Security & Credentials
Never Use Production Databases
SqlProof generates data, creates temporary state, and may replay schema DDL. Always point it at a dedicated test database or disposable container.
| Mode | Risk level | Notes |
|---|---|---|
| Testcontainers | None | Fully isolated throwaway database |
| Connection string | Low when configured safely | Use staging or a restricted role |
Use Environment Variables
Never hardcode credentials:
```bash
export DATABASE_URL=postgresql://sqlproof_test:password@localhost:5432/testdb
```

```python
import os
from sqlproof import SqlProof

proof = SqlProof.from_connection_string(os.environ["DATABASE_URL"])
```

Keep .env files out of git.
Minimal Database Role
When using a connection string, create a role scoped to the test database:
```sql
CREATE ROLE sqlproof_test LOGIN PASSWORD 'strong-password';
GRANT CONNECT ON DATABASE testdb TO sqlproof_test;
GRANT CREATE ON DATABASE testdb TO sqlproof_test;
```

Do not grant SUPERUSER or point SqlProof at production credentials.
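As an added example (not part of SqlProof or its documentation), a pre-flight check that reads `DATABASE_URL` and refuses any target that does not look like the dedicated test database and restricted role described on this page. The allowlists, the marker strings, and the names `check_test_target`, `load_test_database_url` and `UnsafeTargetError` are assumptions made for this example.

```python
import os
from urllib.parse import urlsplit

# Assumed policy values for this example; adjust to your environment.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
ALLOWED_DATABASES = {"testdb"}
FORBIDDEN_ROLES = {"postgres", "root", "admin"}
PROD_MARKERS = ("prod", "live")


class UnsafeTargetError(RuntimeError):
    """Raised when the connection string does not look like a test target."""


def check_test_target(url: str) -> list[str]:
    """Return the policy violations for a PostgreSQL URL (empty list = OK)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    user = (parts.username or "").lower()
    database = parts.path.lstrip("/").lower()
    problems = []
    if parts.scheme not in ("postgresql", "postgres"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if host not in ALLOWED_HOSTS:
        problems.append(f"host {host!r} is not an allowed test host")
    if database not in ALLOWED_DATABASES:
        problems.append(f"database {database!r} is not an allowed test database")
    if not user or user in FORBIDDEN_ROLES:
        problems.append(f"role {user!r} is missing or a known admin role")
    if any(m in host or m in database for m in PROD_MARKERS):
        problems.append("host or database name contains a production marker")
    return problems


def load_test_database_url(env=os.environ) -> str:
    """Read DATABASE_URL from the environment and refuse unsafe targets."""
    url = env.get("DATABASE_URL")
    if not url:
        raise UnsafeTargetError("DATABASE_URL is not set")
    problems = check_test_target(url)
    if problems:
        # Report the violations only; never echo the URL, it holds the password.
        raise UnsafeTargetError("; ".join(problems))
    return url
```

Pass the returned value to `SqlProof.from_connection_string` in place of reading `os.environ["DATABASE_URL"]` directly.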