AI-powered SQL & dbt code review for every pull request.
Altimate Code Actions brings production-grade SQL analysis, dbt impact assessment, query cost estimation, and PII detection directly into your GitHub pull request workflow. Every SQL change gets reviewed automatically before it merges.
With version: 2 in your .altimate.yml, the action delegates all static checks to the altimate-code CLI. This unlocks 40+ capabilities across 7 check categories:
| Category | Checks | Description |
|---|---|---|
| Lint | 26 rules (L001-L026) | AST-level SQL anti-pattern detection |
| Validate | SQL parsing | DataFusion-based syntax validation |
| Safety | Injection, destructive ops | SQL injection vectors, privilege escalation |
| Policy | Custom guardrails | Block patterns, require standards, enforce governance |
| PII | 15 categories | Column, literal, and comment scanning |
| Semantic | Schema-aware | Join correctness, type mismatches, missing columns |
| Grade | Quality scoring | Letter grades (A-F) per file |
V2 is fully backward compatible. If the CLI is not installed, the action falls back to built-in regex rules automatically.
# Quick start with v2
version: 2
checks:
lint:
enabled: true
safety:
enabled: true
validate:
enabled: trueSee V2 Configuration Reference and Migration Guide for details.
| Capability | Description | |
|---|---|---|
| ⚡ | Executive Summary | One-line scope, impact, cost, and severity overview at the top of every review |
| 🔍 | SQL Quality Analysis | 26 lint rules + safety + validation + policy enforcement (v2) or 19 regex rules (v1) |
| 🌳 | dbt Impact Analysis | Maps changed models to downstream dependencies, exposures, and tests in your dbt DAG |
| 🗺️ | Mermaid DAG Visualization | Colored dependency graph rendered inline using GitHub-native Mermaid |
| 💰 | Cost Estimation | Estimates query cost deltas so you catch expensive changes before they hit production |
| 🛡️ | PII Detection | Identifies personally identifiable information across 15 categories to prevent data leaks |
| 🔒 | Policy Enforcement | Custom organizational guardrails via .altimate-policy.yml (v2) |
| 💬 | Inline Comments | Critical issues posted directly on diff lines for faster triage |
| 🎮 | Interactive Commands | @altimate review, @altimate impact, @altimate cost, @altimate help in PR comments |
No API key needed. Catches SQL anti-patterns, schema breaking changes, and PII exposure.
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: staticAdd an LLM for deeper analysis:
- uses: AltimateAI/altimate-code-actions@v0
with:
model: anthropic/claude-haiku-4-5-20251001
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}Add this workflow to your repository at .github/workflows/altimate-review.yml:
name: Altimate Code Review
on:
pull_request:
types: [opened, synchronize]
permissions:
pull-requests: write
contents: read
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: static
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}That is it. Open a PR that touches .sql files and Altimate will post a review comment.
When Altimate reviews your pull request, it posts a compact, structured comment like this:
## Altimate Code Review
**3 files · 5 issues (1 error) · impact 42/100 · +$6.30/mo**
| File | Line | Rule | Message | Fix |
|------|------|------|---------|-----|
| stg_orders.sql | 14 | no-select-star | Avoid SELECT * | Enumerate columns explicitly |
<details><summary>:warning: Warnings (2)</summary>
| File | Line | Rule | Message | Fix |
|------|------|------|---------|-----|
| fct_revenue.sql | 27 | missing-where | DELETE without WHERE | Add a WHERE clause |
| fct_revenue.sql | 53 | implicit-join | Comma join detected | Use explicit JOIN syntax |
</details>
<details><summary>:blue_circle: Info (2)</summary>
| File | Line | Rule | Message | Fix |
|------|------|------|---------|-----|
| stg_users.sql | 8 | pii-detected | Column `email` may contain PII | Mask or exclude from SELECT |
| stg_users.sql | 9 | pii-detected | Column `phone` may contain PII | Mask or exclude from SELECT |
</details>
### Blast Radius
```mermaid
graph LR
stg_orders:::changed --> dim_customers
stg_orders:::changed --> rpt_daily_revenue --> Revenue_Dashboard:::exposure
fct_revenue:::changed --> rpt_daily_revenue
fct_revenue:::changed --> Executive_KPI_Report:::exposure
classDef changed fill:#f96,stroke:#333
classDef exposure fill:#69f,stroke:#333
7 tests cover modified or downstream models
| Model | Before | After | Delta | Root Cause |
|---|---|---|---|---|
| fct_revenue | $12.40/mo | $18.70/mo | +$6.30/mo | Added full table scan |
Altimate Code · Docs · 19 rules
When `comment_mode: both` is configured, critical issues are also posted as inline review comments directly on the affected diff lines.
