SqlGrantWarn
Last updated: July 14, 2025
This check warns a user when a SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues.
Uses
Property | Value |
Liquibase version required | 4.5.0+ |
Scope (--checks-scope) | changelog |
Default status | enabled |
Default severity (exit code) | 0 ("INFO") |
Customizable settings | No (static) |
Use the check to warn when changelogs contain WITH GRANT statements. Unintended or unauthorized GRANTS can lead to security and compliance issues, especially in regulated industries. This policy check alerts users so they can exercise more control over privileges and permission changes, which is especially important in automated data pipelines, before these changes are deployed to your policy checked environments.
Note: SqlGrantWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.
Before you begin
Ensure that you have correctly specified your Liquibase Pro license key.
Ensure that the
--checks-scopeparameter includes the scope of this check.
Changelog checks prerequisites
--license-key=<string>
--checks-scope=<string>Procedure
Enable
This check is enabled by default. To verify that it is currently enabled, run the checks show command:
liquibase checks show --check-name=<string>
To run the check, use the checks run command.
liquibase checks run --check-name=<string>Note: For flow files you'll need to run liquibase flow to apply your changes.