Set policy check severity and exit codes

Last updated: September 2, 2025

Procedure

1

Run the checks customize command using the following example parameters

Example of configured severity and exit codes output

Executing Policy Checks against changelog.xml

Executing all checks because a valid Liquibase Secure license was found!

Checks completed validation of the changelog and found the following issues:

Changeset ID:       1::triggerGrantCheck
Changeset Filepath: changelog.xml
Check Name:         Warn on Detection of 'GRANT' Statements (SqlGrantWarn)
Check Severity:     CRITICAL (Return code: 3)
Message:            A statement granting privileges to a role or user was
					detected in your changelog. To prevent unintended access to
					the database or data it is recommended that the granting and
					revocation of privileges be carefully reviewed.

Changeset ID:       1::triggerGrantCheck
Changeset Filepath: changelog.xml
Check Name:         Warn on Detection of grant that contains 'WITH ADMIN OPTION' (SqlGrantAdminWarn)
Check Severity:     INFO (Return code: 0)
Message:            A statement granting privileges to a role or user with the
					ADMIN OPTION was detected in your changelog. Granting
					privileges to users or roles with the ADMIN OPTION can lead
					to security issues.  We recommend this changeset be
					carefully reviewed.

Changesets Validated:
  ID: 1::triggerGrantCheck; Author: Liquibase Secure User; File path: changelog.xml

run against each changeset:
  Warn on Detection of 'GRANT' Statements
  Warn on Detection of 'REVOKE' Statements
  Warn when 'DROP TABLE' detected
  Warn when 'DROP COLUMN' detected
  Warn when 'MODIFY <column>' detected
  Check Table Column Count
  Warn when 'TRUNCATE TABLE' detected
  Warn on Detection of grant that contains 'WITH GRANT OPTION'
  Warn on Detection of grant that contains 'WITH ADMIN OPTION'
  Changesets Must Have a Label Assigned
  Changesets Must Have a Context Assigned
  Changesets Must Have a Comment Assigned

liquibase.command.CommandFailedException: run command exited with an error code of 3
2

Follow the CLI instructions to set the severity level

Set the Severity to return a code of 0-4 when triggered (current: '<currentvalue>'. options: 'INFO' (0) 'MINOR' (1), 'MAJOR' (2), 'CRITICAL' (3), BLOCKER' (4) )
3

Change the default severity of INFO in the CLI

Change the default severity of INFO in the CLI output by entering one of the below words or their associated number:

  • MINOR or 1

  • MAJOR or 2

  • CRITICAL or 3

  • BLOCKER or 4

Example: If you set the severity to CRITICAL, you will see 3 in the show output and as the returned exit code when triggered.

The checks-settings.config file you specify when running the customize command changes the ModifyDataTypeWarn check to have a new severity value in a corresponding number.