## Features
### Always-On (Static Analysis)
These checks run on every PR without any external credentials:
- **SELECT * detection** -- Flag wildcard selects that break downstream consumers
- **Missing WHERE clauses** -- Catch unfiltered UPDATE and DELETE statements
- **Implicit joins** -- Convert comma-separated joins to explicit JOIN syntax
- **Unused CTEs** -- Find common table expressions that are defined but never referenced
- **Ambiguous column references** -- Detect columns that could resolve to multiple tables
- **Duplicate column aliases** -- Catch conflicting column names in SELECT lists
- **ORDER BY in subqueries** -- Remove unnecessary sorting inside subqueries
- **UNION vs UNION ALL** -- Suggest UNION ALL when deduplication is not required
- **Cartesian joins** -- Warn on joins missing a join condition
- **Schema qualification** -- Require fully qualified table references
### dbt-Aware
Enable with `impact_analysis: true` when your repository contains a dbt project:
- **DAG impact mapping** -- Trace changes through the full dependency graph
- **Downstream model enumeration** -- List every model affected by the change
- **Exposure alerting** -- Flag when dashboards and reports are impacted
- **Test coverage check** -- Verify that affected models have test coverage
- **Impact scoring** -- Aggregate risk score from 0 to 100
- **Schema breaking change detection** -- Detect column renames and removals that break downstream
### Cost Intelligence
Enable with `cost_estimation: true` and warehouse credentials:
- **Before/after cost comparison** -- Estimate monthly cost before and after the change
- **Per-model cost deltas** -- Pinpoint which models drive cost increases
- **Aggregate cost summary** -- Total cost impact across the entire PR
### PII Detection
Enable with `pii_check: true`:
- Detects 15 PII categories: email, phone, SSN, credit card, IP address, date of birth, name, address, passport, driver license, national ID, bank account, health records, biometric data, geolocation
### Interactive Commands
When interactive mode is enabled, developers can trigger specific analyses by commenting on a PR:
| Command | Description |
|---------|-------------|
| `@altimate review` | Run full SQL quality review on the PR |
| `@altimate impact` | Run dbt DAG impact analysis only |
| `@altimate cost` | Run cost estimation only |
| `@altimate help` | Show available commands and configuration |
Configure trigger phrases with the `mentions` input (default: `@altimate,/altimate,/oc`).
## What Altimate Adds Beyond dbt Cloud
| Feature | dbt Cloud CI | Altimate Code (v1) | Altimate Code (v2) |
|---------|-------------|-------------------|-------------------|
| Slim CI (build changed models) | Yes | No (use dbt Cloud) | No (use dbt Cloud) |
| SQL anti-pattern detection | No | 19 regex rules | 26 AST-level lint rules |
| SQL syntax validation | No | No | Yes (DataFusion) |
| SQL injection detection | No | No | Yes |
| Policy enforcement | No | No | Yes (custom guardrails) |
| Impact blast radius in PR | Limited | Full DAG visualization | Full DAG visualization |
| Query cost estimation | No | Yes (Snowflake, BigQuery) | Yes (Snowflake, BigQuery) |
| PII detection | No | 15 categories (regex) | 15 categories (AST-aware) |
| Semantic analysis | No | No | Yes (schema-aware) |
| SQL quality grading | No | No | Yes (A-F grades) |
| Schema breaking changes | No | Yes | Yes |
| AI-powered review | No | Yes | Yes |
Altimate Code Actions and dbt Cloud CI are complementary. Use dbt Cloud for build/test orchestration and slim CI, and Altimate for deep SQL quality analysis, cost estimation, and PII detection on every pull request.
## Configuration
### Inputs
| Input | Type | Default | Description |
|-------|------|---------|-------------|
| `model` | string | `""` | AI model for analysis (e.g., `anthropic/claude-haiku-4-5-20251001`). Required for `ai` and `full` modes. |
| `mode` | string | `full` | Review mode: `static`, `ai`, or `full` |
| `sql_review` | boolean | `true` | Enable SQL quality analysis |
| `impact_analysis` | boolean | `true` | Enable dbt DAG impact analysis |
| `cost_estimation` | boolean | `false` | Enable query cost estimation |
| `pii_check` | boolean | `true` | Enable PII detection |
| `interactive` | boolean | `true` | Enable interactive mode (`/altimate` mentions in PR comments) |
| `mentions` | string | `/altimate,/oc` | Trigger phrases for interactive mode (comma-separated) |
| `dbt_project_dir` | string | *(auto-detect)* | Path to dbt project root |
| `dbt_version` | string | *(auto-detect)* | dbt version: `1.7`, `1.8`, or `1.9` |
| `manifest_path` | string | *(auto-detect)* | Path to dbt `manifest.json` |
| `warehouse_type` | string | | Warehouse type: `snowflake`, `bigquery`, `postgres`, `databricks`, `redshift` |
| `warehouse_connection` | string | | JSON warehouse connection config (alternative to env vars) |
| `max_files` | number | `50` | Maximum number of SQL files to analyze per PR |
| `severity_threshold` | string | `warning` | Minimum severity to include in review: `info`, `warning`, `error`, `critical` |
| `comment_mode` | string | `single` | Comment style: `single` (one summary comment), `inline` (per-line comments), `both` |
