Everything you need to secure a data pipeline in CI
Veric is a batteries-included static analyzer for dbt and warehouse SQL. Each feature links into the docs so you can see exactly which rules fire and why.
PII & PHI lineage
Track classifier tags across joins, CTEs, and dbt refs. Alerts when sensitive columns leak into public models.
Cardinality contracts
Detect unintended fan-out in joins. Fails fast on many-to-many joins that should have been many-to-one.
LLM-generated SQL guardrails
Flags when model outputs flow into DML or unsafe string concatenation. Specifically targets AI-generated code paths.
User-tainted-input tracking
Conservative taint propagation from API inputs through SQL expressions. Catches SQL injection in data apps.
Attribute-grammar engine
Unlike lint-style checkers, Veric types your SQL with attributes that cross file and ref boundaries.
SARIF + GitHub code scanning
First-class SARIF output. Shows as code-scanning alerts in GitHub Security with zero glue.
dbt-native
Understands `ref()`, `source()`, dbt tests, seeds, snapshots, and the manifest graph. No rewrites needed.
Contract diffs
Warn when a PR breaks a column contract downstream consumers depend on. `veric diff` prints the blast radius.