Skip to content
/ SQL-Change-Guard Public

SQL Change Guard 🐙 is a secure, auditable SQL change tool for orgs. It validates, approves, and executes scripts with COBIT/ITIL workflows and audit trails.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Samo26/SQL-Change-Guard

BranchesTags

Repository files navigation

Release Badge

SQL Change Guard: Secure SQL Change Management & Compliance

A robust tool for analyzing, validating, and deploying SQL scripts with a full audit trail and strong compliance support. It blends code analysis, policy enforcement, sandbox testing, and governed deployment into a single, cohesive workflow. Built for teams that need dependable SQL script governance across databases, environments, and clouds.

Architecture Illustration

  • Topics: audit-trail,change-management,cobit,compliance,data-governance,database-deployment,database-security,enterprise-software,gdpr-compliance,itil,sandbox-testing,script-analysis,sox-compliance,sql-auditing,sql-risk-detection,sql-script,sql-server,sql-validation,static-analysis,wpf-application

  • Link to downloads: https://github.com/Samo26/SQL-Change-Guard/releases

Table of Contents

  • What is SQL Change Guard?
  • Why choose SQL Change Guard?
  • Core capabilities
  • How it works
  • System architecture
  • Data model and audit trail
  • Compliance alignment
  • Security and governance
  • Getting started
    • Requirements
    • Installation
    • Quick start guide
  • Using the UI
  • Using the CLI and automation
  • Sandbox testing and safe deployments
  • Script analysis and validation rules
  • Script lifecycle and versioning
  • Deployment scenarios
  • Extensibility and plugins
  • Testing and quality assurance
  • Local development and contribution
  • Documentation and help resources
  • Release management and maintenance
  • FAQ
  • License and credits
  • Support and community

What is SQL Change Guard? SQL Change Guard is a secure SQL change management tool. It analyzes, validates, and deploys SQL scripts while keeping a complete audit trail and supporting compliance requirements. The tool targets database teams, DevOps squads, and security offices that need repeatable, auditable processes for changing database schemas, objects, and permissions. It brings governance to the SQL script lifecycle, from authoring to deployment, with safeguards that reduce risk and improve traceability.

Why choose SQL Change Guard?

  • Clear, auditable workflows: Every script change goes through defined stages, with approvals and checks logged for traceability.
  • Risk-aware analysis: Static analysis checks look for risky patterns and anti-patterns in SQL scripts before they reach production.
  • Compliance-ready: The platform aligns with governance frameworks such as COBIT, SOX, GDPR, and ITIL practices, helping teams demonstrate control effectiveness.
  • Sandbox testing: Scripts can be executed in isolated environments to validate behavior without impacting live data.
  • Validated deployments: Deployments are planned, reviewed, and recorded, with reproducible results across environments.
  • Enterprise-ready: Designed for teams handling multiple databases, environments, and data categories with robust security and governance.

Core capabilities

  • Script analysis and linting: Detects risky SQL patterns, deprecated syntax, and potential performance issues.
  • Schema and data validation: Verifies that changes meet expected schema definitions and data integrity rules.
  • Change management workflows: Supports approvals, sign-offs, and versioned change records.
  • Audit trail: Immutable logs capture who changed what, when, and why, enabling post hoc investigations.
  • Compliance mapping: Built-in references to COBIT, SOX, GDPR, ITIL, and related controls with customizable policy sets.
  • Sandbox testing: Safe execution environments to validate scripts before deployment.
  • Deployment orchestration: Coordinated deployments with rollback support and release tracking.
  • Static analysis and risk detection: Comprehensive checks that catch common SQL risk patterns.
  • SQL Server focus: Tight integration with SQL Server environments and related tooling.
  • WPF UI and CLI: Multiple ways to interact with the platform for different workflows.

