ast/sql-injection-template
SQL injection via template literal interpolating user input
What it detects
A `query`/`execute`/`raw`/`run` call receives a tagged template literal that interpolates a value sourced from `req.body`, `req.query`, `req.params`, `req.headers`, `ctx.request`, or `userInput`. Interpolating raw user input into SQL is the textbook injection vector — use parameterised queries instead. Detected via AST: false positives are rare because we require both the SQL-call shape AND the user-input expression in the same call site.
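As an added illustration (not code from repoguard or from this rule), the flagged shape next to two parameterised rewrites. `db` is a constructed stub that records the query it would send instead of talking to a database, `req` is a constructed request object, and the `sql` tag is written here only to show how a parameterising tag keeps values out of the SQL text:

```typescript
// Added example, not repoguard code: the flagged shape next to two
// parameterised rewrites. `db` is a constructed stub that records the
// query it would send; `req` is a constructed request object.
type Query = { text: string; values: unknown[] };

const db = {
  query(text: string, values: unknown[] = []): Query {
    return { text, values };
  },
};

// A legitimate value with an apostrophe is enough to show the defect:
// the quote alone changes the statement the database would parse.
const req = { query: { name: "O'Brien" } };

// Flagged shape: user input interpolated straight into the SQL text.
function vulnerableLookup(userName: string): Query {
  return db.query(`SELECT id FROM users WHERE name = '${userName}'`);
}

// Rewrite 1: placeholder in the text, value in the values array.
function parameterisedLookup(userName: string): Query {
  return db.query("SELECT id FROM users WHERE name = $1", [userName]);
}

// Rewrite 2: a tag that turns each interpolation into a numbered
// placeholder, so template syntax stays but values travel separately.
// Constructed here to show the mechanism; drivers ship their own tags.
function sql(strings: TemplateStringsArray, ...values: unknown[]): Query {
  const text = strings.reduce(
    (acc, part, i) => acc + part + (i < values.length ? `$${i + 1}` : ""),
    "",
  );
  return { text, values };
}

function taggedLookup(userName: string): Query {
  const q = sql`SELECT id FROM users WHERE name = ${userName}`;
  return db.query(q.text, q.values);
}

// True when the input string itself ended up inside the SQL text, i.e.
// the data/code boundary was crossed.
function inputLeakedIntoSql(q: Query, input: string): boolean {
  return q.text.includes(input);
}

// An odd number of single quotes means the statement no longer reads as
// the developer wrote it; the database would reject or misparse it.
function hasUnbalancedQuotes(q: Query): boolean {
  return (q.text.match(/'/g) ?? []).length % 2 === 1;
}

const submitted = req.query.name;
console.log(vulnerableLookup(submitted).text, hasUnbalancedQuotes(vulnerableLookup(submitted)));
console.log(parameterisedLookup(submitted), taggedLookup(submitted));
```

The point of the two helper checks is that the rule's concern is structural: whether the interpolated value lands in the SQL string at all, not whether a particular payload happens to be present.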
How it runs
Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.
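An added example, not repoguard's implementation, of the walk described above using the TypeScript Compiler API directly (repoguard drives it through ts-morph). It goes slightly beyond the page's wording by also flagging an untagged template literal passed to the same calls. The callee list, the user-input roots, the `scan` function and the sample source are all constructed here:

```typescript
// Added example, not repoguard's implementation: the rule's AST walk done
// with the TypeScript Compiler API directly (repoguard drives it through
// ts-morph). The callee list, input roots and sample source are constructed.
import * as tsModule from "typescript";
// TypeScript ships a CommonJS bundle; this keeps the example working whether
// the runtime exposes it as a namespace or as a default export.
const ts: typeof tsModule = (tsModule as any).default ?? tsModule;
type Node = tsModule.Node;
type Expression = tsModule.Expression;

const SQL_CALLEES = new Set(["query", "execute", "raw", "run"]);
const USER_INPUT_ROOTS = [
  "req.body", "req.query", "req.params", "req.headers", "ctx.request", "userInput",
];
const MAX_FILE_CHARS = 200 * 1024; // mirrors the page's 200 KB skip (chars as a byte proxy)

interface Finding { line: number; callee: string; input: string }

// `req.body`, `req.body.name` and `req.query["q"]` all count as user input.
function isUserInput(expr: Expression): boolean {
  const text = expr.getText();
  return USER_INPUT_ROOTS.some(
    (root) => text === root || text.startsWith(root + ".") || text.startsWith(root + "["),
  );
}

// Name of the SQL method if `callee` looks like db.query / knex.raw / run(...).
function sqlCalleeName(callee: Expression): string | null {
  if (ts.isPropertyAccessExpression(callee) && SQL_CALLEES.has(callee.name.text)) return callee.name.text;
  if (ts.isIdentifier(callee) && SQL_CALLEES.has(callee.text)) return callee.text;
  return null;
}

// Every user-input expression interpolated into a template under `node`.
function interpolatedUserInput(node: Node): string[] {
  const hits: string[] = [];
  const visit = (n: Node): void => {
    if (ts.isTemplateExpression(n)) {
      for (const span of n.templateSpans) {
        if (isUserInput(span.expression)) hits.push(span.expression.getText());
      }
    }
    ts.forEachChild(n, visit);
  };
  visit(node);
  return hits;
}

function scan(source: string, fileName = "input.ts"): Finding[] {
  if (source.length > MAX_FILE_CHARS) return [];
  const sf = ts.createSourceFile(fileName, source, ts.ScriptTarget.Latest, true);
  const findings: Finding[] = [];
  const report = (node: Node, callee: string, inputs: string[]): void => {
    const { line } = sf.getLineAndCharacterOfPosition(node.getStart(sf));
    for (const input of inputs) findings.push({ line: line + 1, callee, input });
  };
  const visit = (node: Node): void => {
    // Shape A: the SQL call is itself the tag, e.g. knex.raw`... ${userInput} ...`
    if (ts.isTaggedTemplateExpression(node)) {
      const callee = sqlCalleeName(node.tag);
      if (callee) report(node, callee, interpolatedUserInput(node.template));
    }
    // Shape B: a template (tagged, or untagged as an extension of the page's
    // wording) is passed as an argument, e.g. db.query(sql`... ${req.body.id} ...`)
    if (ts.isCallExpression(node)) {
      const callee = sqlCalleeName(node.expression);
      if (callee) {
        for (const arg of node.arguments) {
          if (ts.isTaggedTemplateExpression(arg) || ts.isTemplateExpression(arg)) {
            report(node, callee, interpolatedUserInput(arg));
          }
        }
      }
    }
    ts.forEachChild(node, visit);
  };
  visit(sf);
  return findings;
}

// Constructed sample: lines 2, 3 and 5 should be flagged; 4 and 6 should not.
const SAMPLE = [
  'app.get("/u", async (req, res) => {',
  '  await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  '  await db.query(sql`SELECT * FROM users WHERE id = ${req.params.id}`);',
  '  await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);',
  '  await knex.raw`SELECT ${userInput} FROM t`;',
  '  await db.query(`SELECT * FROM users WHERE id = ${safeId}`);',
  '});',
].join("\n");

console.log(scan(SAMPLE));
```

Line 4 shows why the page can claim rare false positives: a placeholder query that passes the same `req.params.id` in a values array has the user-input expression but not the template shape, so it is never reported; line 6 has the shape but no user-input expression, and is equally silent.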
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.