performance on this table may degrade.
`BQ-MODEL-NEW`	🟢 low	BigQuery ML model created. Training data pipeline established.
`BQ-MODEL-DROP`	🟡 medium	BigQuery ML model dropped. Dependent prediction queries will fail.
`BQ-MODEL-CHG`	🟢 low	BigQuery ML model options modified.
`BQ-MODEL-EXPORT`	🟡 medium	BigQuery ML model exported to external storage. Model artifacts leaving BigQuery.
`BQ-ASSERT-CFG`	🟢 low	ASSERT statement present. Data quality/runtime invariant check is enforced.
`BQ-ASSERT-NODESC`	🟢 low	ASSERT statement missing descriptive message. Failures may be harder to triage in logs and runtime pipelines.
`BQ-MODEL-REMOTE`	🟠 high	BigQuery ML model uses REMOTE WITH CONNECTION. Model calls external endpoint — review connection security and data exposure.
`BQ-EXPORT-UNBOUNDED`	🟠 high	EXPORT DATA exports query results to external storage without WHERE filtering. Full table contents may be exposed.
`BQ-MODEL-UNBOUNDED`	🟠 high	BQML training query has no WHERE/filter conditions. Model may train on unintended full datasets.
`BQ-EXPORT-AWS-LEAK`	🔴 critical	Hardcoded AWS access key detected in EXPORT DATA statement. Use secure credential management instead.
`BQ-EXPORT-PWD-LEAK`	🔴 critical	Hardcoded password detected in EXPORT DATA statement. Use secure parameter passing instead.
`BQ-EXPORT-APIKEY-LEAK`	🔴 critical	Hardcoded API key or access token detected in EXPORT DATA statement. Store API keys in secure secrets managers.
`BQ-EXPORT-CONNSTR-LEAK`	🔴 critical	Connection string with embedded credentials detected in EXPORT DATA statement. Use secure credential storage.
`BQ-LOAD-AWS-LEAK`	🔴 critical	Hardcoded AWS access key detected in LOAD DATA statement. Use secure credential management instead.
`BQ-LOAD-PWD-LEAK`	🔴 critical	Hardcoded password detected in LOAD DATA statement. Use secure parameter passing instead.
`BQ-LOAD-APIKEY-LEAK`	🔴 critical	Hardcoded API key or access token detected in LOAD DATA statement. Store API keys in secure secrets managers.
`BQ-LOAD-CONNSTR-LEAK`	🔴 critical	Connection string with embedded credentials detected in LOAD DATA statement. Use secure credential storage.
`BQ-EXTTBL-AWS-LEAK`	🔴 critical	Hardcoded AWS access key detected in CREATE EXTERNAL TABLE/SCHEMA. Use secure credential management instead.
`BQ-EXTTBL-PWD-LEAK`	🔴 critical	Hardcoded password detected in CREATE EXTERNAL TABLE/SCHEMA. Use secure parameter passing instead.
`BQ-EXTTBL-APIKEY-LEAK`	🔴 critical	Hardcoded API key or access token detected in CREATE EXTERNAL TABLE/SCHEMA. Store API keys in secure secrets managers.
`BQ-EXTTBL-CONNSTR-LEAK`	🔴 critical	Connection string with embedded credentials detected in CREATE EXTERNAL TABLE/SCHEMA. Use secure credential storage.
`BQ-MODEL-AWS-LEAK`	🔴 critical	Hardcoded AWS access key detected in CREATE/ALTER/EXPORT MODEL. Use secure credential management instead.
`BQ-MODEL-PWD-LEAK`	🔴 critical	Hardcoded password detected in CREATE/ALTER/EXPORT MODEL. Use secure parameter passing instead.
`BQ-MODEL-APIKEY-LEAK`	🔴 critical	Hardcoded API key or access token detected in CREATE/ALTER/EXPORT MODEL. Store API keys in secure secrets managers.
`BQ-MODEL-CONNSTR-LEAK`	🔴 critical	Connection string with embedded credentials detected in CREATE/ALTER/EXPORT MODEL. Use secure credential storage.
`BQ-LOAD-EXTSTORE`	🟡 medium	LOAD DATA references external cloud storage (GCS/S3/Azure). Verify source data integrity and access controls.
`BQ-EXTTBL-EXTSTORE`	🟡 medium	CREATE EXTERNAL TABLE/SCHEMA references external cloud storage (GCS/S3/Azure). Verify source integrity and access boundaries.
`BQ-MODEL-EXPORT-EXTSTORE`	🟡 medium	EXPORT MODEL writes artifacts to external cloud storage. Verify destination boundaries and retention controls.

PostgreSQL (PG-xxx)

Rule ID	Risk	Description
`PG-DOMAIN-DROP`	🟠 high	Domain dropped. Columns using this domain type will be affected.
`PG-DOMAIN-CASCADE-DROP`	🔴 critical	Domain dropped with CASCADE. All dependent columns, constraints, and types will be removed.
`PG-DOMAIN-NAME-CHG`	🟢 low	Domain renamed. Verify all dependent columns and types reference the new name.
`PG-DOMAIN-OWNER-CHG`	🟡 medium	Domain ownership changed. Verify the new owner has appropriate permissions.