How it works

  • Authoring: A developer writes a SQL script in the editor or imports an existing script.
  • Analysis: The static analysis engine runs a set of rules against the script to surface warnings and potential issues.
  • Validation: The script is checked against defined schemas, dependencies, and business rules.
  • Sandbox test: The script runs in a sandbox to observe behavior and ensure it does not cause unintended side effects.
  • Approval: Stakeholders review and approve the change through a structured workflow.
  • Deployment planning: A deployment plan is generated, detailing steps, environments, and rollback options.
  • Deployment: The script is applied to target databases following the plan.
  • Auditing: Every action is recorded in an auditable log with user identities, timestamps, and artifact references.
  • Compliance reporting: The system can generate reports aligning to governance frameworks and internal policies.

System architecture

  • Client layer: A responsive WPF application for Windows that provides a rich user experience for editors, reviewers, and operators.
  • Core engine: The static analysis, validation, sandbox execution, and policy engine. This is the heart of the system, designed for deterministic behavior and repeatability.
  • Orchestration layer: Deployment orchestration, environment management, and release workflows. This layer coordinates actions across databases and environments.
  • Audit and policy store: A secure data store for audit trails, policy definitions, and compliance mappings. It ensures traceability and supports regulatory reporting.
  • Integrations: Connectors to SQL Server and external systems (CI/CD pipelines, ticketing systems, and cloud database services) to streamline workflows.
  • Security and secrets: Centralized secret management and role-based access controls to ensure least privilege and data protection.
  • Sandbox and testing environments: Isolated instances or containers where scripts can be executed safely without affecting production data.

Data model and audit trail

  • Script records: Versioned scripts with metadata such as author, creation date, change reason, and approval status.
  • Change requests: Each change passes through a request object with linked approvals and policy checks.
  • Audit events: Immutable events capturing actions like analysis results, validation outcomes, deployments, and rollbacks.
  • Policy definitions: Reusable policy blocks that encode governance expectations for various controls.
  • Compliance mappings: Linkage between controls and evidence for audits and regulatory requirements.
  • Environment records: Definitions for development, sandbox, staging, and production environments with topology and access rules.

Compliance alignment

  • COBIT: Control objectives mapped to policy checks and governance workflows. You’ll find risk management, control deployment, and monitoring hooks aligned with COBIT domains.
  • SOX: Change management and access controls are anchored to SOX-like requirements, with evidence preserved for audits.
  • GDPR: Data governance and privacy considerations are supported by access controls, data minimization rules, and audit capabilities that help demonstrate compliance.
  • ITIL: Incident, problem, and change management practices are reflected in the lifecycle tooling, with clear ticketing and service-wide visibility.
  • Sandbox-testing safety: The sandbox capability supports risk-based testing for regulated environments, allowing controlled experiments before production deployment.

Security and governance

  • Access control: Role-based access to different components of the tool, with strict separation of duties.
  • Auditability: All actions are captured with sufficient detail to support investigations, with tamper-evident logging concepts.
  • Secrets management: Secrets are stored securely and accessed through integrated vaults or secure stores.
  • Data protection: Encryption in transit and at rest, with careful handling of sensitive metadata and identifiers.
  • Compliance-first design: The architecture encourages policy-driven operations and auditable evidence for governance reviews.

Getting started Requirements

  • Windows 10 or newer for the WPF UI, with strong preference for Windows environments where SQL Server is hosted.
  • .NET runtime compatible with the WPF application (the project targets a modern .NET platform for reliability and performance).
  • Access to SQL Server instances for testing and deployment (development, sandbox, and production environments).
  • A source control workflow to manage SQL scripts and policy definitions.
  • Optional: CI/CD tooling integration for automated script validation and deployment triggers.

Installation

  • The standard installation path uses the Windows installer found on the releases page. From the releases page, download and run the installer named SQL-Change-Guard-Setup-1.0.0-windows.exe to install the WPF client and the core services.
  • The installer configures the local client, connects to the audit and policy store, and prepares sandbox environments if available.
  • After installation, launch the UI from the Start Menu. The first run may prompt you to configure a connection to your policy and audit stores.
  • If you prefer a programmatic setup, you can build from source and deploy the core services to your server environment. See the developer guide for build steps and environment configuration.

Quick start guide

  • Create a new project: Define the scope, environments, and policy baseline. This sets up your governance envelope.
  • Add scripts: Import SQL scripts or write new ones. Attach metadata like purpose, owner, and impact assessment.
  • Run analysis: Execute static checks to surface issues and optimization opportunities.
  • Validate changes: Run schema validation, dependency checks, and business rule validation.
  • Sandbox test: Execute the script in a sandbox to observe behavior and verify results.
  • Get approvals: Route the change through the approval workflow and attach evidence from analysis and tests.
  • Plan deployment: Generate a deployment plan with timing, environment mapping, and rollback steps.
  • Deploy and audit: Apply the change to the target environment and log all actions for traceability.
  • Review reports: Generate compliance and governance reports for internal controls and external audits.

Using the UI

  • The dashboard gives you a high-level view of ongoing changes, pending approvals, and recent activity.
  • The Script Editor supports syntax highlighting, inline validation hints, and quick fixes for common issues.
  • The Policy Studio lets you define rules and control objectives aligned with governance frameworks.
  • The Sandbox Console provides an isolated workspace to execute tests and observe outcomes.
  • The Deployment Planner offers a visual representation of release steps, environments, and rollback paths.
  • The Audit Console shows the full audit trail with search, filters, and export options.

Using the CLI and automation

  • The CLI enables automation for analysis, validation, and deployment tasks.
  • You can script common workflows, integrate with CI/CD pipelines, and push changes from version control to the deployment environment.
  • Typical commands include: analyze, validate, test-sandbox, plan-deploy, execute-deploy, and export-audit.
  • Automation recipes support fail-fast behavior when checks fail or when approvals are missing.

Sandbox testing and safe deployments

  • Sandbox environments replicate production schemas and data shapes without exposing real data.
  • Running scripts in a sandbox allows you to confirm behavioral changes, measure performance, and catch issues early.
  • Safe deployment workflows ensure that a rollback plan is automatically activated if a deployment encounters errors.

Script analysis and validation rules

  • Static checks: Look for dangerous patterns, such as unbounded DDL statements, missing transactions, or implicit data conversions.
  • Style and quality: Enforce naming conventions, consistent indentation, and comment coverage.
  • Dependency checks: Ensure referenced objects exist and that object dependencies are satisfied.
  • Performance checks: Flag long-running queries, missing indexes, and suboptimal query patterns.
  • Security checks: Detect risky privileges, insecure dynamic SQL usage, and potential injection vectors.
  • Validation against policy: Each script must conform to policy rules before it can proceed to deployment.

Script lifecycle and versioning

  • Each script passes through a lifecycle: draft, analyzed, validated, approved, deployed, and archived.
  • Versioning is applied to scripts and to change requests, ensuring traceability across iterations.
  • Audit trails capture the lineage, including who approved what and when.

Deployment scenarios

  • Single environment deployment: Move a script from development to staging and then to production with approvals at each step.
  • Parallel deployments: Roll out separate scripts to different environments concurrently when there is no cross-dependency.
  • Rollback and recovery: If a deployment fails, a rollback plan can be executed automatically with full audit coverage.
  • Cloud and on-prem: The deployment orchestration supports both on-prem SQL Server instances and cloud-hosted resources.

Extensibility and plugins

  • The platform is designed to accept plugins that add new analysis rules, new validation checks, or new deployment strategies.
  • A plugin API lets teams customize governance controls without changing core code.
  • Community and enterprise plugins can be shared to promote best practices and reuse.

Testing and quality assurance

  • Unit tests cover the core analysis and validation engine logic.
  • Integration tests verify end-to-end workflows, including UI flows, CLI commands, and deployment paths.
  • End-to-end tests simulate real-world change scenarios with sandbox execution and audit checks.
  • Performance tests evaluate analysis time and deployment latency under typical workloads.

Local development and contribution

  • The repository supports building the core services and the WPF client locally.
  • Run the analyzer in a local test environment to verify changes before submitting a pull request.
  • Contribute new rules, policy templates, and deployment strategies to extend the platform.
  • Follow the contribution guide to set up the development environment, run tests, and submit changes.

