feat: add PostgreSQL parser and reporting capabilities

.coderabbit.yaml

@@ -121,7 +121,11 @@ reviews:
         comment/string-aware multi-statement rejection and SELECT/WITH-only (DML
         behind WithAllowDML) policy. EXPLAIN takes no bind params, so
         concatenation is by design — the defense is validate() + the rolled-back
-        read-only tx; do not "fix" it with parameterization.
+        read-only tx; do not "fix" it with parameterization. Deliberate
+        carve-out: explain keeps Result.Query (and the inner analyzer.Result
+        .Query of its findings) RAW — the user typed the query on their own CLI,
+        it never reaches a log/telemetry sink, and Fingerprint is still set. Do
+        NOT flag explain findings for not redacting Query; that is intended.
 
     - path: "**/*_test.go"
       instructions: >-

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,43 @@
+---
+name: Bug report
+about: Report incorrect behavior, a false positive/negative, or a crash
+title: ""
+labels: bug
+assignees: ""
+---
+
+**Do not file security vulnerabilities here** — see [SECURITY.md](../../SECURITY.md).
+
+## What happened
+
+A clear description of the bug.
+
+## Expected behavior
+
+What you expected instead. For a false positive/negative, say which **rule**
+(e.g. `select-star`) fired or failed to fire.
+
+## Reproduction
+
+The SQL or Go snippet, and how it was issued:
+
+```sql
+-- query (redacted is fine)
+```
+
+```go
+// minimal repro
+```
+
+## Environment
+
+- sqlguard version / commit:
+- Affected module(s) (root, `integrations/<name>`, `parsers/<name>`):
+- Parser in use (default fallback / pgparser / mysqlparser):
+- Entry surface (runtime middleware / CLI `scan` / CLI `explain` / integration):
+- Go version:
+- Database + dialect (if relevant):
+
+## Additional context
+
+Logs (redaction-safe), config (`.sqlguard.yml`), or anything else useful.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/KARTIKrocks/sqlguard/security/advisories/new
+    about: Report security issues privately — please do not open a public issue.
+  - name: Question / discussion
+    url: https://github.com/KARTIKrocks/sqlguard/discussions
+    about: Ask usage questions or discuss ideas here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest a new rule, integration, or capability
+title: ""
+labels: enhancement
+assignees: ""
+---
+
+## Problem
+
+What are you trying to catch or do that sqlguard can't today?
+
+## Proposed solution
+
+What you'd like to see. If you're proposing a **new detection rule**, include:
+
+- the SQL anti-pattern it should flag,
+- example queries that should and should **not** trigger it,
+- a suggested severity (info / warning / critical),
+- any tunable (and its default).
+
+If you're proposing a **new integration**, name the ORM/driver and its
+hook/seam.
+
+## Alternatives considered
+
+Other approaches, workarounds, or existing rules/config that almost fit.
+
+## Additional context
+
+Anything else — links, prior art, willingness to send a PR.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,27 @@
+## Summary
+
+What does this PR change, and why?
+
+Closes #<!-- issue number, if any -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New detection rule
+- [ ] New integration / parser
+- [ ] Feature / enhancement
+- [ ] Docs only
+- [ ] Refactor / chore
+
+## Checklist
+
+- [ ] `make ci` passes (fmt-check, vet, lint, test-race) across all modules
+- [ ] Added/updated tests (and, where practical, a failure-mode check)
+- [ ] Updated docs as needed (`README.md`, `CLAUDE.md`, `.sqlguard.example.yml`)
+- [ ] Added an entry under `## [Unreleased]` in `CHANGELOG.md`
+- [ ] No new third-party deps in `analyzer` / `middleware` / `reporter`
+- [ ] Findings stay redaction-safe (no raw literals leak into a `Result`)
+
+## Notes for reviewers
+
+Anything reviewers should focus on — tricky areas, trade-offs, follow-ups.

.github/dependabot.yml

@@ -0,0 +1,56 @@
+version: 2
+
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      go-dependencies:
+        patterns:
+          - "*"
+
+  - package-ecosystem: gomod
+    directory: /integrations/gormguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /integrations/sqlxguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /integrations/pgxguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /integrations/bunguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /integrations/xormguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /integrations/entguard
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /parsers/pgparser
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /parsers/mysqlparser
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/ci.yml

@@ -0,0 +1,109 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go-version: ["1.26"]
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Run tests
+        run: go test ./... -count=1 -race
+
+      - name: Test integrations (gormguard)
+        run: cd integrations/gormguard && go test ./... -count=1 -race
+
+      - name: Test integrations (sqlxguard)
+        run: cd integrations/sqlxguard && go test ./... -count=1 -race
+
+      - name: Test integrations (pgxguard)
+        run: cd integrations/pgxguard && go test ./... -count=1 -race
+
+      - name: Test integrations (bunguard)
+        run: cd integrations/bunguard && go test ./... -count=1 -race
+
+      - name: Test integrations (xormguard)
+        run: cd integrations/xormguard && go test ./... -count=1 -race
+
+      - name: Test integrations (entguard)
+        run: cd integrations/entguard && go test ./... -count=1 -race
+
+      - name: Test parsers (pgparser)
+        run: cd parsers/pgparser && go test ./... -count=1 -race
+
+      - name: Test parsers (mysqlparser)
+        run: cd parsers/mysqlparser && go test ./... -count=1 -race
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: "1.26"
+
+      - uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.11
+          args: --timeout=5m
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: "1.26"
+
+      - name: Build CLI
+        run: go build -o bin/sqlguard ./cmd/sqlguard
+
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version: "1.26"
+
+      # `make coverage` runs every module and merges into a single coverage.out
+      # (root go test does not reach the satellite modules).
+      - name: Generate merged coverage
+        run: make coverage
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage.out
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly re-scan so newly published CodeQL queries flag old code too.
+    - cron: "0 6 * * 1"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name != 'schedule' }}
+
+permissions:
+  # CodeQL requires security-events: write to upload SARIF results
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (Go)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.26"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go
+          # Build the modules ourselves (below) so the tracer sees all nine.
+          build-mode: manual
+          queries: security-extended
+
+      # Each integration/parser carries its own go.mod (heavy deps kept opt-in),
+      # so `go build ./...` from root does NOT reach them. Build every module
+      # under the CodeQL tracer so all nine are analyzed — same MODULES loop the
+      # Makefile uses; a satellite must not silently skip scanning.
+      - name: Build all modules
+        run: |
+          set -e
+          for mod in . \
+            ./integrations/gormguard ./integrations/sqlxguard \
+            ./integrations/pgxguard ./integrations/bunguard \
+            ./integrations/xormguard ./integrations/entguard \
+            ./parsers/pgparser ./parsers/mysqlparser; do
+            echo "==> Building $mod"
+            (cd "$mod" && go build ./...)
+          done
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:go"

.gitignore

@@ -7,6 +7,7 @@
 *.dll
 *.so
 *.dylib
+bin
 
 # Test binary, built with `go test -c`
 *.test
@@ -17,6 +18,9 @@ coverage.*
 *.coverprofile
 profile.cov
 
+# FE
+sqlguard-website
+
 # Dependency directories (remove the comment below to include it)
 # vendor/