SQL Security Scan

Optimize every query. Eliminate SQL injection risks, enforce schema best practices, and safeguard PII/PHI data with real-time analysis before deployment.

What it does

The SQL Security Agent scans your SQL code and Databricks environments for security vulnerabilities (SQL injection, hardcoded credentials, PII exposure, and missing encryption), then automatically generates secure code fixes.

Think of it as your automated database security expert that finds vulnerabilities and writes the fixes for you.

You'll get:

  • SQL injection vulnerabilities detected and fixed

  • Hardcoded credentials replaced with secrets management

  • PII data (SSN, emails, phone numbers) automatically masked

  • Insecure joins and queries refactored

  • Auto-generated masking functions for production use

⏱️ Scan time: 2-5 minutes depending on SQL file size

Sample Prompts


Why use it

Instead of:

  • Manually reviewing SQL code for security issues

  • Writing PII masking functions from scratch

  • Guessing at privilege escalation risks

  • Spending hours on security audits

You get:

  • Automated vulnerability detection with fixes

  • AI-generated secure code (Claude Sonnet 4)

  • 98-99% accurate PII detection and masking

  • One-command scan-and-fix workflow

  • Compliance-ready security reports

Impact:

  • Zero SQL injection vulnerabilities

  • Automated PII protection (GDPR/HIPAA compliant)

  • Secure credentials management via Databricks secrets

  • Manual security reviews → automated 7-step process


What it scans

The agent detects and fixes these vulnerability types:

| Vulnerability | Severity | Standard | Auto-Fix |
| --- | --- | --- | --- |
| SQL Injection | 🔴 Critical | CWE-89 | ✅ Yes |
| Hardcoded Credentials | 🔴 Critical | CWE-798 | ✅ Yes |
| PII Exposure | 🟠 High | CWE-359 | ✅ Yes |
| Missing Encryption | 🟠 High | CWE-311 | ✅ Yes |
| Insecure Joins | 🟡 Medium | CWE-1286 | ✅ Yes |
| Over-Privileged Access | 🟠 High | CWE-269 | ⚠️ Manual |


How to use it

Basic scan and fix

Scan and automatically fix vulnerabilities in a SQL file:

or in natural language:


Specific scans

Detect PII in a table:

Compliance check:

Privilege analysis:


What you'll see

The 7-step scan-and-fix process


What you get

1. SQL Security Report

File: sql-security-report.html


2. Fixed SQL Files

File: queries_fixed.sql

Before (Vulnerable):

After (Secure):


3. Auto-Generated Masking Functions

File: pii_masking_functions.sql

Usage:


4. Before/After Comparison

Vulnerable Code:

Secure Code:


After the scan

1. Review and apply fixes

The agent shows you each fix with rationale:

  • Review the before/after code

  • Understand why the change improves security

  • Approve or reject each fix

  • Apply all approved fixes at once


2. Deploy masking functions

Use the auto-generated functions in production:


3. Migrate credentials to secrets

Replace hardcoded credentials with Databricks secrets:


4. Update privilege grants

For over-privileged accounts flagged:


5. Re-scan to verify

After applying fixes, verify everything is secure:

Expected result: ✅ No vulnerabilities found


Quality benchmarks

Use these standards to measure SQL security:

| Metric | Target | Purpose |
| --- | --- | --- |
| SQL Injection | 0 instances | Prevent data breaches |
| Hardcoded Credentials | 0 instances | Secure secrets management |
| PII Masking Coverage | 100% | Comply with GDPR/HIPAA |
| Encryption at Rest | Enabled | Protect sensitive data |
| Privilege Escalation | No admin grants | Least privilege principle |

Security levels:

  • ✅ Secure: 0 critical, 100% PII masked, secrets managed

  • ⚠️ Needs Work: 0 critical, partial PII masking

  • ❌ Vulnerable: Any critical findings, no PII masking
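To make the three auto-fixed classes from the "What it scans" table (CWE-89, CWE-798, CWE-359) and the security levels above concrete, here is a small line-oriented scanner added as an illustration; it is not the agent's own detection logic. The regex rules, the assumed PII column names, and the constructed SAMPLE_SQL input are this example's own assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    cwe: str
    severity: str
    line: int
    detail: str

# Heuristic rules written for this example (not the agent's own detection logic).
# CWE-89: dynamic SQL executed after being assembled by string concatenation.
INJECTION_RE = re.compile(r"(EXEC(UTE)?\s+IMMEDIATE|EXEC\s*\(|sp_executesql).*?(\|\||\+|CONCAT\s*\()", re.I)
# CWE-798: a credential-like keyword assigned a quoted literal.
CREDENTIAL_RE = re.compile(r"\b(password|pwd|secret|api[_-]?key|token)\b\s*[=:]?\s*['\"][^'\"]{4,}['\"]", re.I)
# CWE-359: a PII column read by a SELECT with no mask_*() call on the same line.
PII_COLUMNS = ("ssn", "email", "phone", "date_of_birth")  # assumed column names
MASK_RE = re.compile(r"\bmask_\w+\s*\(", re.I)

def scan_sql(sql: str) -> list[Finding]:
    """Line-oriented scan; a statement split across lines is only partly covered."""
    findings = []
    for lineno, raw in enumerate(sql.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("--"):  # skip blanks and comments
            continue
        if INJECTION_RE.search(line):
            findings.append(Finding("CWE-89", "Critical", lineno, "dynamic SQL built by concatenation"))
        if CREDENTIAL_RE.search(line):
            findings.append(Finding("CWE-798", "Critical", lineno, "credential literal in SQL"))
        if re.search(r"\bSELECT\b", line, re.I) and not MASK_RE.search(line):
            exposed = [c for c in PII_COLUMNS if re.search(rf"\b{c}\b", line, re.I)]
            if exposed:
                findings.append(Finding("CWE-359", "High", lineno, "unmasked PII: " + ", ".join(exposed)))
    return findings

def security_level(findings: list[Finding]) -> str:
    """Page's levels: any critical finding -> Vulnerable; unmasked PII only -> Needs Work."""
    if any(f.severity == "Critical" for f in findings):
        return "Vulnerable"
    if any(f.cwe == "CWE-359" for f in findings):
        return "Needs Work"
    return "Secure"

SAMPLE_SQL = """\
-- constructed sample input for this example, not from a real code base
CREATE TABLE patients (id INT, ssn STRING, email STRING);
SELECT id, mask_ssn(ssn) FROM patients;
SELECT email FROM patients WHERE id = 7;
EXECUTE IMMEDIATE 'SELECT * FROM patients WHERE id = ' || :user_input;
SET password = 'hunter2-prod';
"""
```

Running `scan_sql(SAMPLE_SQL)` reports the unmasked email read, the concatenated dynamic SQL and the credential literal, and `security_level` rates the file Vulnerable because two findings are critical.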


Common issues

"No vulnerabilities found" but I know there are issues?

  • Check that the file path is correct

  • Verify that the SQL syntax is valid

  • Try the specific scans: detect-pii, compliance

Auto-fixes breaking query logic?

  • Review the "Safety Verification" step output

  • Test fixed queries in non-prod first

  • Reject specific fixes and apply manually

Masking functions not working?

  • Check function syntax: SELECT mask_email('[email protected]')

  • Verify user permissions to create functions

  • Ensure the functions are in the correct database

PII detection missing fields?

  • Increase confidence threshold: --confidence 90

  • Add custom patterns: --pattern-file custom_pii.yaml

  • Review detection summary for false negatives

Secrets management errors?

  • Verify Databricks secrets scope exists

  • Check secret key names match code references

  • Test secret access: dbutils.secrets.get(scope, key)


Examples

Quick SQL security scan:

Full scan with auto-fix:

Find PII exposure:

Compliance check:

Privilege analysis:

Secure credentials:
