DevGuard Risk Scanner

Dharsan Guruparan

A lightweight local-first QA risk scanner for SQL migrations, environment drift, and missing tests.

DevGuard — Local-First QA Risk Scanner

DevGuard is a local-first VS Code extension that scans your workspace for QA risk signals before a push or code review.

It helps surface risky SQL migrations, environment drift, missing tests, and PR-level change risks directly inside VS Code — with no cloud calls, no AI API calls, no telemetry, and no network access.

DevGuard is a deterministic risk scanner. It does not guarantee safety, but it helps developers, QA engineers, and SDETs catch common review risks earlier.


Why Use DevGuard?

Risky changes are often discovered too late:

  • after a pull request is opened,
  • during QA review,
  • after a migration reaches staging,
  • or after a production deploy.

DevGuard shifts that review earlier by flagging common risk patterns before you share your code.

DevGuard can help you notice:

  • destructive SQL migration patterns,
  • Cloudflare D1 / SQLite / PostgreSQL / MySQL compatibility concerns,
  • .env.example and local env drift,
  • source files that appear to lack matching tests,
  • package or lockfile changes,
  • PRs with migration changes but no related test changes.

Features

  • SQL migration risk scanning
    • Detects destructive, locking, and compatibility-sensitive SQL patterns.
  • SQL dialect-aware recommendations
    • Supports generic, postgres, sqlite, cloudflare-d1, and mysql.
  • Environment drift detection
    • Compares .env.example with local env files.
  • Missing test heuristics
    • Flags source files that appear to lack matching .test or .spec files.
  • Changed-files scan
    • Uses local Git diff output to review only changed files.
  • PR risk scoring
    • Scores migration changes, package drift, source changes without tests, and docs-only changes.
  • Visual report
    • Opens a DevGuard Report tab inside VS Code.
  • Markdown and JSON exports
    • Export the latest report after choosing a save path.
  • Local-first privacy model
    • No telemetry, no network calls, no cloud processing, and no AI API calls.

How It Works

Run a scan from the Command Palette:

DevGuard: Run Project Scan

DevGuard scans your workspace and opens a visual report with:

  • overall risk level,
  • risk score,
  • total findings,
  • high / medium / low finding counts,
  • SQL dialect used for migration recommendations,
  • report mode,
  • grouped findings,
  • rule IDs,
  • file paths,
  • line numbers when available,
  • recommendations,
  • clickable workspace-relative file links.

You can also scan only changed files:

DevGuard: Scan Changed Files

This uses local Git diff output. It does not use shell execution, network access, telemetry, or external APIs.


Commands

Command                             | ID                          | Description
------------------------------------|-----------------------------|---------------------------------------------------------------------------
DevGuard: Run Project Scan          | devguard.runScan            | Scans the full workspace using enabled scanners.
DevGuard: Scan Changed Files        | devguard.scanChangedFiles   | Scans only changed files using local Git diff output.
DevGuard: Open Last Report          | devguard.openReport         | Opens the latest available DevGuard report.
DevGuard: Export Report as Markdown | devguard.exportMarkdown     | Exports the latest report as Markdown after you choose a save path.
DevGuard: Export Report as JSON     | devguard.exportJson         | Exports sanitized JSON report output after you choose a save path.
DevGuard: Create Sample Config      | devguard.createSampleConfig | Creates .devguardrc.json through an explicit command and preset selection.
DevGuard: Open Getting Started      | devguard.openGettingStarted | Opens local getting-started guidance.
DevGuard: Refresh Sidebar           | devguard.refreshSidebar     | Refreshes the DevGuard sidebar tree.

Configuration

Create a .devguardrc.json file in your workspace root.

Cloudflare D1 Example

{
  "sql": {
    "dialect": "cloudflare-d1"
  },
  "git": {
    "baseBranch": "main",
    "changedFilesOnly": false
  }
}

Supported SQL Dialects

generic
postgres
sqlite
cloudflare-d1
mysql

Presets

DevGuard supports these presets:

generic
cloudflare-d1
node-postgres
sqlite
mysql
nextjs
typescript-library

Preset merge order:

defaults → preset → user config

User config always wins.

Ignore Paths and Rules

{
  "ignore": {
    "paths": ["migrations/legacy/**"],
    "rules": ["SQL_DROP_TABLE"]
  }
}

Suppress a SQL Finding

-- devguard-ignore-next-line SQL_DROP_TABLE
DROP TABLE scratch;

Risk Gate

{
  "risk": {
    "failOn": "high",
    "mediumThreshold": 30,
    "highThreshold": 70
  }
}

risk.failOn supports:

none
medium
high

Inside VS Code the gate result is shown as a status in the report; a failing gate never aborts or closes the UI.
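The preset merge order from the Presets section and the risk gate described above, as an added example that is not DevGuard's own code. Setting names and the defaults → preset → user config order come from this page; the default values, the sample preset body, the "preset" key in the user config and the per-risk weights are assumptions made for the demonstration.

```javascript
// Setting names and the merge order come from the page; the default values, the sample
// preset body, the "preset" key in the user config and the per-risk weights are assumptions.
const DEFAULTS = {
  sql: { dialect: "generic" },
  git: { baseBranch: "main", changedFilesOnly: false },
  risk: { failOn: "none", mediumThreshold: 30, highThreshold: 70 },
};
const PRESETS = { "cloudflare-d1": { sql: { dialect: "cloudflare-d1" } } };

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Recursive merge: later layers override earlier ones, so the user config always wins.
function deepMerge(...layers) {
  const out = {};
  for (const layer of layers)
    for (const [k, v] of Object.entries(layer || {}))
      out[k] = isPlainObject(v) && isPlainObject(out[k]) ? deepMerge(out[k], v) : v;
  return out;
}

function resolveConfig(userConfig) {
  return deepMerge(DEFAULTS, PRESETS[userConfig.preset] || {}, userConfig);
}

// Assumed scoring: each finding adds points by risk level; the score is capped at 100.
const WEIGHTS = { HIGH: 25, MEDIUM: 10, LOW: 3 };
function scoreFindings(findings) {
  return Math.min(100, findings.reduce((sum, f) => sum + (WEIGHTS[f.risk] || 0), 0));
}

// Maps the score to a level via the thresholds and fails the gate when the level
// reaches risk.failOn ("none" never fails, "medium" fails on MEDIUM or HIGH).
const RANK = { LOW: 0, MEDIUM: 1, HIGH: 2 };
function evaluateGate(findings, riskConfig) {
  const score = scoreFindings(findings);
  const level = score >= riskConfig.highThreshold ? "HIGH"
              : score >= riskConfig.mediumThreshold ? "MEDIUM" : "LOW";
  const failOn = String(riskConfig.failOn).toUpperCase();
  const failed = failOn !== "NONE" && RANK[level] >= RANK[failOn];
  return { score, level, failed };
}

// Constructed user config and findings for the demonstration.
const USER_CONFIG = { preset: "cloudflare-d1", risk: { failOn: "high" } };
const SAMPLE_FINDINGS = [{ risk: "HIGH" }, { risk: "HIGH" }, { risk: "MEDIUM" }, { risk: "LOW" }];
```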


Scanner Coverage

SQL Migration Scanner

DevGuard checks SQL and migration files for high-risk schema and data-change patterns, including:

Rule                             | Risk   | Signal
---------------------------------|--------|------------------------------------------------------------------------------
SQL_DROP_TABLE                   | HIGH   | DROP TABLE detected.
SQL_DROP_COLUMN                  | HIGH   | DROP COLUMN detected.
SQL_TRUNCATE                     | HIGH   | TRUNCATE detected.
SQL_DELETE_WITHOUT_WHERE         | HIGH   | DELETE FROM with no WHERE in the same statement.
SQL_UPDATE_WITHOUT_WHERE         | HIGH   | UPDATE with no WHERE in the same statement.
SQL_ALTER_TABLE                  | MEDIUM | ALTER TABLE detected.
SQL_ADD_NOT_NULL_WITHOUT_DEFAULT | HIGH   | Adds a NOT NULL column without a default.
SQL_CREATE_UNIQUE_INDEX          | MEDIUM | Unique index requires duplicate-data review.
SQL_ADD_FOREIGN_KEY              | MEDIUM | Foreign key requires orphan-row and locking review.
D1_UNSUPPORTED_CONCURRENTLY      | HIGH   | PostgreSQL-specific CREATE INDEX CONCURRENTLY detected in Cloudflare D1 mode.
D1_UNSUPPORTED_ALTER_COMPLEX     | HIGH   | Complex ALTER TABLE may be unsupported in D1.
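A deterministic, parser-free scanner for a subset of the rules above, including the per-statement WHERE check, the dialect-aware D1 rule and the devguard-ignore-next-line suppression comment from the Configuration section. This is an added example, not DevGuard's own implementation: rule IDs and risk levels follow the table, while the regexes, the ';'-based statement splitting and the finding shape are assumptions.

```javascript
// Rule IDs and risk levels follow the table above; the regexes and splitting are assumptions.
const SQL_RULES = [
  { id: "SQL_DROP_TABLE", risk: "HIGH", re: /\bDROP\s+TABLE\b/i },
  // "no WHERE in the same statement": the lookahead only sees the rest of this statement
  { id: "SQL_DELETE_WITHOUT_WHERE", risk: "HIGH", re: /^DELETE\s+FROM\b(?![\s\S]*\bWHERE\b)/i },
  { id: "SQL_UPDATE_WITHOUT_WHERE", risk: "HIGH", re: /^UPDATE\b(?![\s\S]*\bWHERE\b)/i },
  { id: "SQL_ADD_NOT_NULL_WITHOUT_DEFAULT", risk: "HIGH",
    re: /\bADD\s+(?:COLUMN\s+)?[\s\S]*?\bNOT\s+NULL\b(?![\s\S]*\bDEFAULT\b)/i },
  { id: "D1_UNSUPPORTED_CONCURRENTLY", risk: "HIGH", dialects: ["cloudflare-d1"], // D1 mode only
    re: /\bCREATE\s+(?:UNIQUE\s+)?INDEX\s+CONCURRENTLY\b/i },
];
const IGNORE_RE = /^\s*--\s*devguard-ignore-next-line\s+([A-Z0-9_]+)/;
// Splits on ';', drops '--' comments so they cannot trigger rules, and reports the 1-based
// line of each statement's first token. A devguard-ignore-next-line comment suppresses
// one rule on the statement that starts on the line directly below it.
function scanMigration(sql, dialect = "generic") {
  const findings = [];
  let line = 1, lastIgnore = null;
  for (const chunk of sql.split(";")) {
    const body = [], suppressed = new Set();
    let startLine = null;
    for (const raw of chunk.split("\n")) {
      const m = IGNORE_RE.exec(raw);
      if (m) lastIgnore = { line, rule: m[1] };
      else if (raw.trim() && !/^\s*--/.test(raw)) {
        if (startLine === null && lastIgnore && lastIgnore.line === line - 1) suppressed.add(lastIgnore.rule);
        if (startLine === null) startLine = line;
        body.push(raw);
      }
      line++;
    }
    line--; // the split consumed a ';', not a newline
    const stmt = body.join("\n").trim();
    for (const rule of SQL_RULES) {
      if (rule.dialects && !rule.dialects.includes(dialect)) continue; // dialect-aware rule
      if (!suppressed.has(rule.id) && rule.re.test(stmt)) findings.push({ rule: rule.id, risk: rule.risk, line: startLine });
    }
  }
  return findings;
}

const SAMPLE_MIGRATION = [ // constructed sample; comments give the line the scanner reports
  "ALTER TABLE users ADD COLUMN email TEXT NOT NULL;",   // 1: NOT NULL without DEFAULT
  "-- devguard-ignore-next-line SQL_DROP_TABLE",          // 2
  "DROP TABLE scratch;",                                  // 3: suppressed by line 2
  "DELETE FROM sessions",                                 // 4: WHERE is on line 5, same statement
  "WHERE expires_at < now();",                            // 5
  "UPDATE users SET active = 0;",                         // 6: no WHERE anywhere
  "CREATE INDEX CONCURRENTLY idx_email ON users(email);", // 7: flagged in cloudflare-d1 mode only
].join("\n");
```

Running scanMigration(SAMPLE_MIGRATION) reports lines 1 and 6 only; passing "cloudflare-d1" as the dialect adds the line 7 finding.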

Environment Drift Scanner

Compares .env.example with a local env file.

Rule                           | Risk   | Signal
-------------------------------|--------|----------------------------------------------------------
ENV_EXAMPLE_MISSING            | MEDIUM | No .env.example found.
ENV_LOCAL_MISSING              | LOW    | No local env file found.
ENV_MISSING_LOCAL_KEY          | MEDIUM | Key exists in example but not in local file.
ENV_UNDOCUMENTED_LOCAL_KEY     | LOW    | Key exists in local file but not in example.
ENV_EMPTY_LOCAL_VALUE          | LOW    | Local key has an empty value.
ENV_POSSIBLE_SECRET_IN_EXAMPLE | HIGH   | Secret-type key with non-placeholder value in example.

Secret values are never printed in findings.
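The drift comparison above, worked through as an added example (not DevGuard's own code). Rule IDs and risk levels are the ones in the table; the KEY=VALUE parsing, the secret-key name heuristic and the placeholder heuristic are assumptions, and the findings carry key names only so that no value can leak into a report.

```javascript
// Rule IDs and risk levels follow the table above; the parsing and the secret-key /
// placeholder heuristics are this example's assumptions. Findings carry key names only.
const SECRET_KEY_RE = /(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)/i;
const PLACEHOLDER_RE = /^(|changeme|your[-_].*|<.*>|\$\{.*\}|x{3,}|\.\.\.)$/i;
// Parses KEY=VALUE lines into a Map; ignores blanks, comments and an "export " prefix.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1); // strip matching quotes
    vars.set(m[1], value);
  }
  return vars;
}

// Pass null for a file that does not exist. Values never leave this function.
function scanEnvDrift(exampleText, localText) {
  if (exampleText === null) return [{ rule: "ENV_EXAMPLE_MISSING", risk: "MEDIUM" }];
  const findings = [], example = parseEnv(exampleText);
  for (const [key, value] of example)
    if (SECRET_KEY_RE.test(key) && !PLACEHOLDER_RE.test(value))
      findings.push({ rule: "ENV_POSSIBLE_SECRET_IN_EXAMPLE", risk: "HIGH", key });
  if (localText === null) return [...findings, { rule: "ENV_LOCAL_MISSING", risk: "LOW" }];
  const local = parseEnv(localText);
  for (const key of example.keys())
    if (!local.has(key)) findings.push({ rule: "ENV_MISSING_LOCAL_KEY", risk: "MEDIUM", key });
  for (const [key, value] of local) {
    if (!example.has(key)) findings.push({ rule: "ENV_UNDOCUMENTED_LOCAL_KEY", risk: "LOW", key });
    if (value === "") findings.push({ rule: "ENV_EMPTY_LOCAL_VALUE", risk: "LOW", key });
  }
  return findings;
}

// Constructed sample files for the demonstration (all values are made up).
const EXAMPLE_ENV = [
  "# copy to .env.local and fill in",
  "DATABASE_URL=postgres://app:app@localhost:5432/app",
  "API_KEY=changeme",                        // placeholder: not flagged
  "STRIPE_SECRET=sk_test_constructed_value", // non-placeholder value on a secret-type key: flagged
  "LOG_LEVEL=info",
].join("\n");
const LOCAL_ENV = [
  'DATABASE_URL="postgres://app:app@localhost:5432/app"',
  "API_KEY=",       // present but empty
  "export DEBUG=1", // not documented in the example
].join("\n");
```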

Missing Test Scanner

Uses heuristic file matching to identify source files that appear to lack matching test coverage.

Rule                       | Risk   | Signal
---------------------------|--------|------------------------------------------------------
TEST_MISSING_MATCHING_FILE | MEDIUM | Source file has no matching .test or .spec file.
TEST_FINDINGS_CAPPED       | LOW    | More than 25 files found; only the first 25 are shown.

DevGuard ignores common low-signal files such as index.ts, types.ts, declaration files, and config files.


Report Exports

DevGuard can export the latest scan report as Markdown or JSON.

Export behavior:

  • export only happens through explicit user commands,
  • you choose the save path,
  • JSON output is sanitized,
  • secret values are not printed,
  • JSON includes reportSchemaVersion: "1.0".

Example JSON shape:

{
  "reportSchemaVersion": "1.0",
  "summary": {
    "riskLevel": "MEDIUM",
    "riskScore": 42,
    "totalFindings": 7
  },
  "findings": []
}

Privacy and Safety

DevGuard is local-first by design.

DevGuard does not:

  • call cloud services,
  • call AI APIs,
  • send telemetry,
  • require API keys,
  • require network access,
  • print secret values in reports,
  • automatically mutate project files.

Export and sample-config file-writing only happen through explicit user commands.

Visual report file-opening is limited to workspace-relative paths. Absolute paths and ../ traversal outside the workspace are rejected.


Performance

DevGuard skips heavy directories by default:

node_modules
dist
out
build
coverage
.git
.next
turbo

Default caps:

Setting                            | Default
-----------------------------------|--------
performance.maxFindingsPerScanner  | 100
performance.maxMissingTestFindings | 25
performance.maxFileSizeBytes       | 1048576
performance.concurrencyLimit       | 20

Files over the size limit are skipped with a low-risk FILE_SKIPPED_TOO_LARGE finding.


Limitations

DevGuard uses deterministic heuristics, not a full SQL parser.

It can:

  • miss risks,
  • report false positives,
  • over-warn on unusual SQL,
  • under-warn on complex migrations,
  • miss project-specific testing conventions.

Use DevGuard as an early review assistant, not as a replacement for tests, code review, staging validation, database review, or production deployment checks.


License

MIT License

Copyright (c) 2026 Dharsan Guruparan

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files, to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, subject to the conditions of the MIT License.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