`PG-DOMAIN-NOTNULL-DROP`	🟠 high	NOT NULL constraint removed from domain. Columns using this domain may now accept NULL values, potentially causing data quality issues.
`PG-DOMAIN-CONSTR-DROP`	🟠 high	Constraint removed from domain. Data validation enforced by this constraint is no longer active.
`PG-DOMAIN-CONSTR-CASCADE-DROP`	🔴 critical	Domain constraint dropped with CASCADE. Cascading removal may affect dependent objects and columns.
`PG-DOMAIN-CHG`	🟡 medium	Domain altered. Review changes to ensure data type semantics remain correct.
`PG-RLS-CHG`	🟡 medium	Row-level security policy modified. Review the updated USING/WITH CHECK expressions to ensure data access remains correctly restricted.
`PG-RLS-NAME-CHG`	🟢 low	Row-level security policy renamed. Verify dependent references are updated.
`PG-RLS-DROP`	🔴 critical	Row-level security policy dropped. Row-level data protection removed. All rows may become visible to users who were previously restricted.
`PG-RLS-CASCADE-DROP`	🔴 critical	Row-level security policy dropped with CASCADE. Cascading removal may affect dependent objects beyond this policy.
`PG-RLS-PERMISSIVE`	🟡 medium	RLS policy created as PERMISSIVE. Multiple permissive policies are combined with OR, which may be less restrictive than intended. Consider RESTRICTIVE policies for tighter control.
`PG-RLS-WEAK-CHECK`	🔴 critical	PostgreSQL RLS policy WITH CHECK expression is always true. Policy does not restrict write operations — any row can be inserted or updated.
`PG-COPY-FROM`	🟡 medium	COPY FROM imports data into a table. Verify the data source is trusted and the target table is correct.
`PG-COPY-TO`	🟠 high	COPY TO exports data from a table. This may expose sensitive data — verify authorization and destination.
`PG-COPY-PROGRAM`	🔴 critical	COPY with PROGRAM executes a shell command on the server. CRITICAL SECURITY RISK: This allows arbitrary command execution with database server privileges.
`PG-EXT-NEW`	🟠 high	CREATE EXTENSION installs server-side code (C functions, operators, types). Some extensions (e.g. dblink, postgres_fdw, pg_stat_statements) grant powerful capabilities. Requires superuser or trusted extension support.
`PG-EXT-CASCADE-NEW`	🔴 critical	CREATE EXTENSION ... CASCADE installs the extension AND all its dependencies automatically. Dependencies are installed without explicit review, increasing the attack surface.
`PG-MATVIEW-REFRESH`	🟢 low	Materialized view refreshed. This rebuilds the cached data from the underlying query.
`PG-IDX-REBUILD`	🟡 medium	REINDEX rebuilds indexes. This may cause temporary performance impact and lock contention.
`PG-IDX-NAME-CHG`	🟢 low	Index renamed. Update any references to this index.
`PG-IDX-CHG`	🟡 medium	Index altered (tablespace or properties changed). Review impact on query performance.
`PG-TRIG-NAME-CHG`	🟢 low	Trigger renamed. Update any references to this trigger.
`PG-TRIG-CASCADE-DROP`	🔴 critical	Trigger dropped with CASCADE. Cascading removal may affect dependent objects.
`PG-IDX-DROP`	🟢 low	DROP INDEX removes an index. May degrade query performance on dependent queries.
`PG-IDX-CASCADE-DROP`	🟡 medium	DROP INDEX ... CASCADE removes an index and all dependent objects.
`PG-EXT-DROP`	🟠 high	DROP EXTENSION removes a PostgreSQL extension. Security extensions (pgcrypto, pg_audit) may be silently removed, weakening data protection.
`PG-EXT-CASCADE-DROP`	🔴 critical	DROP EXTENSION ... CASCADE removes the extension AND all dependent objects. This can silently drop functions, views, and columns that depend on extension types.
`PG-TRIG-OFF`	🔴 critical	ALTER TABLE ... DISABLE TRIGGER disables a trigger. Audit triggers, referential integrity triggers, and security enforcement triggers will stop firing. This is a common attack vector.
`PG-ROLE-NEW`	🟡 medium	CREATE ROLE/USER adds a new database principal. Review granted privileges, login capability, and role membership to prevent privilege creep.
`PG-ROLE-CHG`	🟠 high	ALTER ROLE/USER modifies a database principal's attributes. Changes to privilege flags (SUPERUSER, CREATEDB, CREATEROLE, REPLICATION, LOGIN) can significantly affect security posture.
`PG-ROLE-DROP`	🟠 high	DROP ROLE/USER removes a database principal. Dependent objects (owned tables, grants) may become inaccessible. Use REASSIGN OWNED before dropping.
`PG-ROLE-SET`	🟠 high	SET ROLE or SET SESSION AUTHORIZATION changes the current session identity. This can escalate privileges or impersonate other users.
`PG-SESSION-CHG`	🟡 medium	SET or RESET modifies session configuration (search_path, etc.). search_path changes can enable schema hijacking attacks.
`PG-SESSION-SET`	🟢 low	SET modifies a session configuration parameter.
`PG-SESSION-DISCARD`	🟡 medium	DISCARD resets session state (plans, sequences, temporary objects). Verify this is intentional.
`PG-RULE-NEW`	🟠 high	CREATE RULE defines a query rewrite rule. Rules silently transform queries, which can lead to unexpected behavior. Consider triggers as a more transparent alternative.
`PG-RULE-CHG`	🟡 medium	ALTER RULE modifies a PostgreSQL query rewrite rule. Rules can redirect INSERT/UPDATE/DELETE to different tables, affecting data integrity.
`PG-RULE-DROP`	🟠 high	DROP RULE removes a query rewrite rule. If the rule enforced data routing or security constraints, those protections are removed.
`PG-OWNED-DROP`	🔴 critical	DROP OWNED removes all objects owned by the specified roles. This is a mass deletion operation that can cause significant data loss.
`PG-OWNED-REASSIGN`	🟠 high	REASSIGN OWNED transfers ownership of all objects from one role to another. Verify the target role has appropriate permissions.
`PG-TBLSPC-NEW`	🟢 low	CREATE TABLESPACE defines a new storage location for database objects.
`PG-TBLSPC-CHG`	🟡 medium	ALTER TABLESPACE modifies storage configuration (location, options, ownership). Review impact on I/O performance and storage allocation.
`PG-TBLSPC-DROP`	🟡 medium	DROP TABLESPACE removes a storage location. Objects in this tablespace must be relocated first.
`PG-PUB-CHG`	🟡 medium	Logical replication publication modified. Changes affect which data is replicated to subscribers.
`PG-SUB-CHG`	🟡 medium	Logical replication subscription modified. Changes affect data replication from the publisher.
`PG-SYS-CFG-CHG`	🔴 critical	ALTER SYSTEM modifies server-level configuration parameters. This affects all databases and users on the server. Changes take effect after reload/restart.
`PG-TBL-LOCK`	🟠 high	Explicit table lock acquired. This can cause blocking and deadlocks. Verify the lock mode is appropriate.
`PG-RULE-CASCADE-DROP`	🟠 high	DROP RULE ... CASCADE removes the rule AND all dependent objects. Cascading drops can affect data integrity constraints.
`PG-SEQ-DROP`	🟢 low	DROP SEQUENCE removes a sequence generator. Columns using this sequence for defaults will break.
`PG-SEQ-CASCADE-DROP`	🟡 medium	DROP SEQUENCE ... CASCADE removes the sequence and all dependent objects (columns with DEFAULT nextval, etc.).
`PG-TYPE-DROP`	🟢 low	DROP TYPE removes a user-defined type. Columns or functions using this type will break.
`PG-TYPE-CASCADE-DROP`	🟡 medium	DROP TYPE ... CASCADE removes the type and all dependent columns, functions, and casts.
`PG-ANON-EXEC`	🟠 high	DO $ block executes anonymous code. Cannot be tracked by name, audited, or rolled back. Review for privilege escalation, data modification, and unintended side effects.

Databricks (DBX-xxx)

Rule ID	Risk	Description
`DBX-GRT-CAT-ALLPRIV`	🔴 critical	GRANT ALL PRIVILEGES ON CATALOG detected. This grants every privilege on the entire Unity Catalog namespace — including all schemas, tables, views, and volumes within it. Use fine-grained grants (e.g., USE CATALOG, CREATE SCHEMA) instead.
`DBX-GRT-CAT-MANAGE`	🔴 critical	GRANT MANAGE ON CATALOG detected. MANAGE provides broad administrative control over Unity Catalog objects and permissions. Verify this grant is explicitly approved.
`DBX-GRT-CAT-MODIFY`	🔴 critical	GRANT MODIFY ON CATALOG detected. MODIFY in Databricks combines INSERT, UPDATE, and DELETE privileges on ALL current and future tables in the catalog. This is equivalent to granting full DML on every table. Use schema- or table-level grants instead.
`DBX-GRT-SCHEMA-MANAGE`	🟠 high	GRANT MANAGE ON SCHEMA detected. MANAGE allows delegated privilege administration within the schema. Ensure least-privilege scope and approval.
`DBX-GRT-SCHEMA-MODIFY`	🟠 high	GRANT MODIFY ON SCHEMA detected. MODIFY combines INSERT, UPDATE, and DELETE on all current and future tables in the schema. Verify this scope is intended.
`DBX-GRT-VOL-MANAGE`	🟠 high	GRANT MANAGE ON VOLUME detected. This enables broad administration over Unity Catalog volume access and metadata. Verify governance intent.
`DBX-GRT-EXTUSE-LOC`	🔴 critical	GRANT EXTERNAL USE LOCATION detected. This allows temporary credential vending for external processing engines to access Unity Catalog external locations. CRITICAL data exfiltration risk — ALL PRIVILEGES intentionally excludes this privilege.
`DBX-GRT-EXTUSE-SCHEMA`	🔴 critical	GRANT EXTERNAL USE SCHEMA detected. This allows temporary credential vending for external engines to access tables via Iceberg REST APIs. CRITICAL data exfiltration risk — ALL PRIVILEGES intentionally excludes this privilege.
