Find query depth attacks, N+1 resolvers, over-fetching, auth gaps, and schema design issues — before attackers and performance problems find them for you.
A single deeply nested query can bring down your entire API. One resolver with a database call inside a loop creates an N+1 query pattern that turns milliseconds into seconds. Most GraphQL APIs ship without depth limits, without complexity analysis, and without proper authorization on every field. GQLLint scans your resolvers, schemas, and client queries for anti-patterns so your GraphQL layer is fast, secure, and production-ready.
90 checks across 6 categories, covering every aspect of GraphQL security, performance, and schema quality.
Detects missing query depth limits, no max complexity configuration, unbounded nested selections, recursive type definitions without depth guards, and APIs vulnerable to depth-based denial of service attacks.
Finds database queries inside resolver map/forEach loops, missing DataLoader usage for batching, unbatched HTTP calls in list resolvers, and resolver patterns that turn a single query into hundreds of database hits.
Catches resolvers that SELECT * regardless of requested fields, missing field-level data loading, client queries requesting all fields, unused fragments, and patterns that waste bandwidth and database resources.
Detects mutations without authentication checks, missing field-level authorization, no rate limiting on expensive queries, introspection enabled in production, and resolvers that expose data without proper access control.
Finds non-nullable fields without defaults, missing pagination on list types, God types with too many fields, inconsistent naming conventions, missing deprecation notices, and schema patterns that break client compatibility.
Catches template literal interpolation in gql queries, dynamic query construction from user input, missing persisted queries, client-side query strings without whitelisting, and injection vulnerabilities in query building.
Purpose-built for GraphQL security and performance. Not a schema validator pretending to catch anti-patterns.
| Capability | GQLLint | Manual Review | graphql-eslint | Apollo Studio | Stellate |
|---|---|---|---|---|---|
| Query depth attack detection | ✓ 15 rules | Ad hoc | Partial | Partial | ✓ |
| N+1 resolver detection | ✓ 15 rules | Ad hoc | ✗ | Partial | ✗ |
| Over/under fetching analysis | ✓ 15 rules | ✗ | ✗ | Partial | ✗ |
| Auth & rate limiting checks | ✓ 15 rules | Ad hoc | ✗ | Partial | ✓ |
| Schema design analysis | ✓ 15 rules | Ad hoc | ✓ | Partial | ✗ |
| Client query safety | ✓ 15 rules | Ad hoc | Partial | ✗ | ✗ |
| Static analysis (no runtime) | ✓ | ✓ | ✓ | ✗ | ✗ |
| 100% local / zero telemetry | ✓ | ✓ | ✓ | ✗ | ✗ |
| Score & grading system | ✓ | ✗ | ✗ | Partial | ✗ |
| Zero configuration | ✓ | N/A | ✗ | ✗ | ✗ |
Start scanning for free. Upgrade when your GraphQL layer demands it.
Install GQLLint in 30 seconds. Find every depth attack, N+1 resolver, and auth gap before your attackers find them for you.