Secure 5.0: SqlGrantOptionWarn

SqlGrantOptionWarn

Last updated: January 22, 2026

Detects WITH GRANT OPTION statements, which allows the recipient to pass permissions on to other users, helping you prevent privilege escalation security risks which could spread beyond intended recipients.

Uses

Property	Value
Liquibase version required	4.6.0+
Scope (--checks-scope)	changelog
Default status	enabled
Default severity (exit code)	0 ("INFO")
Customizable settings	No (static)

Note: SqlGrantOptionWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.

Before you begin

Ensure that you have correctly specified your Liquibase Secure license key.

Ensure that the --checks-scope parameter includes the scope of this check.

Changelog checks prerequisites

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Procedure

Enable

This check is enabled by default. To verify that it is currently enabled, run the checks show command:

liquibase checks show --check-name=<string>

To run the check, use the checks run command.

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

Note: For flow files you'll need to run liquibase flow to apply your changes.

SqlGrantOptionWarn

Uses

Before you begin

Changelog checks prerequisites

CLI

Flow

liquibase.properties

JAVA_OPTS

Environment variable

Procedure

Enable

To run the check, use the checks run command.

CLI example

Flow example