`DBX-GRT-EXTLOC-WRFILES`	🟠 high	GRANT WRITE FILES detected. This allows direct writes to cloud object storage configured as an external location. Databricks recommends using WRITE VOLUME instead for governed access.
`DBX-GRT-EXTLOC-RDFILES`	🟡 medium	GRANT READ FILES detected. This allows direct reads from cloud object storage configured as an external location. Databricks recommends using READ VOLUME instead for governed access.
`DBX-GRT-CRED-CREATE`	🟠 high	GRANT CREATE STORAGE CREDENTIAL detected. This allows the grantee to create new cloud storage credentials in the metastore — a highly privileged infrastructure operation.
`DBX-GRT-EXTLOC-CREATE`	🟠 high	GRANT CREATE EXTERNAL LOCATION detected. This allows the grantee to map new cloud storage paths into Unity Catalog — a privileged infrastructure operation.
`DBX-GRT-SHARE-SETPERM`	🟠 high	GRANT SET SHARE PERMISSION detected. Combined with USE SHARE and USE RECIPIENT, this enables the grantee to share data with external organizations via Delta Sharing. Verify data-sharing authorization.
`DBX-RVK-CAT-ALLPRIV`	🟠 high	REVOKE ALL PRIVILEGES ON CATALOG detected. This can immediately remove broad access and disrupt workloads. Verify blast radius and rollout timing.
`DBX-RVK-CAT-MANAGE`	🟡 medium	REVOKE MANAGE ON CATALOG detected. Catalog-level administrative control is being removed from a principal. Verify this is expected and staged to avoid operational disruption.
`DBX-CRED-NEW`	🟡 medium	Storage credential created. This grants cloud storage access (e.g., IAM role, service account) to Unity Catalog. Verify the credential is authorized and follows least-privilege principles.
`DBX-CRED-OWNER-CHG`	🟠 high	Storage credential ownership transferred. The new owner gains full control over cloud storage access. Verify this transfer is authorized.
`DBX-CRED-NAME-CHG`	🟡 medium	Storage credential renamed. External locations referencing the old name may need to be updated.
`DBX-SCHEMA-MGLOC`	🟡 medium	Schema created with MANAGED LOCATION. Data storage location overrides catalog/metastore default. Verify external location permissions.
`DBX-SCHEMA-LOC`	🟢 low	Schema created with custom LOCATION. Data will be stored at specified path instead of default warehouse directory.
`DBX-SCHEMA-OWNER-CHG`	🟠 high	Schema ownership transferred via OWNER TO. New owner gains full control including DROP privileges. Verify authorization.
`DBX-SCHEMA-PREDOPT-CHG`	🟢 low	Schema predictive optimization setting changed. This affects automatic optimization behavior for objects in the schema.
`DBX-SCHEMA-COLLAT-CHG`	🟢 low	Schema default collation changed. New objects in the schema will use the updated collation. Existing objects are not affected.
`DBX-SCHEMA-DBPROPS-CHG`	🟡 medium	Schema DBPROPERTIES modified. Database properties affect schema metadata and may impact behavior.
`DBX-CAT-NEW`	🟢 low	CREATE CATALOG provisions a new Unity Catalog namespace. All schemas, tables, and other objects within will inherit its permissions and default settings.
`DBX-CAT-OWNER-CHG`	🟠 high	ALTER CATALOG ... OWNER TO transfers full administrative control of the catalog. The new owner gains MANAGE permissions on all objects within. Verify the target principal is authorized.
`DBX-CAT-CASCADE-DROP`	🔴 critical	DROP CATALOG CASCADE destroys the catalog AND all contained schemas, tables, views, and functions. This is an irreversible bulk data-loss operation.
`DBX-CAT-DROP`	🟠 high	DROP CATALOG removes a Unity Catalog namespace. The catalog must be empty unless CASCADE is specified. Verify no downstream dependencies exist.
`DBX-CAT-TAG-CHG`	🟡 medium	Catalog-level tags modified. Tags control governance policies (masking, row filters) across all objects in the catalog. Verify tag values are intentional.
`DBX-CAT-TAG-RMV`	🟡 medium	Catalog-level tags removed. Removing tags may disable governance policies (masking, row filtering) that depend on them.
`DBX-CAT-PREDOPT-CHG`	🟢 low	Predictive optimization setting changed on catalog. This affects automatic maintenance operations (OPTIMIZE, VACUUM) for all tables within the catalog.
`DBX-VOL-NEW`	🟢 low	CREATE VOLUME provisions a new Unity Catalog volume for file storage. External volumes reference cloud storage; managed volumes are fully governed by Unity Catalog.
`DBX-VOL-OWNER-CHG`	🟠 high	ALTER VOLUME ... OWNER TO transfers full administrative control of the volume. The new owner gains MANAGE permissions on the volume and its contents.
`DBX-VOL-DROP`	🟠 high	DROP VOLUME removes a Unity Catalog volume. Managed volumes lose stored files after 7 days; external volumes lose only metadata. This cannot be undone.
`DBX-VOL-NAME-CHG`	🟡 medium	ALTER VOLUME ... RENAME TO changes the volume name. Existing file paths referencing /Volumes/catalog/schema/old_name will break.
