snowflake-policy-guardrails
Implement Snowflake lint rules, policy enforcement, and automated guardrails. Use when setting up code quality rules for Snowflake integrations, implementing pre-commit hooks, or configuring CI policy checks for Snowflake best practices. Trigger with phrases like "snowflake policy", "snowflake lint", "snowflake guardrails", "snowflake best practices check", "snowflake eslint".
claude-code
Allowed Tools
ReadWriteEditBash(npx:*)
Provided by Plugin
snowflake-pack
Claude Code skill pack for Snowflake (30 skills)
Installation
This skill is included in the snowflake-pack plugin:
/plugin install snowflake-pack@claude-code-plugins-plusClick to copy
Instructions
Snowflake Policy & Guardrails
Overview
Automated policy enforcement and guardrails for Snowflake integrations.
Prerequisites
- ESLint configured in project
- Pre-commit hooks infrastructure
- CI/CD pipeline with policy checks
- TypeScript for type enforcement
ESLint Rules
Custom Snowflake Plugin
// eslint-plugin-snowflake/rules/no-hardcoded-keys.js
module.exports = {
meta: {
type: 'problem',
docs: {
description: 'Disallow hardcoded Snowflake API keys',
},
fixable: 'code',
},
create(context) {
return {
Literal(node) {
if (typeof node.value === 'string') {
if (node.value.match(/^sk_(live|test)_[a-zA-Z0-9]{24,}/)) {
context.report({
node,
message: 'Hardcoded Snowflake API key detected',
});
}
}
},
};
},
};
ESLint Configuration
// .eslintrc.js
module.exports = {
plugins: ['snowflake'],
rules: {
'snowflake/no-hardcoded-keys': 'error',
'snowflake/require-error-handling': 'warn',
'snowflake/use-typed-client': 'warn',
},
};
Pre-Commit Hooks
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: snowflake-secrets-check
name: Check for Snowflake secrets
entry: bash -c 'git diff --cached --name-only | xargs grep -l "sk_live_" && exit 1 || exit 0'
language: system
pass_filenames: false
- id: snowflake-config-validate
name: Validate Snowflake configuration
entry: node scripts/validate-snowflake-config.js
language: node
files: '\.snowflake\.json$'
TypeScript Strict Patterns
// Enforce typed configuration
interface SnowflakeStrictConfig {
apiKey: string; // Required
environment: 'development' | 'staging' | 'production'; // Enum
timeout: number; // Required number, not optional
retries: number;
}
// Disallow any in Snowflake code
// @ts-expect-error - Using any is forbidden
const client = new Client({ apiKey: any });
// Prefer this
const client = new SnowflakeClient(config satisfies SnowflakeStrictConfig);
Architecture Decision Records
ADR Template
# ADR-001: Snowflake Client Initialization
## Status
Accepted
## Context
We need to decide how to initialize the Snowflake client across our application.
## Decision
We will use the singleton pattern with lazy initialization.
## Consequences
- Pro: Single client instance, connection reuse
- Pro: Easy to mock in tests
- Con: Global state requires careful lifecycle management
## Enforcement
- ESLint rule: snowflake/use-singleton-client
- CI check: grep for "new SnowflakeClient(" outside allowed files
Policy-as-Code (OPA)
# snowflake-policy.rego
package snowflake
# Deny production API keys in non-production environments
deny[msg] {
input.environment != "production"
startswith(input.apiKey, "sk_live_")
msg := "Production API keys not allowed in non-production environment"
}
# Require minimum timeout
deny[msg] {
input.timeout < 10000
msg := sprintf("Timeout too low: %d < 10000ms minimum", [input.timeout])
}
# Require retry configuration
deny[msg] {
not input.retries
msg := "Retry configuration is required"
}
CI Policy Checks
# .github/workflows/snowflake-policy.yml
name: Snowflake Policy Check
on: [push, pull_request]
jobs:
policy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for hardcoded secrets
run: |
if grep -rE "sk_(live|test)_[a-zA-Z0-9]{24,}" --include="*.ts" --include="*.js" .; then
echo "ERROR: Hardcoded Snowflake keys found"
exit 1
fi
- name: Validate configuration schema
run: |
npx ajv validate -s snowflake-config.schema.json -d config/snowflake/*.json
- name: Run ESLint Snowflake rules
run: npx eslint --plugin snowflake --rule 'snowflake/no-hardcoded-keys: error' src/
Runtime Guardrails
// Prevent dangerous operations in production
const BLOCKED_IN_PROD = ['deleteAll', 'resetData', 'migrateDown'];
function guardSnowflakeOperation(operation: string): void {
const isProd = process.env.NODE_ENV === 'production';
if (isProd && BLOCKED_IN_PROD.includes(operation)) {
throw new Error(`Operation '${operation}' blocked in production`);
}
}
// Rate limit protection
function guardRateLimits(requestsInWindow: number): void {
const limit = parseInt(process.env.SNOWFLAKE_RATE_LIMIT || '100');
if (requestsInWindow > limit * 0.9) {
console.warn('Approaching Snowflake rate limit');
}
if (requestsInWindow >= limit) {
throw new Error('Snowflake rate limit exceeded - request blocked');
}
}
Instructions
Step 1: Create ESLint Rules
Implement custom lint rules for Snowflake patterns.
Step 2: Configure Pre-Commit Hooks
Set up hooks to catch issues before commit.
Step 3: Add CI Policy Checks
Implement policy-as-code in CI pipeline.
Step 4: Enable Runtime Guardrails
Add production safeguards for dangerous operations.
Output
- ESLint plugin with Snowflake rules
- Pre-commit hooks blocking secrets
- CI policy checks passing
- Runtime guardrails active
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| ESLint rule not firing | Wrong config | Check plugin registration |
| Pre-commit skipped | --no-verify | Enforce in CI |
| Policy false positive | Regex too broad | Narrow pattern match |
| Guardrail triggered | Actual issue | Fix or whitelist |
Examples
Quick ESLint Check
npx eslint --plugin snowflake --rule 'snowflake/no-hardcoded-keys: error' src/
Resources
Next Steps
For architecture blueprints, see snowflake-architecture-variants.