
dbt Postgres Adapter

registry: PyPI
package name: dbt-postgres
maintainer: dbt Labs

dbt-postgres is the PostgreSQL adapter bundled with dbt Core, connecting to PostgreSQL (and PostgreSQL-compatible databases like Amazon RDS, AlloyDB, and Redshift with limitations). It uses psycopg2 for the database connection and reads credentials from the dbt profiles file.

api usage

Checking dbt Postgres Adapter

dbt-postgres 1.8.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=dbt-postgres&version=1.8.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "dbt-postgres",
  "version": "1.8.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

PostgreSQL credentials used by dbt often hold schema owner privileges across the analytics database. A compromised adapter can exfiltrate these credentials and use them to read or drop production tables.

Attestd monitors dbt-postgres using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
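A pre-install gate that consumes the /v1/check response shown above and weights any reported sources by the confidences listed here, as an added example that is not Attestd's own client code. The response fields and confidences are taken from this page; the fail-closed policy, the shape of the `sources` entries (assumed to be source ids such as `osv`), and the second, compromised response are assumptions and constructed samples.

```python
"""Pre-install gate for an Attestd /v1/check response (added example)."""
from dataclasses import dataclass

# Confidence of each detection source, as documented on this page.
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

# Clean response for dbt-postgres 1.8.0, copied from the page above.
CLEAN_RESPONSE = {
    "product": "dbt-postgres", "version": "1.8.0", "supported": True,
    "risk_state": "none",
    "supply_chain": {"compromised": False, "sources": [], "malware_type": None,
                     "description": None, "advisory_url": None,
                     "compromised_at": None, "removed_at": None},
    "last_updated": "2026-05-01T00:00:00Z",
}

# Constructed sample only: version, dates and advisory URL are placeholders.
CONSTRUCTED_COMPROMISED = {
    "product": "dbt-postgres", "version": "0.0.0-constructed", "supported": True,
    "supply_chain": {"compromised": True, "sources": ["osv", "pypi_yank"],
                     "malware_type": None,
                     "description": "constructed sample, not a real advisory",
                     "advisory_url": "https://example.invalid/MAL-PLACEHOLDER",
                     "compromised_at": "2026-01-01T00:00:00Z", "removed_at": None},
    "last_updated": "2026-01-02T00:00:00Z",
}


@dataclass
class Verdict:
    allow: bool
    reason: str
    confidence: float  # highest confidence among reporting sources; 0.0 if none


def evaluate(response: dict, product: str, version: str) -> Verdict:
    """Decide whether product==version may be installed, failing closed."""
    # Refuse a response that describes a different artefact than requested.
    if response.get("product") != product or response.get("version") != version:
        return Verdict(False, "response does not match requested product/version", 0.0)
    if not response.get("supported", False):
        return Verdict(False, "version not covered by Attestd; not assuming clean", 0.0)
    chain = response.get("supply_chain") or {}
    if not chain.get("compromised", False):
        return Verdict(True, "no known supply chain compromise", 0.0)
    # Assumed: "sources" lists detection source ids (registry, osv, pypi_yank).
    confidence = max((SOURCE_CONFIDENCE.get(s, 0.0) for s in chain.get("sources", [])),
                     default=0.0)
    detail = chain.get("description") or chain.get("malware_type") or "no details"
    return Verdict(False, f"compromised ({detail}); advisory: {chain.get('advisory_url')}",
                   confidence)
```

Run `evaluate(json.loads(body), "dbt-postgres", "1.8.0")` on the curl output above; a missing or mismatched response blocks the install rather than passing it through.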