`DBX-VOL-TAG-CHG`	🟢 low	Volume-level tags modified. Tags enable governance classification and policy enforcement on the volume.
`DBX-VOL-TAG-RMV`	🟡 medium	Volume-level tags removed. Removing tags may disable governance policies that depend on them for the volume.
`DBX-EXTLOC-NEW`	🟡 medium	External location created. This maps a cloud storage path to a Unity Catalog location with a storage credential. Verify the URL and credential are authorized.
`DBX-EXTLOC-URL-CHG`	🟡 medium	External location URL modified. This changes the mapped cloud storage path for the location. Verify the new URL is intended and access boundaries remain correct.
`DBX-EXTLOC-CRED-CHG`	🟠 high	External location storage credential changed. This alters which cloud principal accesses the storage path. Verify least-privilege access and authorization boundaries.
`DBX-EXTLOC-OWNER-CHG`	🟠 high	External location ownership transferred. The new owner gains administrative control over the location and its storage mapping. Verify this transfer is authorized.
`DBX-EXTLOC-DROP`	🟠 high	External location dropped. Unity Catalog objects relying on this location may lose access to underlying cloud storage. Verify dependency impact before dropping.
`DBX-CONN-NEW`	🟡 medium	External connection created. This establishes a federated connection to an external data system (e.g., PostgreSQL, MySQL, Snowflake). Verify the connection type, host, and credentials are authorized.
`DBX-CONN-DROP`	🟠 high	External connection dropped. Foreign catalogs and federated queries depending on this connection will fail. Verify no active resources depend on this connection.
`DBX-CONN-OWNER-CHG`	🟠 high	External connection ownership transferred. The new owner gains full control over the federated connection and its credentials. Verify this transfer is authorized.
`DBX-CONN-NAME-CHG`	🟡 medium	External connection renamed. Foreign catalogs and queries referencing the old connection name may need to be updated.
`DBX-CONN-CHG`	🟡 medium	External connection options changed. Connection credentials (host, port, password) have been modified. Verify the new options are correct and authorized.
`DBX-CRED-DROP`	🟠 high	Storage credential dropped. External locations and tables depending on this credential will lose access. Verify no active resources depend on this credential.
`DBX-FLOW-NEW`	🟢 low	CREATE FLOW defines a Lakeflow CDC pipeline (AUTO CDC INTO or APPLY CHANGES INTO). Verify keys, sequencing, and SCD mode align with data governance expectations.
`DBX-TBL-PROPS-CHG`	🟡 medium	Delta table properties modified via SET TBLPROPERTIES. Properties like delta.deletedFileRetentionDuration, delta.logRetentionDuration, or delta.appendOnly control data retention, time travel, and mutability. Verify the new values are authorized and won't cause data loss.
`DBX-TBL-PROPS-RMV`	🟠 high	Delta table properties removed via UNSET TBLPROPERTIES. Removing properties like delta.deletedFileRetentionDuration or delta.appendOnly resets them to system defaults, which may reduce retention periods or re-enable mutations on append-only tables.
`DBX-TBL-CLUSTER-OFF`	🟠 high	CLUSTER BY NONE disables liquid clustering on a Delta table. Newly inserted or updated data will no longer be clustered, degrading query performance over time. OPTIMIZE will no longer recluster data. Verify this is intentional.
`DBX-TBL-CLONE-SHALLOW`	🟡 medium	SHALLOW CLONE created. Shallow clones share underlying data files with the source table — they do not duplicate data. If the source table is VACUUM'd or dropped, the clone may become unreadable. Prefer DEEP CLONE for durable, independent copies.
`DBX-TBL-OPT`	🟢 low	OPTIMIZE compacts small files in a Delta table. May be resource-intensive on large tables — schedule during off-peak hours.
`DBX-VACUUM-ZERO`	🔴 critical	VACUUM RETAIN 0 HOURS. All historical data files will be permanently deleted immediately, destroying time travel capability and breaking any concurrent operations. This is irreversible data loss.
`DBX-VACUUM-LOWRET`	🟠 high	VACUUM with retention period below 7 days (168 hours). This may delete data files needed for time travel or concurrent operations, leading to data loss or query failures.
`DBX-TBL-RESTORE`	🟠 high	RESTORE reverts a Delta table to a previous version. This is a data-modifying operation that replaces the current table state with a prior snapshot — downstream consumers may see unexpected data.
`DBX-MERGE-SCHEMA-EVO`	🟡 medium	MERGE WITH SCHEMA EVOLUTION enabled. Target Delta table schema may be automatically altered to match source columns. Validate schema-governance controls and downstream compatibility.
`DBX-TBL-CACHE`	🟢 low	CACHE TABLE caches a table or query result in Spark's in-memory cache. This consumes cluster memory and may affect other workloads. Schedule during off-peak hours for large tables.
`DBX-TBL-UNCACHE`	🟢 low	UNCACHE TABLE removes a table from Spark's in-memory cache. Subsequent queries will read from storage, which may increase latency.

