pgrls compared to adjacent tools

If you arrived here from a search like “pgrls vs X,” the page you want is linked below. Each one answers the same three questions:

  1. Do I need both, one, or neither?
  2. What concrete bug does pgrls catch that the other tool doesn’t?
  3. Is there a 60-second way to wire pgrls into a setup that already has the other tool?

SQL / migration linters

  • pgrls vs sqlfluff — style vs security; use both.
  • pgrls vs squawk — migration lock safety vs RLS correctness; use both, squawk pre-apply, pgrls post-apply.
  • pgrls vs Atlas — schema management vs policy linter; Atlas writes the policies, pgrls audits them.

Generic SAST

Postgres RLS ecosystems

  • pgrls + Supabase — Supabase ships the RLS engine; pgrls is the linter that ecosystem doesn’t ship.
  • pgrls + PostgREST — PostgREST’s design rests on RLS being correct. pgrls is how you verify that assumption.
  • pgrls + Hasura — Hasura permissions are separate from RLS. pgrls is relevant when you’ve layered RLS in for defence-in-depth.

Not here

  • pgaudit — audit logging, not linting. Different category.
  • ORMs (Prisma, SQLAlchemy, Django, TypeORM) — construct queries; don’t lint policies.
  • DB observability (pgwatch, Datadog) — different category.
