Everything you need to secure a data pipeline in CI
Veric is a batteries-included static analyzer for dbt and warehouse SQL. Each feature links into the docs so you can see exactly which rules fire and why.
PII & PHI lineage
Tracks classifier tags across joins, CTEs, and dbt refs. Alerts when sensitive columns leak into public models.
Cardinality contracts
Detects unintended fan-out in joins. Fails fast on many-to-many joins that should have been many-to-one.
LLM-generated SQL guardrails
Flags when model outputs flow into DML or unsafe string concatenation. Specifically targets AI-generated code paths.
User-tainted-input tracking
Conservative taint propagation from API inputs through SQL expressions. Catches SQL injection in data apps.
Attribute-grammar engine
Unlike lint-style checkers, Veric types your SQL with attributes that cross file and ref boundaries.
SARIF + GitHub code scanning
First-class SARIF output. Shows as code-scanning alerts in GitHub Security with zero glue.
dbt-native
Understands `ref()`, `source()`, dbt tests, seeds, snapshots, and the manifest graph. No rewrites needed.
Contract diffs
Warns when a PR breaks a column contract that downstream consumers depend on. `veric diff` prints the blast radius.