Informational (INFO-xxx)

Rule ID	Risk	Description
`INFO-SNW-PIPE-ERRINT`	⚪ info	Error integration configured on pipe. Error notifications will be sent.
`INFO-UDF-SECURE-ADD`	⚪ info	Function secured. Function body is now hidden from users without ownership.
`INFO-PROC-SECURE-ADD`	⚪ info	Procedure secured. Procedure body is now hidden from users without ownership.
`INFO-SNW-WH-RESMON`	⚪ info	Resource monitor assigned to warehouse. Cost governance in place.
`INFO-TBL-CLONE`	⚪ info	Table cloned. CLONE creates a copy of a table. In Snowflake, clones are zero-copy and share storage until modified. In Databricks, SHALLOW clones share data files while DEEP clones duplicate them.
`INFO-DBX-TBL-HIST`	⚪ info	DESCRIBE HISTORY retrieves the provenance log for a Delta table. This is a read-only audit operation — no data is modified.
`INFO-DBX-TBL-REPAIR`	⚪ info	REPAIR TABLE (MSCK REPAIR TABLE) updates the Hive metastore partition metadata for a partitioned table. This is a metadata maintenance operation; it does not rewrite table data.
`INFO-DBX-TBL-CLUSTER-CFG`	⚪ info	Liquid clustering configured on Delta table. Run OPTIMIZE to apply clustering to existing data.
`INFO-DBX-TBL-CACHE-LAZY`	⚪ info	CACHE LAZY TABLE registers a table for deferred caching — data is only cached on first access. Lower impact than eager CACHE TABLE.
`INFO-Q-PRED-TEMPORAL`	⚪ info	Temporal predicate detected using CURRENT_DATE/CURRENT_TIMESTAMP. Results change daily, affecting cache hit rates.
`INFO-MSSQL-HINT`	⚪ info	T-SQL table hint detected. Table hints override default locking and query plan behavior. Ensure hints are intentional and reviewed during code changes.
`INFO-MSSQL-IDENTITY-INSERT-OFF`	⚪ info	SET IDENTITY_INSERT OFF restores normal IDENTITY column behavior. Positive signal: auto-increment protection re-enabled.
`INFO-MSSQL-SET-OPTION`	⚪ info	T-SQL session option changed via SET. Session options (NOCOUNT, ANSI_NULLS, XACT_ABORT, etc.) affect query behavior and error handling for the current session.
`INFO-MSSQL-EXTMDL-DROP`	🟢 low	DROP EXTERNAL MODEL removes an AI endpoint registration. Positive signal: reduces external attack surface. Verify no dependent queries rely on this model.
`INFO-PG-DOMAIN-NEW`	⚪ info	Domain created. Positive governance signal — custom type constraints are being defined.
`INFO-PG-DOMAIN-CONSTR-ADD`	⚪ info	Constraint added to domain. Positive governance signal — data validation is being strengthened.
`INFO-PG-RLS-NEW`	⚪ info	Row-level security policy created. Positive governance signal — data access is being restricted at the row level.
`INFO-PG-IDX-NEW`	⚪ info	CREATE INDEX adds an index. Positive governance signal — improves query performance.
`INFO-PG-TRIG-ON`	⚪ info	ALTER TABLE ... ENABLE TRIGGER restores trigger firing. Positive signal: security/audit enforcement re-activated.
`INFO-PG-SEQ-NEW`	⚪ info	CREATE SEQUENCE defines a new sequence generator.
`INFO-PG-SEQ-CHG`	⚪ info	ALTER SEQUENCE modifies a sequence generator. Changes to INCREMENT, RESTART, or ownership may affect dependent tables.
`INFO-PG-TYPE-NEW`	⚪ info	CREATE TYPE defines a new composite, enum, or range type.
`INFO-PG-TYPE-CHG`	⚪ info	ALTER TYPE modifies a user-defined type (add/rename values, change owner, etc.).
`INFO-DB-NEW`	⚪ info	Database created. New database provisioned.
`INFO-SCHEMA-NEW`	⚪ info	Schema created. New schema provisioned.
`INFO-TBL-UNDROP`	⚪ info	Table recovered using UNDROP. Previously dropped table has been restored.
`INFO-TYPE-UNDROP`	⚪ info	UNDROP TYPE recovers a previously dropped user-defined type from Snowflake Time Travel.
`INFO-DB-UNDROP`	⚪ info	Database recovered using UNDROP. Previously dropped database has been restored.
`INFO-SCHEMA-UNDROP`	⚪ info	Schema recovered using UNDROP. Previously dropped schema has been restored.
`INFO-PG-MAINT-VACUUM`	⚪ info	VACUUM reclaims storage and updates statistics. Routine maintenance operation.
`INFO-PG-MAINT-ANALYZE`	⚪ info	ANALYZE updates table statistics for the query planner. Routine maintenance operation.
`INFO-PG-MAINT-CLUSTER`	⚪ info	CLUSTER reorders table data according to an index. May cause brief lock on the table.
`INFO-PG-NOTIFY-SUB`	⚪ info	LISTEN subscribes to a notification channel.
`INFO-PG-NOTIFY-SEND`	⚪ info	NOTIFY sends a notification on a channel.
