Library of Policy Checks
Note: This is a Liquibase Pro feature, so you need a Liquibase Pro License Key to use it.
Liquibase provides a default set of checks with default settings defined in the checks settings file. Liquibase Pro users can run unlimited enabled checks.
For more information about how policy checks work and how to use them, see Policy Checks.
Configuration
Policy checks are either static or dynamic:
- A check is static if the attributes of the check cannot be customized. You cannot run the
copy,customize, ordeletecommands on static checks. - A check is dynamic if there are settings you can customize.
- You can copy, customize, and reset dynamic checks.
- You cannot delete dynamic checks.
- You can copy, customize, or delete the copy of a dynamic check.
- You can also reset a copy to the parent check’s default settings.
You can run the enable and disable commands on all checks:
- Most (but not all) static checks are enabled by default.
- For example, the static check
SqlGrantWarnis enabled by default because it has widely applicable use-cases and has no customization options that would require manual input. - However, a static check like
RequireChangesetIDisUUIDis disabled by default because it may have more niche applicability.
- For example, the static check
- Most (but not all) dynamic checks are disabled by default.
- For example, the dynamic check
SqlUserDefinedPatternCheckis disabled by default because it has some customization options that require manual input. - However, the dynamic check
PrimaryKeyOnCreateTableis enabled by default because its customization options all have default values that are non-null.
- For example, the dynamic check
To see whether a check is currently enabled, run the show command.
Policy Check Scope
The scope of each check can be changelogs, databases, or both. This means that individual checks can deliver more insight into your changelogs and/or databases depending on the check. This is specified on each check listed below and on their corresponding page. Learn more at the following links:
| Scope | Definition |
|---|---|
| changelog | These checks examine the working changelog where it looks for specific patterns (e.g. presence of undesirable changes such as GRANT) |
| database, changelog | These checks examine both the database and the changelog (e.g. maximum number of columns in a table which could be in a new change or an existing table) |
| database | These checks examine the target database for specific structures / patterns (e.g. presence of constraints on a table) |
List of changelog scope checks
| Short Name | Scope (--checks-scope value) |
Description | Enabled by Default | Liquibase version required |
|---|---|---|---|---|
ChangeDropColumnWarn
|
changelog
|
This check warns a user when a column is being dropped so that they can ensure that such a schema change won't lead to unintentional loss of data and unrecoverable data loss. | true | 4.5.0+ |
ChangeDropTableWarn
|
changelog
|
This check warns a user when a table is being dropped so that they can ensure that dropping the table won't lead to unintentional data loss. | true | 4.5.0+ |
ChangesetAttributesAndValue
|
changelog
|
This check triggers when specified attributes do not match the user-supplied string or regex pattern. | false | 4.29.0+ |
ChangesetAttributesSetTrueOrFalse
|
changelog
|
This check triggers when specified attributes do not match TRUE or FALSE, as configured by the user. |
false | 4.29.0+ |
ChangesetCommentCheck
|
changelog
|
This check enforces the Liquibase best-practice recommendation to assign comments to every changeset to document the purpose of a changeset for other/future consumers of this changelog. | true | 4.5.0+ |
ChangesetContextCheck
|
changelog
|
This check enforces the Liquibase best-practice recommendation to assign a context to every changeset to provide better deployment control and to enhance traceability and granularity of deployments across changesets. | true | 4.5.0+ |
ChangesetLabelCheck
|
changelog
|
This check enforces the Liquibase best-practice recommendation to assign labels to every changeset to provide better deployment control and to enhance traceability and granularity of deployments across changesets. | true | 4.5.0+ |
ChangeTruncateTableWarn
|
changelog
|
This check warns a user when a table is being truncated so that they can ensure this change will not lead to unintentional data loss. | true | 4.6.0+ |
CheckRunInTransactionValue
|
changelog
|
This check triggers when a changeset contains the user-specified runInTransaction value of true or false. |
true | 4.27.0+ |
CustomCheckTemplate
|
changelog
|
4.29.0+ | ||
DetectChangeType
|
changelog
|
This changelog check warns a user when a changeset includes a Change Type listed by the user as forbidden. Note: This check applies only to model-based changelogs such as XML, YAML, and JSON. It does not apply to SQL changelogs. |
true | 4.19.0+ |
EndDelimiterExistsWhenPatternExists
|
changelog
|
false | 4.27.0+ | |
MaxAffectedRowsAllowedDelete
|
changelog
|
true | 4.28.0+ | |
MaxAffectedRowsAllowedInsert
|
changelog
|
true | 4.28.0+ | |
MaxAffectedRowsAllowedUpdate
|
changelog
|
true | 4.28.0+ | |
ModifyDataTypeWarn
|
changelog
|
This check warns a user when a change will result in modification of a data type so they can ensure this change will not lead to unintentional data loss. | true | 4.5.0+ |
OneChangePerChangeset
|
changelog
|
This check enforces the Liquibase Best Practice of keeping individual changesets small by limiting them to one statement or change. | true | 4.19.1+ |
PatternAFollowedByPatternB
|
changelog
|
This check allows you to check for specific patterns in your changelog and then produce a logged record of changeset structure when certain conditions are met. |
false | 4.26.0+ |
PatternANotFollowedByPatternB
|
changelog
|