| `fail_on` | string | `none` | Fail the action when issues at this severity or above are found: `none`, `error`, `critical` |
### Outputs
| Output | Description |
|--------|-------------|
| `issues_found` | Total number of issues found |
| `impact_score` | dbt impact score (0-100), if impact analysis was enabled |
| `estimated_cost_delta` | Estimated monthly cost delta in USD, if cost estimation was enabled |
| `comment_url` | URL of the posted PR comment |
| `report_json` | Full review report as a JSON string |
### Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| `GITHUB_TOKEN` | Yes | GitHub token for PR comments and file access (provided automatically) |
| `ANTHROPIC_API_KEY` | For `ai`/`full` mode | API key for Claude models |
| `OPENAI_API_KEY` | For `ai`/`full` mode | API key for OpenAI models (alternative to Anthropic) |
| `SNOWFLAKE_ACCOUNT` | For Snowflake cost estimation | Snowflake account identifier |
| `SNOWFLAKE_USER` | For Snowflake cost estimation | Snowflake username |
| `SNOWFLAKE_PASSWORD` | For Snowflake cost estimation | Snowflake password |
| `BIGQUERY_CREDENTIALS` | For BigQuery cost estimation | GCP service account JSON |
## Workflow Examples
### Basic SQL Review
Static analysis only, no API keys required:
```yaml
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: static
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Use Claude for deeper analysis:
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: ai
model: anthropic/claude-haiku-4-5-20251001
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}- uses: AltimateAI/altimate-code-actions@v0
with:
mode: full
model: anthropic/claude-haiku-4-5-20251001
impact_analysis: true
dbt_project_dir: ./dbt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}- uses: AltimateAI/altimate-code-actions@v0
with:
mode: full
model: anthropic/claude-sonnet-4-20250514
impact_analysis: true
cost_estimation: true
pii_check: true
warehouse_type: snowflake
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}
SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}Let developers ask for reviews by commenting @altimate on a PR:
name: Altimate Interactive
on:
issue_comment:
types: [created]
permissions:
pull-requests: write
contents: read
jobs:
review:
if: contains(github.event.comment.body, '@altimate')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: AltimateAI/altimate-code-actions@v0
with:
interactive: true
mentions: "@altimate,@alt"
mode: full
model: anthropic/claude-sonnet-4-20250514
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}Only surface errors and critical issues, and fail the CI check:
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: static
severity_threshold: error
fail_on: error
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Post review comments directly on the changed lines:
- uses: AltimateAI/altimate-code-actions@v0
with:
mode: static
comment_mode: both
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}| Warehouse | SQL Analysis | Cost Estimation | Impact Analysis |
|---|---|---|---|
| Snowflake | Yes | Yes | Yes |
| BigQuery | Yes | Yes | Yes |
| PostgreSQL | Yes | -- | Yes |
| Databricks | Yes | -- | Yes |
| Redshift | Yes | -- | Yes |
| MySQL | Yes | -- | -- |
| SQL Server | Yes | -- | -- |
| DuckDB | Yes | -- | Yes |
| dbt Core Version | Status | Notes |
|---|---|---|
| 1.7.x | Supported | Minimum supported version |
| 1.8.x | Supported | |
| 1.9.x | Supported | Latest supported version |
E2E tests run against all three versions on Python 3.10, 3.11, and 3.12.
Altimate Code Actions is a GitHub Action that runs the altimate-code CLI inside your CI pipeline. When a pull request is opened or updated, the action:
-
Collects context -- Fetches the list of changed files from the GitHub API, filters for SQL and dbt-related files, and parses the unified diff to extract added and modified code.
-
Runs analysis -- Passes the changed SQL through the
altimate-codeCLI, which performs static analysis (anti-pattern detection, PII scanning) and optionally AI-powered review (using Claude or GPT models). If a dbt project is detected and impact analysis is enabled, it parses the dbt manifest to trace downstream dependencies. -
Estimates costs -- When cost estimation is enabled with warehouse credentials, the CLI runs
EXPLAINor equivalent queries against your warehouse to estimate the before/after cost of modified queries. -
Reports results -- Formats the findings into a structured PR comment (or inline review comments) and posts it via the GitHub API. If a previous Altimate comment exists on the PR, it is updated in place rather than creating a duplicate.
The action uses a sticky comment pattern (identified by an HTML marker) so that re-running the workflow on new commits updates the existing review rather than flooding the PR with repeated comments.
All analysis runs inside the GitHub Actions runner. Your code is never sent to external servers beyond the AI model API calls (when using ai or full mode). Warehouse credentials are used only for cost estimation queries and are never logged.
Contributions are welcome. See CONTRIBUTING.md for development setup, testing instructions, and the PR process.