`INFO-PG-NOTIFY-UNSUB`	⚪ info	UNLISTEN unsubscribes from a notification channel.
`INFO-PG-AGG-NEW`	⚪ info	CREATE AGGREGATE defines a new aggregate function.
`INFO-PG-OP-NEW`	⚪ info	CREATE OPERATOR defines a new operator.
`INFO-COMMENT-CHG`	⚪ info	COMMENT ON modifies object metadata. Positive governance signal — improves documentation.
`INFO-DBX-CAT-COMMENT-CHG`	⚪ info	COMMENT ON CATALOG modifies Unity Catalog metadata. Positive governance signal — improves catalog documentation and discoverability.
`INFO-DBX-VOL-COMMENT-CHG`	⚪ info	COMMENT ON VOLUME modifies Unity Catalog volume metadata. Positive governance signal — improves storage documentation.
`INFO-DBX-CONN-COMMENT-CHG`	⚪ info	COMMENT ON CONNECTION modifies Unity Catalog connection metadata. Positive governance signal — documents external data source purpose and ownership.
`INFO-MSSQL-EXEC-PROC`	⚪ info	Stored procedure executed via EXEC. Audit trail: verify the procedure exists and caller has EXECUTE permission.
`INFO-MSSQL-VECIDX-NEW`	⚪ info	CREATE VECTOR INDEX adds a DiskANN vector similarity index. This enables approximate nearest-neighbor search on embedding columns. Review: metric type (cosine/dot/euclidean), MAXDOP setting, and storage impact on the target filegroup.

Other

Rule ID	Risk	Description
`PRIV-ON-FUTURE`	🟡 medium	ON FUTURE grant expands to objects not yet created.
`MSSQL-OPENROWSET-INLINE-CRED`	🔴 critical	OPENROWSET called with an inline connection string containing credentials. T-SQL `OPENROWSET('provider', 'Server=...;PWD=...', ...)` exposes the password in the SQL text and reaches an arbitrary external server. Use a linked-server with stored credentials, or a SQL Server credential object, not inline connection strings.
`RS-DIST-ALL`	🟡 medium	DISTSTYLE ALL replicates the entire table to every compute node. Storage and load cost scale with cluster size; it is intended only for small, slowly-changing dimension tables. Verify the table is small enough to justify full replication.
`RS-BACKUP-NO`	🟠 high	BACKUP NO excludes this table from automated and manual cluster snapshots. Its data is NOT recoverable from a snapshot restore. Confirm the table is genuinely transient (e.g. staging/scratch) before disabling backups.
`RS-SORTKEY-INTERLEAVED`	⚪ info	INTERLEAVED SORTKEY weights every sort column equally but carries higher VACUUM REINDEX maintenance cost and degrades as the table grows. Prefer COMPOUND SORTKEY unless queries filter on many sort columns independently.
`RS-DATASHARE-NEW`	🟢 low	Datashare created (Redshift cross-account / cross-cluster data-sharing object). Objects added to it become queryable by consumer namespaces or AWS accounts; review what gets shared.
`RS-DATASHARE-PUBLIC`	🔴 critical	Datashare set PUBLICACCESSIBLE TRUE — its objects are shareable with ANY AWS account, not just authorized consumer namespaces. This is a broad cross-account data-exposure surface. Confirm public accessibility is intended.
`RS-DATASHARE-OBJ-ADD`	🟢 low	Object added to a datashare — it becomes queryable by the datashare's consumer accounts/namespaces. Verify the table or schema is authorized for cross-account sharing.
`RS-DATASHARE-INCLUDENEW`	🟡 medium	Datashare set to auto-include newly created objects (INCLUDENEW) for a schema — future tables/views are shared with consumers automatically, with no per-object review. Verify implicit sharing of future objects is intended.
`CAT-TBL-UNKNOWN`	🟡 medium	Query references a table that is not present in the attached catalog. The table may be misspelled, dropped, or in a schema/database the catalog snapshot does not cover.
`CAT-COL-UNKNOWN`	🟡 medium	Query references a column that is not declared on its table per the attached catalog. The column may be misspelled, dropped, or added in a schema the catalog snapshot does not cover.
`CAT-COL-AMBIGUOUS`	🟡 medium	Query contains an unqualified column reference that resolves to two or more in-scope tables per the attached catalog. Qualify the column with its source table to avoid surprising binding behavior.
`MSSQL-HINT-DIRTYREAD`	🟠 high	Table hint NOLOCK or READUNCOMMITTED allows reading uncommitted data. Queries may return phantom rows, partially-written rows, or miss rows entirely. This is NOT a free performance optimization.
`MSSQL-HINT-XLOCK`	🟡 medium	Table hint TABLOCKX or XLOCK requests exclusive locks, blocking all concurrent readers and writers. This can cause severe contention and deadlocks in production workloads.
`MSSQL-HINT-INDEX`	🟡 medium	INDEX hint forces a specific index, overriding the query optimizer. The forced index may become stale as data distribution changes, or may be dropped/renamed, causing query failures.
`MSSQL-HINT-FORCESCAN`	🟡 medium	FORCESCAN forces a full table or index scan, bypassing index seeks. Unless intentional for analytics workloads, this typically degrades performance on large tables.