This check allows you to check for specific patterns in your changelog and then produce a logged record of changeset structure when certain conditions are met. | false | 4.26.0+ |
PatternANotPrecededByPatternB
|
changelog
|
This check allows you to check for specific patterns in your changelog and then produce a logged record of changeset structure when certain conditions are met. | false | 4.26.0+ |
PatternAPrecededByPatternB
|
changelog
|
This check allows you to check for specific patterns in your changelog and then produce a logged record of changeset structure when certain conditions are met. |
false | 4.26.0+ |
PrimaryKeyOnCreateTable
|
changelog
|
This check warns when a create table action does not also include a primary key. | true | 4.12.0+ |
RequireChangesetIDisUUID
|
changelog
|
This check alerts you when a changeset ID does not follow the 8-4-4-4-12 pattern of UUID or GUID. | false | 4.12.0+ |
RollbackRequired
|
changelog
|
This check enforces the Liquibase best-practice recommendation to include rollbacks to every changeset. | true | 4.7.0+ |
SQLGrantAdminWarn
|
changelog
|
This check warns a user when a SQL contains 'GRANT' statements that include the 'WITH ADMIN OPTION' clause so that they can ensure that the privilege being granted won't lead to security issues or violate compliance regulations. | true | 4.6.0+ |
SqlGrantOptionWarn
|
changelog
|
This check warns a user when SQL contains 'GRANT' statements that include the 'WITH GRANT OPTION' clause so that they can ensure that the privilege being granted won't lead to security issues or violate compliance regulations. | true | 4.6.0+ |
SqlGrantSpecificPrivsWarn
|
changelog
|
This check warns a user when a changeset includes or generates sql that grants specific privileges to a user or role. | false | 4.6.0+ |
SqlGrantWarn
|
changelog
|
This check warns a user when a SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues. | true | 4.5.0+ |
SqlRevokeWarn
|
changelog
|
This check warns a user when a SQL contains 'REVOKE' statements so that they can ensure that the privilege being revoked won't lead to data access and dependency issues. | true | 4.5.0+ |
SqlSelectStarWarn
|
changelog
|
This check warns a user when generated or raw SQL contains 'SELECT *' statements so that they can ensure selecting all fields from a table in a query is safe and necessary. | true | 4.19.0+ |
SqlUserDefinedPatternCheck
|
changelog
|
This check scans SQL for the presence of specific patterns and warns the user when they are found. | false | 4.5.0+ |
UserDefinedContextCheck
|
changelog
|
false | 4.25.0+ | |
UserDefinedLabelCheck
|
changelog
|
false | 4.25.0+ | |
WarnOnUseDatabase
|
changelog
|
This check warns a user when generated or raw SQL contains 'USE DATABASE' directive. | true | 4.19.0+ |
List of changelog and database scope checks
| Short Name | Scope (--checks-scope value) |
Description | Enabled by Default | Liquibase version required |
|---|---|---|---|---|
ChainedChecksTemplate
|
changelog or database |
4.27.0+ | ||
ObjectNameMustMatch
|
changelog or database |
The ObjectNameMustMatch check allows you to confirm the listed object names conform to the supplied pattern. | false | 4.6.2+ |
ObjectNameMustNotMatch
|
changelog or database |
The ObjectNameMustNotMatch check allows you to confirm the listed object names conform to the supplied pattern and locate the object names that do not match so they can be corrected. | false | 4.6.2+ |
OracleReservedKeywords
|
changelog or database |
This check can be used to prevent Oracle's reserved keywords from being used in database object names. | false | 4.12.0+ |
PostgresNonReservedKeywords
|
changelog or database |
This check disallows Postgres non-reserved keywords from being used in database object names. See the SQL Key Words Appenix for complete list of keywords. | false | 4.12.0+ |
PostgresReservedKeywords
|
changelog or database |
This check disallows Postgres reserved keywords from being used in database object names. See the SQL Key Words Appendix for complete list of keywords. | false | 4.12.0+ |
SQLServerFutureReservedKeywords
|
changelog or database |
This check disallows SQL Server's future reserved keywords from being used in database object names. See Reserved Keywords (Transact-SQL) for complete list of keywords. | false | 4.12.0+ |
SQLServerODBCReservedKeywords
|
changelog or database |
This check disallows SQL Server's ODBC reserved keywords from being used in database object names. See Reserved Keywords (Transact-SQL) for complete list of keywords. | false | 4.12.0+ |
SQLServerReservedKeywords
|
changelog or database |
This check disallows SQL Server reserved keywords from being used in database object names. See Reserved Keywords (Transact-SQL) for complete list of keywords. | false | 4.12.0+ |
TableColumnLimit
|
changelog or database |
The TableColumnLimit check allows you to ensure that no table described in a changelog or existing in a database target has more than a threshold number of columns. | true | 4.5.0+ |
TableCommentCheck
|
changelog or database |
The TableCommentCheck check allows you to flag any table that does not have a comment. Note that this is not a check for a Liquibase changelog comment. | false | 4.12.0+ |
TableCommentPatternCheck
|
changelog or database |
The TableCommentPatternCheck check triggers when specific user-supplied patterns are present in table comments. | false | 4.12.0+ |
List of database scope checks
| Short Name | Scope (--checks-scope value) |
Description | Enabled by Default | Liquibase version required |
|---|---|---|---|---|
CheckTablesForIndex
|
database
|
This check scans your target URL database tables to find tables which do not have an associated index. | true | 4.19.0+ |
ConstraintMustExist
|
database
|
The ConstraintMustExist check allows you to specify an individual table or column by name to check that it has one or more specific constraints. | false | 4.12.0+ |
