Skip to main content
AnomalyArmor uses an open-source SQL security layer called the Query Gateway to enforce strict access controls on every query we run against your database. This page explains how it works and how you can verify our security claims.

What is the Query Gateway?

The Query Gateway is a SQL validation layer that parses and validates every query before execution. It’s the enforcement mechanism behind our “metadata only” promise. Query execution flow through Gateway validation

Key Security Properties

PropertyDescription
Fail-closedIf a query cannot be parsed, it is blocked. No exceptions.
Pre-execution validationQueries are validated before reaching your database
Recursive checkingSubqueries and CTEs are validated against the same rules
Comment strippingSQL comments are removed to prevent obfuscation attacks
Open sourceFull source code available for your security team to audit

Access Levels

The Query Gateway enforces three distinct permission tiers. AnomalyArmor uses different access levels depending on the operation:
LevelPurposePermittedBlocked
Schema OnlyMetadata queriesSystem tables (information_schema, pg_catalog, etc.)Any row-level data
AggregatesStatistics onlyCOUNT(*), AVG, SUM, MIN, MAXRaw column values, SELECT *
FullComplete read accessAny valid SELECT(unrestricted)

What AnomalyArmor Uses

FeatureAccess LevelExample Query
Schema discoverySchema OnlySELECT table_name FROM information_schema.tables
Freshness monitoringAggregatesSELECT MAX(updated_at) FROM orders
Row countsAggregatesSELECT COUNT(*) FROM users
AnomalyArmor does not use full access level. We only query metadata (schema_only) and aggregate statistics (aggregates) for freshness monitoring.

Schema Only Mode

In schema_only mode, queries can only access system catalogs: 
-- Allowed
SELECT table_name, column_name, data_type
FROM information_schema.columns;

-- Blocked (not a system table)
SELECT * FROM users;

-- Blocked (even aggregates on user tables)
SELECT COUNT(*) FROM orders;

Aggregates Mode

In aggregates mode, queries can retrieve statistical information but never raw values: 
-- Allowed
SELECT MAX(created_at) FROM orders;
SELECT COUNT(*) FROM users;
SELECT AVG(amount) FROM transactions;

-- Blocked (returns raw values)
SELECT email FROM users;
SELECT * FROM orders LIMIT 1;

-- Blocked (window functions can leak row data)
SELECT ROW_NUMBER() OVER (ORDER BY id) FROM users;

Open Source Verification

The Query Gateway is fully open source under the Apache 2.0 license. Your security team can:
  1. Audit the code - Review exactly how queries are validated
  2. Run the test suite - 97+ tests covering security edge cases
  3. Verify our claims - See the exact rules enforced at each access level

GitHub Repository

View the source code, run tests, and verify our security implementation

Running the Tests Yourself

# Clone the repository
git clone https://github.com/anomalyarmor/anomalyarmor-query-gateway.git
cd anomalyarmor-query-gateway

# Install dependencies
pip install -e ".[dev]"

# Run the test suite
pytest -v

Technical Implementation

SQL Parsing

The gateway uses sqlglot to parse queries into an Abstract Syntax Tree (AST). This enables:
  • Dialect-aware parsing (PostgreSQL, MySQL, Databricks, ClickHouse, etc.)
  • Accurate identification of accessed tables and columns
  • Detection of nested queries and CTEs

Validation Process

Query validation process from parsing to allow/block decision

Supported Databases

The gateway supports all databases that AnomalyArmor connects to:
  • PostgreSQL
  • MySQL
  • Databricks
  • ClickHouse
  • Snowflake
  • SQL Server
  • BigQuery
  • Redshift

Audit Logging

Every query validation is logged with:
  • Query text
  • Access level applied
  • Allow/block decision
  • Rejection reason (if blocked)
  • Metadata (asset ID, user ID, timestamp)
These logs are available in your audit trail (Enterprise plans).

FAQ

The gateway is open source, but AnomalyArmor runs it as part of our managed service. Self-hosted deployments are available for Enterprise customers.
Blocked queries are logged and never reach your database. The discovery job will report an error, which our engineering team investigates.
No. All database queries from AnomalyArmor pass through the gateway. There is no code path that executes queries directly.
  1. Check your database query logs - you’ll only see metadata and aggregate queries
  2. Review the open-source gateway code

Security Overview

Full security documentation

Data Handling

What data we access and store