Documentation and help resources

  • User guide: Step-by-step instructions for common workflows, including auditing a change, validating scripts, and deploying changes to environments.
  • Developer guide: Architecture overview, API references, plugin development, and contribution instructions.
  • API references: If exposed, you’ll find endpoints and client libraries to interact with the platform programmatically.
  • Release notes: Details about new features, fixes, and breaking changes for each release.

Release management and maintenance

  • Planned releases include new analysis rules, policy templates, and deployment features.
  • Security patches are addressed promptly, with advisories posted in the release notes.
  • Compatibility notes describe how upgrades affect existing projects and policies.

Releases and downloads

  • The primary download point is the releases page. From the releases page, download and run the Windows installer SQL-Change-Guard-Setup-1.0.0-windows.exe to install the client and core services.
  • You can browse the releases page for other assets, including additional installers, sample scripts, and policy templates.
  • The same link is provided again here for convenience: https://github.com/Samo26/SQL-Change-Guard/releases

FAQ

  • What databases does SQL Change Guard support?
    • The platform centers on SQL Server deployments and standardizes processes for governance across SQL Server environments. It can be extended to other engines via plugins and adapters.
  • How does it ensure data safety?
    • It uses sandbox testing to validate changes before production deployment, and all actions are logged for auditability.
  • Can I customize the governance rules?
    • Yes. Policy definitions and rule sets can be edited, extended, and tied to specific compliance frameworks.
  • Is there any onboarding assistance?
    • The project provides onboarding guides, sample policies, and templates to help teams start quickly.

Contributing

  • We welcome contributions that improve analysis rules, policy templates, or deployment workflows.
  • Please read the contributor guide for information about the code of conduct, repository rules, and how to submit pull requests.
  • Before contributing, run local tests and ensure changes align with the project’s governance and quality standards.

License and credits

  • The project is released under a permissive license intended for enterprise use with appropriate attribution.
  • Credits go to stakeholders who contributed to the design of governance capabilities and the alignment with industry standards.

Support and community

  • For questions and discussions, open issues on the repository.
  • Look for community channels listed in the support section of the documentation.

Notes and additional context

  • This README emphasizes the governance and compliance angle, with emphasis on auditability, policy enforcement, and safe deployment practices.
  • It highlights the relationship to COBIT, SOX, GDPR, and ITIL controls, and it explains how sandbox testing and validation support risk management.
  • It also reinforces the practical steps needed to get started, including how to obtain the installer from the releases page and how to proceed with a quick start.

Architecture snapshot

  • A compact textual diagram of the main components in the system helps you understand the data and control flow.

    Client UI (WPF) | Core Analysis & Validation Engine | Sandbox Execution Environment | Deployment Orchestrator | Target SQL Server Instances | Audit Trail & Policy Store | Compliance Reporting & Governance

  • This layout helps you reason about responsibilities and dependencies, and it clarifies where to extend functionality with new rules or integrations.

Security best practices (brief)

  • Use least privilege for service accounts used by the deployment orchestrator.
  • Centralize secrets and rotate them regularly.
  • Keep an immutable audit log and protect log integrity with tamper-evident mechanisms.
  • Enforce strict approval workflows and enforce role-based access controls in the UI and CLI.
  • Regularly update the tool and its plugins to receive security fixes and policy updates.

If you need more detail on any area, you can explore the Developer Guide, the Policy Studio documentation, and the Deployment Planner reference within the UI. The project is designed to scale with enterprise needs, while keeping the user experience straightforward for daily governance tasks.

Releases

End of document.

About

SQL Change Guard 🐙 is a secure, auditable SQL change tool for orgs. It validates, approves, and executes scripts with COBIT/ITIL workflows and audit trails.

Topics

sql-server static-analysis compliance enterprise-software itil sql-script wpf-application cobit database-deployment data-governance database-security script-analysis sox-compliance gdpr-compliance sql-validation sandbox-testing sql-auditing sql-risk-detection

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •