# PostgreSQL plugin

Push your PostgreSQL schema to Panache for RLS coverage, grant audits, and dangerous-role detection. Works with Drizzle, Prisma, or any pg_dump.
## When to use
Use @withpanache/postgres when you want Panache to audit your PostgreSQL schema for security weaknesses:

- Tables without RLS policies in a multi-tenant context.
- Overly broad GRANT statements.
- Dangerous roles (SUPERUSER, BYPASSRLS, CREATEROLE) on app-tier accounts.
- Sensitive columns without explicit access control.

It works from any CI/CD pipeline that can produce the schema DDL: Drizzle (`drizzle-kit export`), Prisma (`prisma migrate diff`), or raw `pg_dump --schema-only`.
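To make the four checks above concrete, here is an added example (not the plugin's code) of what such an audit looks at: a small TypeScript pass over pg_dump-style DDL that flags tables without an RLS policy, `GRANT ALL` / `TO PUBLIC` statements, SUPERUSER/BYPASSRLS/CREATEROLE on roles, and sensitive columns reachable through table- or schema-wide grants. The rule set, the sensitive-column list and the sample DDL are constructed for this illustration and approximate, rather than reproduce, Panache's rules.

```typescript
// Added example (not Panache's code): a stand-alone audit of pg_dump-style DDL
// approximating the four checks listed above. The rule set is an assumed
// heuristic, not the plugin's real rules, and SAMPLE_DDL is constructed.
interface Finding { rule: "missing-rls" | "broad-grant" | "dangerous-role" | "sensitive-column"; object: string; detail: string }
const SENSITIVE = /^(ssn|password|password_hash|card_number|api_key|secret)$/i; // assumed list
// \b keeps the NOSUPERUSER / NOBYPASSRLS forms from matching.
const DANGEROUS = /\b(SUPERUSER|BYPASSRLS|CREATEROLE)\b/gi;
const NOT_A_COLUMN = /^(CONSTRAINT|PRIMARY|UNIQUE|FOREIGN|CHECK|EXCLUDE|LIKE)$/i;

// Lower-case, drop quotes, default the schema to public: "users", "public"."users"
// and public.users all compare equal.
function normalize(name: string): string {
  const n = name.replace(/"/g, "").toLowerCase();
  return n.indexOf(".") === -1 ? "public." + n : n;
}

// Split a CREATE TABLE body on commas outside parentheses, so numeric(10,2)
// or REFERENCES t(id) stays inside one definition.
function splitTopLevel(body: string): string[] {
  const out: string[] = [];
  let depth = 0, cur = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body.charAt(i);
    if (ch === "(") depth++;
    else if (ch === ")") depth--;
    if (ch === "," && depth === 0) { out.push(cur); cur = ""; } else cur += ch;
  }
  if (cur.trim()) out.push(cur);
  return out;
}
function auditDdl(ddl: string): Finding[] {
  const findings: Finding[] = [];
  const tables: Record<string, string> = {};            // table -> column block
  const rlsOn: Record<string, boolean> = {}, hasPolicy: Record<string, boolean> = {};
  const tableWideGrant: Record<string, boolean> = {};   // GRANT with no column list
  const schemaWideGrant: Record<string, boolean> = {};  // GRANT ... ON ALL TABLES IN SCHEMA
  // Drop -- comments and split on ';' (fine for dump output; ';' or '--' inside
  // string literals would need a real tokenizer).
  const statements = ddl.replace(/--[^\n]*/g, "").split(";");
  for (let i = 0; i < statements.length; i++) {
    const stmt = statements[i].trim();
    const table = stmt.match(/^CREATE TABLE (?:IF NOT EXISTS )?([\w".]+)\s*\(([\s\S]*)\)\s*$/i);
    if (table) { tables[normalize(table[1])] = table[2]; continue; }
    const rls = stmt.match(/^ALTER TABLE (?:ONLY )?([\w".]+)\s+ENABLE ROW LEVEL SECURITY/i);
    if (rls) { rlsOn[normalize(rls[1])] = true; continue; }
    const policy = stmt.match(/^CREATE POLICY \S+ ON ([\w".]+)/i);
    if (policy) { hasPolicy[normalize(policy[1])] = true; continue; }
    const grant = stmt.match(/^GRANT ([\s\S]+?) ON (?:TABLE )?([\s\S]+?) TO ([\s\S]+)$/i);
    if (grant) {
      const privs = grant[1], obj = grant[2].trim(), grantees = grant[3];
      const reasons: string[] = [];
      if (/\bALL\b/i.test(privs)) reasons.push("ALL privileges");
      if (/\bPUBLIC\b/i.test(grantees)) reasons.push("granted to PUBLIC");
      if (reasons.length) findings.push({ rule: "broad-grant", object: obj, detail: reasons.join(", ") });
      const schema = obj.match(/^ALL TABLES IN SCHEMA ([\w"]+)/i);
      if (schema) schemaWideGrant[schema[1].replace(/"/g, "").toLowerCase()] = true;
      else if (!/^(SCHEMA|SEQUENCE|FUNCTION|DATABASE|ALL )/i.test(obj) && privs.indexOf("(") === -1) tableWideGrant[normalize(obj)] = true;
      continue;
    }
    const role = stmt.match(/^(?:CREATE|ALTER) (?:ROLE|USER) ([\w"]+)\s*(?:WITH\s+)?([\s\S]*)$/i);
    if (!role) continue;
    const hits = role[2].match(DANGEROUS) || [];
    for (let h = 0; h < hits.length; h++) findings.push({ rule: "dangerous-role", object: role[1].replace(/"/g, ""), detail: hits[h].toUpperCase() });
  }
  const names = Object.keys(tables);
  for (let j = 0; j < names.length; j++) {
    const t = names[j];
    if (!rlsOn[t]) findings.push({ rule: "missing-rls", object: t, detail: "no ENABLE ROW LEVEL SECURITY" });
    else if (!hasPolicy[t]) findings.push({ rule: "missing-rls", object: t, detail: "RLS enabled but no CREATE POLICY" });
    // A sensitive column counts as unprotected when a table- or schema-wide GRANT
    // reaches it; column-scoped grants are the "explicit" control here.
    const exposed = tableWideGrant[t] || schemaWideGrant[t.split(".")[0]];
    const defs = splitTopLevel(tables[t]);
    for (let k = 0; k < defs.length; k++) {
      const col = defs[k].trim().split(/\s+/)[0].replace(/"/g, "");
      if (exposed && col && !NOT_A_COLUMN.test(col) && SENSITIVE.test(col)) {
        findings.push({ rule: "sensitive-column", object: t + "." + col, detail: "reachable through a table- or schema-wide GRANT" });
      }
    }
  }
  return findings;
}

// Constructed sample schema, not a real project's DDL.
const SAMPLE_DDL = [
  "CREATE ROLE app_rw WITH LOGIN BYPASSRLS;",
  "CREATE ROLE app_ro WITH LOGIN NOSUPERUSER NOBYPASSRLS;",
  "CREATE TABLE public.tenants (id uuid PRIMARY KEY, name text NOT NULL);",
  "CREATE TABLE public.users (id uuid PRIMARY KEY, tenant_id uuid NOT NULL REFERENCES public.tenants(id),",
  "  email text NOT NULL, password_hash text NOT NULL, balance numeric(10,2) DEFAULT 0);",
  "ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;",
  "CREATE POLICY tenant_isolation ON public.users USING (tenant_id = current_setting('app.tenant_id')::uuid);",
  "GRANT ALL ON ALL TABLES IN SCHEMA public TO PUBLIC;",
  "GRANT SELECT (id, email) ON public.users TO app_ro;",
].join("\n");

console.log(JSON.stringify(auditDdl(SAMPLE_DDL), null, 2));
```

On the sample, `auditDdl` reports `app_rw` for BYPASSRLS, the schema-wide `GRANT ALL ... TO PUBLIC`, `public.tenants` for having no row-level security, and `public.users.password_hash` as reachable through that schema-wide grant; `public.users` itself passes because it has both RLS enabled and a policy. Because the function returns structured findings, a CI step can fail on some rules and only warn on others. The parsing is regex-based and deliberately limited to dump-style output: it is a readable illustration of the checks, not a substitute for the hosted audit.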
## Installation
Add the CLI as a dev dependency, or invoke it ad hoc via npx:

```bash
npm install --save-dev @withpanache/postgres
# or
pnpm add -D @withpanache/postgres

# Ad hoc, no install:
npx @withpanache/postgres push --from drizzle
```

## Drizzle project
Auto-detects a Drizzle project by walking up from the current directory looking for `drizzle.config.{ts,js,mjs,cjs}` and `drizzle-kit` in package.json. Runs `drizzle-kit export --dialect=postgresql` and pushes the output.
```bash
export PANACHE_SITE_TOKEN=pnch_xxxxxxxx
npx @withpanache/postgres push --from drizzle
```

## Prisma project
Auto-detects a Prisma project by walking up looking for `prisma/schema.prisma` (or `schema.prisma`) and `prisma`/`@prisma/client` in package.json. Runs `prisma migrate diff --from-empty --to-schema-datamodel <schema> --script` and pushes the output.
```bash
export PANACHE_SITE_TOKEN=pnch_xxxxxxxx
npx @withpanache/postgres push --from prisma
```

## Raw SQL file
Pass `--schema <file>` to read DDL from a SQL file. Useful for projects that maintain a hand-written `schema.sql`, or to push a `pg_dump` artifact captured earlier in the pipeline.
```bash
npx @withpanache/postgres push --schema ./db/schema.sql
```

## Pipe from stdin
If neither `--from` nor `--schema` is provided, the CLI reads DDL from stdin. This is the recommended pattern for raw `pg_dump`:

```bash
pg_dump --schema-only "$DATABASE_URL" | \
  npx @withpanache/postgres push --token "$PANACHE_SITE_TOKEN"
```

## Limits
The Panache ingest API enforces a 2 MB upper bound on the DDL body; larger schemas are rejected with an explicit error. If your schema exceeds the limit, split it into multiple sites or open an issue to raise the bound.

The schema feature must be enabled in the Panache dashboard for each site before the first push (Settings > Databases). Pushes before activation are rejected with a 403.
## Library mode
The same logic is exposed as a TypeScript library for use in custom build pipelines or Node scripts (the snippet uses top-level `await`, so run it as an ES module):

```ts
import { pushSchema, generateSchemaFromDrizzle } from "@withpanache/postgres"

// Locate the Drizzle project from the working directory and export its DDL.
const schema = generateSchemaFromDrizzle(process.cwd())
if (!schema) throw new Error("no Drizzle project")

// Push the DDL with CI metadata so findings can be tied to a commit and branch.
const result = await pushSchema({
  token: process.env.PANACHE_SITE_TOKEN!,
  ddl: schema.ddl,
  metadata: {
    orm: "drizzle",
    ormVersion: schema.ormVersion,
    gitSha: process.env.GITHUB_SHA,
    branch: process.env.GITHUB_REF_NAME,
  },
})
if (!result.ok) console.error("push failed:", result.error)
```

## All CLI options
The full reference. Every flag below has an env var equivalent (PANACHE_*) — prefer env vars in CI to keep tokens out of `ps aux`.
```text
panache-postgres push [options]

INPUT (pick one)
  --schema <file>       Read DDL from a SQL file
  --from drizzle        Auto-detect a Drizzle project
  --from prisma         Auto-detect a Prisma project
  (stdin)               Read from stdin if no flag is set

AUTH
  --token <token>       Site token (or PANACHE_SITE_TOKEN env var)

METADATA
  --api-url <url>       Override the ingest API URL
  --orm <name>          Informational label ("drizzle", "prisma", "pg-dump")
  --git-sha <sha>       Git commit SHA
  --branch <name>       Git branch name
  --preview-url <url>   Preview deployment URL
```

## Exit codes
The CLI uses distinct exit codes so CI scripts can react appropriately:

| Exit | Meaning |
|---|---|
| 0 | Success. |
| 1 | Push failed (network, 4xx/5xx, validation). |
| 2 | Invalid arguments or missing inputs. |
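Tying together the library-mode call, the 2 MB ingest bound and this exit-code convention, here is an added example (not Panache's code) of a CI script built around `pushSchema`: it preflights the token and the DDL size locally, assembles metadata from the `GITHUB_SHA` / `GITHUB_REF_NAME` variables used in the library example, and maps the outcome to exit 0, 1 or 2. The push function is injected so the constructed stub `offlinePush` (which imitates the 403 for a site without the schema feature enabled) can stand in for `pushSchema` offline; the `PushInput` / `PushResult` shapes are assumed from the call shown under Library mode, not taken from the package's own type definitions, and "2 MB" is read as 2 × 1024 × 1024 bytes.

```typescript
// Added example (not Panache's code): a CI wrapper around library mode that
// preflights the inputs and maps outcomes to the CLI's exit-code convention.
// The push function is injected so the script runs offline; in a real pipeline
// pass `pushSchema` from "@withpanache/postgres". PushInput/PushResult mirror
// the call shown under "Library mode"; the package's own type names are assumed.
interface PushInput {
  token: string;
  ddl: string;
  metadata: { orm: string; ormVersion?: string; gitSha?: string; branch?: string };
}
interface PushResult { ok: boolean; error?: string }
type PushFn = (input: PushInput) => Promise<PushResult>;
type Env = { [name: string]: string | undefined };
interface Outcome { code: number; message: string }

// The ingest API's "2 MB" bound, read here as 2 MiB (assumption).
const MAX_DDL_BYTES = 2 * 1024 * 1024;
// Same codes the CLI uses, so this script can stand in for it in CI.
const EXIT_OK = 0, EXIT_PUSH_FAILED = 1, EXIT_BAD_INPUT = 2;

// Byte length of the UTF-8 body the API will see; string length would
// undercount non-ASCII comments or identifiers.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { bytes += 4; i++; } // surrogate pair
    else bytes += 3;
  }
  return bytes;
}

// Local checks that would otherwise surface as a usage error or a rejected push.
// Returns either the ready-to-send input or the outcome to fail with.
function preflight(env: Env, ddl: string, orm: string): { input?: PushInput; fail?: Outcome } {
  const token = env.PANACHE_SITE_TOKEN;
  if (!token) return { fail: { code: EXIT_BAD_INPUT, message: "PANACHE_SITE_TOKEN is not set" } };
  if (!ddl.trim()) return { fail: { code: EXIT_BAD_INPUT, message: "no DDL on input" } };
  const size = utf8ByteLength(ddl);
  if (size > MAX_DDL_BYTES) {
    return { fail: { code: EXIT_PUSH_FAILED, message: "DDL is " + size + " bytes, over the " + MAX_DDL_BYTES + "-byte ingest bound" } };
  }
  return {
    input: {
      token,
      ddl,
      // GITHUB_SHA / GITHUB_REF_NAME are the GitHub Actions variables used in
      // the library example; other CI systems expose different names.
      metadata: { orm, gitSha: env.GITHUB_SHA, branch: env.GITHUB_REF_NAME },
    },
  };
}

function outcomeFor(result: PushResult, sentBytes: number): Outcome {
  if (!result.ok) return { code: EXIT_PUSH_FAILED, message: "push failed: " + (result.error || "unknown error") };
  return { code: EXIT_OK, message: "pushed " + sentBytes + " bytes of DDL" };
}

async function runPush(env: Env, ddl: string, orm: string, push: PushFn): Promise<Outcome> {
  const pre = preflight(env, ddl, orm);
  if (pre.fail) return pre.fail;
  const input = pre.input as PushInput; // set whenever preflight did not fail
  const result = await push(input);
  return outcomeFor(result, utf8ByteLength(input.ddl));
}

// Constructed stand-in for pushSchema so the script runs offline. It imitates
// the 403 the ingest API returns when the schema feature is not enabled for
// the site; the token value and error text are made up.
const offlinePush: PushFn = async (input) =>
  input.token === "pnch_enabled" ? { ok: true } : { ok: false, error: "403: schema feature not enabled for this site" };

runPush({ PANACHE_SITE_TOKEN: "pnch_enabled", GITHUB_SHA: "deadbeef" }, "CREATE TABLE t (id int);", "pg-dump", offlinePush)
  .then((o) => console.log("exit " + o.code + ": " + o.message));
```

In a real pipeline the last call becomes `runPush(process.env, ddl, "pg-dump", pushSchema)` followed by `process.exit(outcome.code)`, with the DDL read from stdin or a file as in the CLI flows above. Keeping `preflight` and `outcomeFor` pure makes the exit-code mapping unit-testable without a network, which is the main reason to prefer library mode over shelling out to the CLI in a custom pipeline.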
## Need help?
If you have questions about the PostgreSQL plugin or need assistance, reach out at hello@withpanache.dev