`MSSQL-HINT-FORCESEEK`	🟢 low	FORCESEEK forces the optimizer to use an index seek. While generally safe, this overrides the optimizer's cost-based decision and may degrade performance when a scan would be more efficient.
`MSSQL-BULK-INSERT`	🟡 medium	BULK INSERT loading data from external file. External file access requires ADMINISTER BULK OPERATIONS permission. Verify file path, format options, and data validation.
`MSSQL-EXTMDL-NEW`	🟠 high	CREATE EXTERNAL MODEL registers an external AI endpoint (e.g., Azure OpenAI). Data sent to this model leaves the SQL Server boundary. Review: endpoint URL, credential scope, and data classification of columns that will be embedded or sent for inference.
`MSSQL-EXTMDL-RMT`	🟠 high	External AI model establishes a remote connection to an external service. Verify the endpoint URL is trusted, the credential has minimal required scope, and network egress rules permit this traffic.
`MSSQL-EXTMDL-CHG`	🟡 medium	ALTER EXTERNAL MODEL modifies an AI endpoint configuration. This could change the target service URL, credentials, or model name. Verify the new configuration doesn't expand data exposure.
`MSSQL-LOGIN-NEW`	🟠 high	CREATE LOGIN adds a new server-level authentication principal. This grants the ability to connect to the SQL Server instance. Review: authentication method (password, certificate, Windows, or external provider), password policy, and intended access scope.
`MSSQL-USER-NEW`	🟠 high	CREATE USER adds a new database-level authorization principal. This user can be granted permissions on database objects. Review: whether the user maps to a login (FOR LOGIN), is contained (WITH PASSWORD), or has no login (WITHOUT LOGIN for service accounts).
`MSSQL-IDENTITY-INSERT-ON`	🟠 high	SET IDENTITY_INSERT ON allows explicit values in IDENTITY columns, bypassing auto-increment. This can cause key collisions, break referential integrity, and indicates manual data manipulation. Ensure this is intentional and temporary.
`MSSQL-LOGIN-EXT`	🟠 high	CREATE LOGIN FROM EXTERNAL PROVIDER configures authentication via an external identity provider (e.g., Microsoft Entra ID). Verify: the OBJECT_ID maps to the correct external identity, the TYPE (E=user, X=group/app) is intentional, and the external provider trust relationship is established.
`MSSQL-USER-EXT`	🟠 high	CREATE USER FROM EXTERNAL PROVIDER maps a database user to an external identity (Microsoft Entra ID). Verify: the OBJECT_ID matches the intended external principal, and the external provider configuration is correct.
`SPECTRUM-EXTDATA-NEW`	⚪ info	Redshift Spectrum external schema registers an external data source (Glue Data Catalog / Hive Metastore / federated database). Data queried through it crosses the cluster boundary; verify the IAM role is least-privilege and the external database/location is authorized.
`TRIG-CHG`	🟡 medium	Trigger altered. Review the updated trigger configuration.
`TRIG-DROP`	🟠 high	Trigger dropped. Automated logic previously enforced by this trigger will no longer execute. Verify data integrity.
`TRIG-NEW`	🟡 medium	Trigger created. Triggers execute automatically and can have significant performance and security implications. Review the trigger function.
`MSSQL-XP-CMDSHELL`	🔴 critical	EXEC xp_cmdshell invokes the OS shell from SQL Server. xp_cmdshell runs arbitrary shell commands with the SQL Server service account's privileges (often LocalSystem or a domain account) and is a primary lateral-movement vector after a SQL injection compromise. Disable xp_cmdshell unless absolutely required; if required, restrict to sysadmin only.
`MSSQL-SPCONFIG-XPCMDSHELL`	🔴 critical	sp_configure invoked with 'xp_cmdshell' option. This is the prerequisite to enabling xp_cmdshell at the server level. After this call + RECONFIGURE, EXEC xp_cmdshell can run OS commands. Verify intent and audit the surrounding context.
`DNY-PRIV`	🟡 medium	DENY statement detected. Explicit privilege denial overrides GRANT and blocks access. Verify this is intentional and documented.
`DNY-ALL-PRIV`	🟠 high	DENY ALL PRIVILEGES detected. This blocks all access to the securable and overrides any existing grants.
`DNY-TO-PUBLIC`	🔴 critical	DENY to PUBLIC detected — affects ALL database users/principals. This overrides individual grants and may require admin-level intervention to reverse.
`DNY-CASCADE`	🟠 high	DENY with CASCADE detected. This propagates the denial to all principals who received the privilege via the target principal.
`DNY-AS-PRINCIPAL`	🟠 high	DENY with AS clause detected. This executes the denial on behalf of another principal, which may indicate privilege escalation or impersonation.
`SCRIPT-SILENT-HANDLER`	🟠 high	DECLARE CONTINUE HANDLER FOR SQLEXCEPTION without RESIGNAL silently swallows all errors. This is the SQL equivalent of a bare 'except: pass' — failures will be invisible and the procedure will continue with potentially corrupt state. Add RESIGNAL to re-raise after logging, or use EXIT HANDLER instead.

Generated from builtin_rules.yaml at build time.