Multi-Engine Proxy
PostgreSQL, Oracle, and MySQL/MariaDB on independent listeners. Connect any standard client — psql, sqlplus, mysql, DBeaver, your ORM — without application changes.
Query Observability
Track every query with full SQL text, parameters, execution time, rows affected, and optional result-data capture. Text and binary protocols decoded the same way.
Granular Access Control
Time-windowed grants with combinable controls — read_only, block_copy, block_ddl — plus per-grant quotas on queries and bytes transferred.
User & API Key Management
Local users with admin, viewer, and connector roles. Optional Slack sign-in. API keys for programmatic access — and they cannot create or revoke other keys.
Secure by Design
Passwords hashed with Argon2id, database credentials encrypted with AES-256-GCM and bound to the database UID. Append-only audit log of every administrative change.
Defense in Depth
Read-only enforced via SQL inspection and engine-level session flags. MySQL LOCAL INFILE opted out of the upstream capabilities. PostgreSQL session bypass attempts blocked.
Session Packet Dumps
Optional per-session binary capture of the post-auth command stream. Same .dbbat-dump format across all protocols, with a CLI anonymiser for safe sharing.
REST API + Web UI
Full OpenAPI 3.0 spec served at /api/docs. React frontend embedded in the binary at /app for managing users, databases, grants, and browsing query history.
Single Binary
One Go binary backed by PostgreSQL. Distroless Docker image, Helm chart, Kubernetes-friendly. Stateless beyond its store — replicas welcome.
Quick Start
Get DBBat running in seconds with Docker — one container fronts PostgreSQL, Oracle, and MySQL/MariaDB:
docker run
-p 5434:5434 # PostgreSQL proxy
-p 1522:1522 # Oracle proxy
-p 3307:3307 # MySQL / MariaDB proxy
-p 4200:4200 # REST API + web UI
-e DBB_DSN=postgres://dbbat:dbbat@pgserver:5432/dbbat
ghcr.io/fclairamb/dbbat


