Secure 5.0: SqlGrantWarn

SqlGrantWarn

Last updated: January 22, 2026

Alerts when SQL code contains GRANT statements that assign database privileges to users or roles, helping review potential security vulnerabilities by ensuring permissions are appropriately scoped and do not provide unintended access.

Uses

Property	Value
Liquibase version required	4.5.0+
Scope (--checks-scope)	changelog
Default status	enabled
Default severity (exit code)	0 ("INFO")
Customizable settings	No (static)

Note: SqlGrantWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.

Before you begin

Ensure that you have correctly specified your Liquibase Secure license key.
Ensure that the --checks-scope parameter includes the scope of this check.

Changelog checks prerequisites

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Procedure

Enable

This check is enabled by default. To verify that it is currently enabled, run the checks show command:

liquibase checks show --check-name=<string>

To run the check, use the checks run command.

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

Note: For flow files you'll need to run liquibase flow to apply your changes.

SqlGrantWarn

Uses

Before you begin

Changelog checks prerequisites

CLI

Flow

liquibase.properties

JAVA_OPTS

Environment variable

Procedure

Enable

To run the check, use the checks run command.

CLI example

Flow example