Use scan to grade a declarative schema and surface safety findings without a database. scan reads the declarative tree (or any --from source) and runs the rule packs against those files alone; it never opens a database connection.

Use this when

  • A repo needs a quick Postgres safety score.
  • CI should surface RLS, grant, and hygiene findings.
  • An onboarding check wants a baseline grade.

Run it

npx supaschema scan
npx supaschema scan --from dir:database/schemas
npx supaschema scan --reporter json
With no --from, scan reads the declarative tree from config.sources.to. Credentials are redacted from the output before anything is printed. The json reporter is the machine contract consumed by the GitHub Action; each report carries file, score, grade, errorCount, warningCount, and diagnostics.

Flags

--from <source>
    Source to scan. Defaults to the declarative tree (config.sources.to).
--reporter <text | json | github | sarif>
    Output format. Use json for Action PR comments and check runs. An unknown value exits 2 with an error.

What it scores

  • a composite safety score (0-100) and letter grade A-F;
  • table-naming hygiene;
  • RLS misconfiguration (enabled without a policy; policy without RLS; policy missing the predicate required for its command);
  • over-broad grants (to PUBLIC, ALL privileges, or roles outside hints.allowedGrantees).

Exit codes

Code  Meaning
0     Scan completed; warning-severity findings do not fail the run.
2     One or more error-severity findings, or an unknown --reporter value.
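To make the RLS and grant rules above and the exit-code contract concrete, here is an added, illustrative mini-scanner. It is not supaschema's code and does not reproduce its rule packs: it is a small regex-based checker over a constructed SQL file that emits findings in the same field shape as the documented JSON (file, errorCount, warningCount, diagnostics; score and grade are omitted because the page does not give the formula) and maps them to exit codes 0 and 2. The allowed-grantee set, the rule names, the error/warning split, and the command-to-clause mapping are all assumptions made for the example.

```python
"""Toy scanner for RLS and grant findings over a declarative SQL file.

Added example, not supaschema's own code. Rule names, severities, the
allowed-grantee list and the command -> clause mapping are assumptions.
"""
import json
import re
from dataclasses import asdict, dataclass

# Assumed stand-in for hints.allowedGrantees (not the tool's default).
ALLOWED_GRANTEES = {"authenticated", "service_role"}

# Assumed mapping: which clause a policy for a given command must carry.
REQUIRED_CLAUSE = {
    "select": "using", "delete": "using", "update": "using",
    "all": "using", "insert": "with check",
}

RLS_RE = re.compile(r"alter\s+table\s+([^\s;]+)\s+enable\s+row\s+level\s+security", re.I)
POLICY_RE = re.compile(r"create\s+policy\s+(\S+)\s+on\s+([^\s;]+)\s*(.*?);", re.I | re.S)
GRANT_RE = re.compile(r"grant\s+(.+?)\s+on\s+(?:table\s+)?([^\s;]+)\s+to\s+(.+?);", re.I | re.S)

# Constructed sample schema; every line is synthetic, not from any project.
SAMPLE_SQL = """
create table public.profiles (id uuid primary key, owner uuid not null);
alter table public.profiles enable row level security;
create policy profiles_select on public.profiles
  for select to authenticated using (owner = auth.uid());
create policy profiles_insert on public.profiles
  for insert to authenticated;                       -- missing WITH CHECK
create table public.audit (id bigint primary key);
alter table public.audit enable row level security;  -- RLS on, no policy
create table public.notes (id bigint primary key);
create policy notes_all on public.notes using (true); -- policy, RLS off
grant all on public.notes to public;                  -- PUBLIC and ALL
grant select on public.profiles to anon;              -- outside allowed list
grant select on public.profiles to authenticated;     -- fine
"""


@dataclass
class Diagnostic:
    rule: str
    severity: str  # "error" or "warning"; the split is an assumption
    table: str
    message: str


def _norm(ident: str) -> str:
    """Lower-case an identifier and strip quotes/semicolons."""
    return ident.strip().strip('";').lower()


def scan_sql(sql: str, file: str) -> dict:
    """Return a report shaped like the documented JSON fields (no score/grade)."""
    sql = re.sub(r"--[^\n]*", "", sql)  # drop line comments before matching
    diags: list[Diagnostic] = []

    rls_tables = {_norm(t) for t in RLS_RE.findall(sql)}
    policy_tables: set[str] = set()

    for name, table, body in POLICY_RE.findall(sql):
        table = _norm(table)
        policy_tables.add(table)
        if table not in rls_tables:  # policy is inert without RLS
            diags.append(Diagnostic("policy-without-rls", "error", table,
                                    f"policy {name} exists but RLS is not enabled"))
        cmd_match = re.search(r"\bfor\s+(select|insert|update|delete|all)\b", body, re.I)
        cmd = cmd_match.group(1).lower() if cmd_match else "all"
        need = REQUIRED_CLAUSE[cmd]
        if not re.search(need.replace(" ", r"\s+") + r"\s*\(", body, re.I):
            diags.append(Diagnostic("policy-missing-predicate", "error", table,
                                    f"policy {name} FOR {cmd.upper()} has no {need.upper()} clause"))

    for table in sorted(rls_tables - policy_tables):  # RLS on, nothing allowed through
        diags.append(Diagnostic("rls-enabled-no-policy", "warning", table,
                                "RLS enabled but no policy: all rows hidden from non-owners"))

    for privs, table, grantees in GRANT_RE.findall(sql):
        table = _norm(table)
        for grantee in (_norm(g) for g in grantees.split(",")):
            if grantee == "public":
                diags.append(Diagnostic("grant-to-public", "error", table,
                                        "privileges granted to PUBLIC"))
            elif grantee not in ALLOWED_GRANTEES:
                diags.append(Diagnostic("grantee-not-allowed", "error", table,
                                        f"grantee {grantee} is outside the allowed list"))
        if re.fullmatch(r"all(\s+privileges)?", privs.strip(), re.I):
            diags.append(Diagnostic("grant-all-privileges", "warning", table,
                                    "ALL privileges granted"))

    return {
        "file": file,
        "errorCount": sum(d.severity == "error" for d in diags),
        "warningCount": sum(d.severity == "warning" for d in diags),
        "diagnostics": [asdict(d) for d in diags],
    }


def exit_code(report: dict) -> int:
    """Documented contract: 2 on any error-severity finding, else 0."""
    return 2 if report["errorCount"] > 0 else 0


if __name__ == "__main__":
    report = scan_sql(SAMPLE_SQL, "database/schemas/public.sql")
    print(json.dumps(report, indent=2))
    raise SystemExit(exit_code(report))
```

Run as a script it prints the report for the constructed schema (four errors, two warnings) and exits 2, which is the behaviour a CI step keys on; a clean schema produces an empty diagnostics list and exit 0.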
Last modified on June 18, 2026