SqlRevokeWarn
Last updated: July 14, 2025
This check warns a user when SQL contains REVOKE statements so that they can ensure that the privilege being revoked won't lead to data access and dependency issues.
Uses
| Property | Value |
| --- | --- |
| Liquibase version required | 4.5.0+ |
| Scope (--checks-scope) | changelog |
| Default status | enabled |
| Default severity (exit code) | 0 ("INFO") |
| Customizable settings | No (static) |
Use SqlRevokeWarn to warn when changelogs contain REVOKE statements so that you do not have security issues due to the wrong privileges being removed, which can lead to failing jobs and even downtime. This policy check alerts users so they can exercise more control over the privileges and roles set and unset from changesets within the changelog.
Note: A REVOKE statement might be used in a lower environment (such as Test or Staging), but should only be used with extreme care in higher environments, such as Production. This check can even be configured to stop automated jobs which contain REVOKE.
Note: SqlRevokeWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.
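The following added example is not Liquibase code and does not come from this page's authors. It scans a formatted SQL changelog, the unmodeled format this check applies to, and reports which changesets contain REVOKE, which is useful when reviewing a changelog before running the check. The sample changelog, the function name changesets_with_revoke, and the matching rule (the keyword REVOKE outside comments and string literals) are assumptions of this example, not Liquibase's implementation.

```python
import re

# Constructed sample: a Liquibase formatted SQL changelog (not from the original page).
SAMPLE_CHANGELOG = """\
--liquibase formatted sql

--changeset alice:1
CREATE TABLE orders (id INT PRIMARY KEY, note VARCHAR(64));

--changeset bob:2
-- tighten access for the reporting role
REVOKE SELECT ON orders FROM reporting_role;

--changeset carol:3
/* REVOKE is only mentioned in this comment */
INSERT INTO orders (id, note) VALUES (1, 'do not revoke access');

--changeset dave:4
grant select on orders to app_role;
revoke
  insert on orders from app_role;
"""

# Changeset header line: "--changeset author:id [attributes]".
CHANGESET = re.compile(r"^--\s*changeset\s+(\S+)", re.IGNORECASE | re.MULTILINE)
# Assumption: block comments, line comments and quoted literals are ignored.
NOISE = re.compile(r"/\*.*?\*/|--[^\n]*|'(?:[^']|'')*'", re.DOTALL)
REVOKE = re.compile(r"\bREVOKE\b", re.IGNORECASE)

def changesets_with_revoke(changelog_text):
    """Return the author:id of every changeset whose SQL body contains REVOKE."""
    flagged = []
    headers = list(CHANGESET.finditer(changelog_text))
    for i, header in enumerate(headers):
        # A changeset body runs from its header to the next header (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog_text)
        body = NOISE.sub(" ", changelog_text[header.end():end])
        if REVOKE.search(body):
            flagged.append(header.group(1))
    return flagged

if __name__ == "__main__":
    for changeset_id in changesets_with_revoke(SAMPLE_CHANGELOG):
        print(f"WARN: changeset {changeset_id} contains a REVOKE statement")
```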
Before you begin
Ensure that you have correctly specified your Liquibase Pro license key.
Ensure that the --checks-scope parameter includes the scope of this check.
Changelog checks prerequisites
--license-key=<string>
--checks-scope=<string>
Procedure
Enable
This check is enabled by default. To verify that it is currently enabled, run the checks show command:
liquibase checks show --check-name=<string>
To run the check, use the checks run command.
liquibase checks run --check-name=<string>
Note: For flow files you'll need to run liquibase flow to apply your changes.