SqlGrantWarn

Last updated: July 14, 2025

This check warns a user when SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues.

Uses

| Property | Value |
|---|---|
| Liquibase version required | 4.5.0+ |
| Scope (--checks-scope) | changelog |
| Default status | enabled |
| Default severity (exit code) | 0 ("INFO") |
| Customizable settings | No (static) |

Use the check to warn when changelogs contain WITH GRANT statements. Unintended or unauthorized GRANTs can lead to security and compliance issues, especially in regulated industries. This policy check alerts users before these changes are deployed to your policy-checked environments, so they can exercise more control over privilege and permission changes, which is especially important in automated data pipelines.

Note: SqlGrantWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.
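To show the kind of unmodeled changeset this applies to, here is an added example (not Liquibase code and not from the original page): a standalone Python pre-scan that reports, per changeset in a formatted SQL changelog, every statement that begins with GRANT. The sample changelog, the names in it, and the matching rule (first keyword is GRANT, with comments and string literals ignored) are assumptions; the page does not describe how SqlGrantWarn matches internally.

```python
import re

# Constructed sample: a Liquibase formatted SQL changelog (not from the page).
SAMPLE_CHANGELOG = """\
--liquibase formatted sql

--changeset alice:1
CREATE TABLE audit_log (id INT PRIMARY KEY, note VARCHAR(200));

--changeset bob:2
-- grant comes later, this comment must not match
INSERT INTO audit_log VALUES (1, 'please GRANT me access');
/* GRANT ALL ON audit_log TO PUBLIC; */

--changeset carol:3
grant SELECT, INSERT on audit_log
  TO reporting_role;
GRANT ALL PRIVILEGES ON audit_log TO app_user;
"""

# Changeset marker of the formatted SQL format: "--changeset author:id".
CHANGESET = re.compile(r"^--\s*changeset\s+(\S+)", re.IGNORECASE | re.MULTILINE)
# String literals and comments, blanked out so keywords inside them are ignored.
NOISE = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.DOTALL)


def find_grants(changelog: str) -> list[tuple[str, str]]:
    """Return (changeset id, statement) for each statement starting with GRANT.

    Assumed rule for illustration only; not Liquibase's implementation.
    """
    findings = []
    parts = CHANGESET.split(changelog)  # [preamble, id1, body1, id2, body2, ...]
    for cs_id, body in zip(parts[1::2], parts[2::2]):
        cleaned = NOISE.sub(lambda m: "''" if m.group().startswith("'") else " ", body)
        for stmt in cleaned.split(";"):
            stmt = " ".join(stmt.split())  # collapse newlines and indentation
            if re.match(r"GRANT\b", stmt, re.IGNORECASE):
                findings.append((cs_id, stmt))
    return findings


if __name__ == "__main__":
    for cs_id, stmt in find_grants(SAMPLE_CHANGELOG):
        print(f"WARN changeset {cs_id}: {stmt}")
```

Only changeset carol:3 is reported; the word GRANT inside bob:2's string literal and comments is ignored, which is the distinction a reviewer cares about when triaging a warning.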

Before you begin

  1. Ensure that you have correctly specified your Liquibase Pro license key.

  2. Ensure that the --checks-scope parameter includes the scope of this check.

Changelog checks prerequisites

--license-key=<string>
--checks-scope=<string>

Procedure

1. Enable

This check is enabled by default. To verify that it is currently enabled, run the checks show command:

liquibase checks show --check-name=<string>

2. To run the check, use the checks run command:

liquibase checks run --check-name=<string>

Note: For flow files you'll need to run liquibase flow to apply your changes.
