Run a Policy Check

Note: This is a Liquibase Pro feature, so you need a Liquibase Pro License Key to use it.

The Liquibase Policy Checks feature allows you to build quality, security, and compliance into your database development workflow by utilizing the checks command. It operates by running checks against a changelog and customizing the Check's configuration, which will notify you when it identifies the specified scenario.

Prerequisites

Ensure you use Liquibase 4.5.0 or later.

Run checks against your changelog with the default configuration

The policy checks capability supports all changelog formats. This instruction includes a formatted SQL changelog. If you use your own changelog, example output might differ.

1. Create a new changelog.sql file and add the following:

--liquibase formatted sql
				
--changeset your.name:1 labels:v0 context:all
create table person (
	id int primary key,
	name varchar(50) not null,
	address1 varchar(50),
	address2 varchar(50),
	city varchar(30)
)
				
--changeset your.name:2 labels:v0 context:all
create table company (
	id int primary key,
	name varchar(50) not null,
	address1 varchar(50),
	address2 varchar(50),
	city varchar(30)
)
				
--changeset other.dev:3 labels:v0 context:all
alter table person add column country varchar(2)

--changeset other.dev:4 labels:v0 context:all
drop table person;

2. Open your CLI and navigate to the directory with the changelog file that you intend to use. In this example, we will use a sample changelog file.
3. Execute checks against a sample changelog file using the default configuration provided by Liquibase with the run command.
   Enter this command in the CLI:

liquibase checks run

Note: If a configuration file does not exist, Liquibase prompts you to create a new liquibase.checks-settings.conf file for checks.

If you use a sample changelog provided in the instruction, the last changeset in changelog.sql contains a drop table statement that is flagged by one of the checks in the default configuration.

Executing Policy Checks against changelog.sql
Checks completed validation of the changelog and found the following issues:
Changeset ID:       4
Changeset Filepath: changelog.sql
Check Name:         Warn when 'DROP TABLE' detected (ChangeDropTableWarn)
Message:            Liquibase recommends that changesets which result in tables
                    being dropped are reviewed carefully to prevent the
                    unintentional loss of data.  Review this changeset to
                    confirm that the referenced table is being dropped safely.

Changesets Validated:
  ID: 1; Author: your.name; File path: changelog.sql
  ID: 2; Author: your.name; File path: changelog.sql
  ID: 3; Author: other.dev; File path: changelog.sql
  ID: 4; Author: other.dev; File path: changelog.sql

run against each changeset:
  Warn on Detection of 'GRANT' Statements
  Warn on Detection of 'REVOKE' Statements
  Warn when 'DROP TABLE' detected
  Warn when 'DROP COLUMN' detected
  Warn when 'MODIFY <column>' detected

Liquibase command 'run' was executed successfully.

The following pages will help you proceed with all policy checks capabilities:

• Policy Checks
• Policy Checks Commands
• Disable Policy Checks
• Library of Policy Checks
• Use the Checks Settings Configuration File
• Use Policy Checks in Automation: Severity and Exit Code