MR
Mayur Rathi
@github
⭐ 34.1k GitHub stars

Sql-Code-Review

Sql-Code-Review is an code AI skill with a core value of Universal SQL code review assistant that performs comprehensive security, maintainability, and code quality analysis across all SQL databases (MySQL, PostgreSQL, SQL Server, Oracle). It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

Universal SQL code review assistant that performs comprehensive security, maintainability, and code quality analysis across all SQL databases (MySQL, PostgreSQL, SQL Server, Oracle). Focuses on SQL in

Last verified on: 2026-07-14

Quick Facts

Category code
Works With Claude, GitHub Copilot
Source github/awesome-copilot
Stars ⭐ 34.1k
Last Verified 2026-07-14
Risk Level Low
mkdir -p ./skills/sql-code-review && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/sql-code-review/SKILL.md -o ./skills/sql-code-review/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# SQL Code Review


Perform a thorough SQL code review of ${selection} (or entire project if no selection) focusing on security, performance, maintainability, and database best practices.


🔒 Security Analysis


SQL Injection Prevention

sql
-- ❌ CRITICAL: SQL Injection vulnerability
query = "SELECT * FROM users WHERE id = " + userInput;
query = f"DELETE FROM orders WHERE user_id = {user_id}";

-- ✅ SECURE: Parameterized queries
-- PostgreSQL/MySQL
PREPARE stmt FROM 'SELECT * FROM users WHERE id = ?';
EXECUTE stmt USING @user_id;

-- SQL Server
EXEC sp_executesql N'SELECT * FROM users WHERE id = @id', N'@id INT', @id = @user_id;

Access Control & Permissions

- **Principle of Least Privilege**: Grant minimum required permissions

- **Role-Based Access**: Use database roles instead of direct user permissions

- **Schema Security**: Proper schema ownership and access controls

- **Function/Procedure Security**: Review DEFINER vs INVOKER rights


Data Protection

- **Sensitive Data Exposure**: Avoid SELECT * on tables with sensitive columns

- **Audit Logging**: Ensure sensitive operations are logged

- **Data Masking**: Use views or functions to mask sensitive data

- **Encryption**: Verify encrypted storage for sensitive data


⚡ Performance Optimization


Query Structure Analysis

sql
-- ❌ BAD: Inefficient query patterns
SELECT DISTINCT u.* 
FROM users u, orders o, products p
WHERE u.id = o.user_id 
AND o.product_id = p.id
AND YEAR(o.order_date) = 2024;

-- ✅ GOOD: Optimized structure
SELECT u.id, u.name, u.email
FROM users u
INNER JOIN orders o ON u.id = o.user_id
WHERE o.order_date >= '2024-01-01' 
AND o.order_date < '2025-01-01';

Index Strategy Review

- **Missing Indexes**: Identify columns that need indexing

- **Over-Indexing**: Find unused or redundant indexes

- **Composite Indexes**: Multi-column indexes for complex queries

- **Index Maintenance**: Check for fragmented or outdated indexes


Join Optimization

- **Join Types**: Verify appropriate join types (INNER vs LEFT vs EXISTS)

- **Join Order**: Optimize for smaller result sets first

- **Cartesian Products**: Identify and fix missing join conditions

- **Subquery vs JOIN**: Choose the most efficient approach


Aggregate and Window Functions

sql
-- ❌ BAD: Inefficient aggregation
SELECT user_id, 
       (SELECT COUNT(*) FROM orders o2 WHERE o2.user_id = o1.user_id) as order_count
FROM orders o1
GROUP BY user_id;

-- ✅ GOOD: Efficient aggregation
SELECT user_id, COUNT(*) as order_count
FROM orders
GROUP BY user_id;

🛠️ Code Quality & Maintainability


SQL Style & Formatting

sql
-- ❌ BAD: Poor formatting and style
select u.id,u.name,o.total from users u left join orders o on u.id=o.user_id where u.status='active' and o.order_date>='2024-01-01';

-- ✅ GOOD: Clean, readable formatting
SELECT u.id,
       u.name,
       o.total
FROM users u
LEFT JOIN orders o ON u.id = o.user_id
WHERE u.status = 'active'
  AND o.order_date >= '2024-01-01';

Naming Conventions

- **Consistent Naming**: Tables, columns, constraints follow consistent patterns

- **Descriptive Names**: Clear, meaningful names for database objects

- **Reserved Words**: Avoid using database reserved words as identifiers

- **Case Sensitivity**: Consistent case usage across schema


Schema Design Review

- **Normalization**: Appropriate normalization level (avoid over/under-normalization)

- **Data Types**: Optimal data type choices for storage and performance

- **Constraints**: Proper use of PRIMARY KEY, FOREIGN KEY, CHECK, NOT NULL

- **Default Values**: Appropriate default values for columns


🗄️ Database-Specific Best Practices


PostgreSQL

sql
-- Use JSONB for JSON data
CREATE TABLE events (
    id SERIAL PRIMARY KEY,
    data JSONB NOT NULL,
    created_at TIMESTAMPTZ DEFAULT NOW()
);

-- GIN index for JSONB queries
CREATE INDEX idx_events_data ON events USING gin(data);

-- Array types for multi-value columns
CREATE TABLE tags (
    post_id INT,
    

🎯 Best For

  • Engineering teams doing code reviews
  • Open source maintainers
  • Security auditors
  • DevSecOps teams
  • Compliance officers

💡 Use Cases

  • Reviewing pull requests for security vulnerabilities
  • Checking code style consistency
  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Sql-Code-Review to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Does this skill check for OWASP Top 10?

Security-focused review skills often include OWASP checks. Check the skill content for specific vulnerability categories covered.

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Is Sql-Code-Review compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Sql-Code-Review?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Sql-Code-Review?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/sql-code-review/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Blindly accepting AI suggestions

Always verify AI-generated review comments. Some suggestions may not apply to your specific codebase conventions.

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills