CLI Reference¶
Commands¶
generate¶
Generate code from SQL schema and queries.
| Flag | Default | Description |
|---|---|---|
-c, --config |
scythe.toml |
Path to config file |
Reads the config, parses schema and queries, runs type inference, and writes generated code to the configured output directory. If scythe.toml is not found, the command exits with an error.
check¶
Validate SQL without generating code. Runs parsing, analysis, and lint rules.
| Flag | Default | Description |
|---|---|---|
-c, --config |
scythe.toml |
Path to config file |
Exits with code 1 if any lint errors are found. Warnings are reported but do not cause failure.
lint¶
Lint SQL files for correctness, performance, and style.
| Flag | Default | Description |
|---|---|---|
-c, --config |
scythe.toml |
Path to config file |
--fix |
false | Auto-fix violations where possible |
--dialect |
ansi |
SQL dialect for sqruff rules |
files... |
(from config) | SQL files to lint directly |
Two modes:
- With config: Runs both scythe rules (schema-aware) and sqruff rules.
- With files: Runs sqruff rules only (no schema context).
fmt¶
Format SQL files using sqruff.
| Flag | Default | Description |
|---|---|---|
-c, --config |
scythe.toml |
Path to config file |
--check |
false | Report files needing formatting; exit 1 if any |
--diff |
false | Show unified diff of changes |
--dialect |
ansi |
SQL dialect for formatting rules |
files... |
(from config) | SQL files to format directly |
migrate¶
Convert a sqlc project to scythe format.
| Argument | Default | Description |
|---|---|---|
sqlc_config |
sqlc.yaml |
Path to sqlc config file (v1 or v2) |
Reads the sqlc config, converts query annotations from sqlc format to scythe format, and generates a scythe.toml.
audit¶
Run security rules over SQL schema and queries. Emits findings in human, SARIF, or JSON format. See the Audit guide for the full rule catalog and CI integration recipes.
| Flag | Default | Description |
|---|---|---|
-c, --config |
scythe.toml |
Path to config file |
--format |
human |
Output format: human, sarif, json |
--list-rules |
false | Print the rule catalog (id, name, severity, category) and exit 0 |
--explain <RULE_ID> |
-- | Print the description and CWE refs for a rule by id, then exit 0 |
--severity <LEVEL> |
-- | Drop findings below this severity (off, warn, error) |
--exit-zero |
false | Exit 0 even if error-severity findings are present (advisory CI gate) |
-o, --output <PATH> |
(stdout) | Write reporter output to a file instead of stdout |
--ignore-suppressions |
false | Disable inline -- scythe-audit: ignore[...] annotations |
--dialect <DIALECT> |
postgres |
SQL dialect for explicit-file mode (postgres, mysql, sqlite, mssql, oracle, snowflake) |
files... |
(from config) | SQL files to audit directly |
Exits with code 2 when any error-severity finding is present (unless --exit-zero is set). This is distinct from scythe lint exit code 1 so CI can tell apart lint failures from security failures.
inspect¶
Connect to a live database and run operational health checks — missing FK indexes, disabled RLS with policies, duplicate indexes. Emits findings in the same human/SARIF/JSON shape as scythe audit. See the Inspect guide for the full check catalog and CI integration recipes.
| Flag | Default | Description |
|---|---|---|
DATABASE_URL |
(from env) | Positional connection URL. Falls back to $DATABASE_URL, then $SCYTHE_DATABASE_URL |
--format |
human |
Output format: human, sarif, json |
--list-checks |
false | Print the check catalog (id, name, severity, description) and exit 0 |
--severity <LEVEL> |
-- | Drop findings below this severity (off, warn, error) |
--exit-zero |
false | Exit 0 even if error-severity findings are present (advisory CI gate) |
-o, --output <PATH> |
(stdout) | Write reporter output to a file instead of stdout |
--dialect <DIALECT> |
(from URL scheme) | Engine override: postgres (full), mysql (stub) |
Exits with code 2 when any error-severity finding is present (unless --exit-zero is set). Same convention as scythe audit.
Exit Codes¶
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error (lint failures, parse errors, etc.) |
| 2 | Audit failure (error-severity finding from scythe audit) |
Examples¶
# Generate code with default config
scythe generate
# Generate code with custom config path
scythe generate --config my-project.toml
# Check SQL validity
scythe check
# Lint with auto-fix
scythe lint --fix
# Lint specific files without a config
scythe lint --dialect postgres sql/*.sql
# Format check in CI
scythe fmt --check
# Preview formatting changes
scythe fmt --diff
# Migrate from sqlc
scythe migrate sqlc.yaml
# Audit a project for security issues
scythe audit
# List every audit rule
scythe audit --list-rules
# Explain a specific rule
scythe audit --explain SC-SEC10
# CI: emit SARIF for GitHub code scanning
scythe audit --format sarif -o audit.sarif
# Advisory mode (don't fail the build)
scythe audit --exit-zero
# Audit explicit files with a non-default dialect
scythe audit --dialect mysql sql/migrations/*.sql